LUKS – How to Mount a LUKS Partition at Boot

10.04encrypted-partitionluks

I have installed an Ubuntu machine with two encrypted LUKS partitions: one for / and one for /home.

I've reinstalled the machine to upgrade to 10.04. Again, the / is installed using LUKS, and I'm able to mount the /home using:

mkdir /media/home
sudo cryptsetup luksOpen /dev/sda2 home
sudo mount -t ext3 /dev/mapper/home /media/home

The problem is, this cryptfs mapper disappears after boot, so I putting the appropriate line in fstab fails.

How do I set the cryptfs to prompt for password and unlock the drive at boot?

Thanks,

Adam

Best Answer

Seems that I needed to edit the /etc/crypttab file, which is the crypto equivalent to fstab, and add the following line:

# create a /dev/mapper device for the encrypted drive
home    /dev/sda2       none luks

And add the following to /etc/fstab:

# /home LUKS
/dev/mapper/home /home ext4 rw 0 0

Now I get two password prompts at boot, as needed.

Related Solutions

Ubuntu – Full System encryption with LUKS on headless server – unlock with dropbear and busybox. How

This is more a comment than an answer, sorry. But since you didn't get any replies yet, I wanted to write something anyway.

As for how does it even work:

In the Initramfs you usually have one master process (usually a busybox based /init shell script) which is responsible for making the root partition available before handing off the boot process to the real init system of your Ubuntu install.

In case of dropbear in Initramfs, that is a separate process started by /init. Logging into dropbear you get a shell which is yet another process. All the while the original /init has to be running and waiting for something, in this case the LUKS password.

So what the /init script most likely does here, once it started dropbear, is create a named pipe, or fifo, i.e. the /lib/cryptsetup/passfifo. And then it reads from that named pipe. This read will block until there actually is something to read, so that's how /init hangs and waits for input.

Then some years later you log into dropbear and do your echo passphrase > /lib/cryptsetup/passfifo, at which point /init wakes up from its slumber and resumes to unlock LUKS and go on with the rest of the boot process.

And that's basically the general idea of how it works. If there is no documentation for it you would have to read the shell script.

As for a GPG encrypted key in Initramfs, I'm sure this is the standard method in Ubuntu somehow, probably to be set up via /etc/crypttab. Did you check the wiki for a howto?

It certainly would require GPG to be included in the Initramfs. but I outlined an alternative approach here which could be made to work without additional dependencies:

How do I use dm-crypt (LUKS) with GnuPG to use two-factor for FDE?

The problem with this is of course that it is not standard, so while it could be simpler in theory it might actually be harder to set up.

Ubuntu – Mount LUKS encrypted hard drive at boot

A key file in the /boot directory can be read by any other operation system booted on your machine that is able to mount the filesystem on that /boot is located. Thus, encryption is not really effective. This argument applies to all key file locations on unencrypted file systems.

To avoid key files on unencrypted file systems a password can be used for decryption. Create a strong password for the device. Then, change the line in /etc/crypttab to

hddencrypted UUID=b3024cc1-93d1-439f-80ce-1b1ceeafda1e none luks

and keep the entry in /etc/fstab unmodified. Ubuntu 14.04/16.04/18.04 asks you for the password on startup.

Best Answer

Related Solutions

Ubuntu – Full System encryption with LUKS on headless server – unlock with dropbear and busybox. How

Ubuntu – Mount LUKS encrypted hard drive at boot

Related Question