Looking into hard disk encryption. The go-to solution seems to be dm-crypt with LUKS using a password. I work with multiple independent hard disks mounted into a disk pool for reading. In this case, I have to type a password multiple times.
Is there a way for me to encrypt the hard disks with a key file, maybe put it on a USB drive and just plug it in when necessary?
Best Answer
One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).
Format your /etc/crypttab like this:

In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.
Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz. You can use a Yubikey 4 or Yubikey NEO among others for this purpose.
Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:
systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.

Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.

Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:
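Since the question asks for a keyfile on a USB stick rather than the smart card the answer describes, here is an added example (not code from the answer or from Debian's cryptsetup) that enrols one keyfile into every disk of the pool and emits /etc/crypttab entries for Debian's passdev keyscript, which reads the key from a removable device at boot. The keyscript path, disk names, mount point and UUIDs are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's or Debian's own code: one random keyfile on a USB
# stick, enrolled as an extra keyslot in every LUKS disk of the pool, plus crypttab
# lines using Debian cryptsetup's "passdev" keyscript (path assumed from Debian's
# layout). Disk names, LUKS UUIDs and the stick's UUID are made-up placeholders.
set -eu

KEYDEV_UUID="${KEYDEV_UUID:-1234-ABCD}"   # assumed filesystem UUID of the USB stick
KEYPATH="${KEYPATH:-/pool.key}"           # keyfile path relative to the stick's root
KEYDEV_TIMEOUT="${KEYDEV_TIMEOUT:-20}"    # seconds passdev waits for the stick at boot
# make_keyfile FILE: 4096 random bytes, mode 0400; prints the resulting size.
make_keyfile() {
  ( umask 077; head -c 4096 /dev/urandom > "$1" )
  chmod 0400 "$1"
  wc -c < "$1" | tr -d ' '
}

# crypttab_entry NAME LUKS_UUID: one crypttab line. passdev's key field is
# "<device holding the key>:<path on that device>:<timeout>"; at boot it waits for
# the device, mounts it, reads the file and hands it to cryptsetup as the key.
crypttab_entry() {
  printf '%s UUID=%s /dev/disk/by-uuid/%s:%s:%s luks,keyscript=/lib/cryptsetup/scripts/passdev\n' \
    "$1" "$2" "$KEYDEV_UUID" "$KEYPATH" "$KEYDEV_TIMEOUT"
}

# enrol_key DEVICE KEYFILE: add the keyfile as a new keyslot. The existing passphrase
# slot is kept, so the disks still open at a prompt if the stick is lost or broken.
enrol_key() {
  cryptsetup luksAddKey "$1" "$2"
}

# pool_crypttab KEYFILE NAME:DEVICE:LUKS_UUID ...: enrol each disk and print its line.
# Runs cryptsetup, so it needs root and the real block devices.
pool_crypttab() {
  key=$1; shift
  for spec in "$@"; do
    name=${spec%%:*}; rest=${spec#*:}
    dev=${rest%%:*}; uuid=${rest#*:}
    enrol_key "$dev" "$key"
    crypttab_entry "$name" "$uuid"
  done
}

# Usage, as root with the stick mounted at /mnt/usb:
#   sh pool-keys.sh apply /mnt/usb/pool.key disk1:/dev/sdb1:<uuid1> disk2:/dev/sdc1:<uuid2>
if [ "${1:-}" = "apply" ]; then
  shift; [ -e "$1" ] || make_keyfile "$1" >/dev/null
  pool_crypttab "$@" | tee -a /etc/crypttab
fi
```

passdev mounts the stick itself during early boot, so the keyfile only protects the disks while the stick is stored apart from them; the passphrase keyslot stays as the fallback.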