Linux – Using space before 1st partition of USB-Stick as luks key

Tags: arch linux, cryptsetup, dm-crypt, luks

I'm using Arch Linux with an encrypted LUKS root partition (boot unencrypted), with a passphrase so far.
Now I have a keyfile (3072 bytes), that's written to USB-Stick this way:

sudo dd if=tempKeyFile.bin of=/dev/sdd bs=512 seek=1 count=6

and also set as additional pass

sudo cryptsetup luksAddKey /dev/sdb6 tempKeyFile.bin

When I open the partition manually with:

sudo cryptsetup --key-file tempKeyFile.bin open /dev/sdb6 luks_root

everything works, the partition is mapped and can be mounted.
Now my kernel-parameter-line in grub.cfg looks like this:

linux /vmlinuz-linux root=UUID=$UUID_OF_luks_root$ rw cryptdevice=UUID=$UUID_OF_sdb6$:luks_root cryptkey=/dev/sdd:1:6

But when booting, I get this error:

No key available with this passphrase.
Invalid Keyfile. Reverting to passphrase.

I already tried offset 2 instead of 1, but got the same result. I noticed it doesn't say that the keyfile could not be found/read, but that it was incorrect.

There seems to be little documentation about this way of storing a LUKS keyfile. The Arch wiki mentions it, but very briefly, and I seem to conform to it, so I think it should be possible.

In my mkinitcpio.conf, MODULES, BINARIES and FILES are empty and I set:

HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)

so block is right before encrypt.

What's the problem here?

Best Answer

From the ArchLinux encrypt hook (/lib/initcpio/hooks/encrypt):

*)
    # Read raw data from the block device
    # ckarg1 is numeric: ckarg1=offset, ckarg2=length
    dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
    ;;

So while it supports reading a key from a raw block device, it uses a block size of 1 (instead of the default 512), so you have to multiply your values by 512 to make it work.

So instead of cryptkey=/dev/sdd:1:6 try cryptkey=/dev/sdd:512:3072.
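To check a cryptkey spec the way the hook will read it before rebooting, here is an added example (not part of the answer) that builds a throwaway disk image, mimics the hook's dd line and compares the result with the keyfile; the names sectors_to_cryptkey and cryptkey_matches are chosen here.

```shell
#!/bin/sh
# Added example: reproduce what the encrypt hook does with
# cryptkey=<dev>:<offset>:<length> against a constructed disk image.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the USB stick and the 3072-byte keyfile.
IMG="$WORK/usb.img"
KEY="$WORK/tempKeyFile.bin"
dd if=/dev/zero of="$IMG" bs=512 count=64 2>/dev/null
head -c 3072 /dev/urandom > "$KEY"
# Same placement as in the question: sectors 1..6 of the stick.
dd if="$KEY" of="$IMG" bs=512 seek=1 count=6 conv=notrunc 2>/dev/null

# Convert a sector-based offset/count pair into the byte values the hook
# expects (it always uses bs=1). Prints "<dev>:<bytes>:<bytes>".
sectors_to_cryptkey() {
    dev=$1; sector_off=$2; sector_cnt=$3
    printf '%s:%d:%d\n' "$dev" $((sector_off * 512)) $((sector_cnt * 512))
}

# Read the key exactly as the hook does (bs=1, skip=offset, count=length)
# and compare it with the keyfile. Returns 0 on a match, 1 otherwise.
cryptkey_matches() {
    spec=$1; expected=$2
    dev=${spec%%:*}; rest=${spec#*:}
    off=${rest%%:*}; len=${rest#*:}
    out="$WORK/extracted.key"
    dd if="$dev" of="$out" bs=1 skip="$off" count="$len" 2>/dev/null
    cmp -s "$out" "$expected"
}

# The sector-style spec from the question reads 6 bytes at byte offset 1.
if cryptkey_matches "$IMG:1:6" "$KEY"; then
    echo "1:6 matches (unexpected)"
else
    echo "1:6 does not match the keyfile"
fi
# The byte-based spec from the answer recovers the keyfile.
SPEC=$(sectors_to_cryptkey "$IMG" 1 6)
cryptkey_matches "$SPEC" "$KEY" && echo "$SPEC matches the keyfile"
```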
