[Bug 1876535] [NEW] Decrypt LUKS partition with key from USB - fall back to keyboard
ole.tange
launchpad.net at tange.dk
Sun May 3 00:08:07 UTC 2020
Public bug reported:
(dpkg -S /usr/share/initramfs-tools/scripts/local-top/cryptroot says the
package is cryptsetup-initramfs, but the bug system refuses that).
It would be ideal to me if I could simply have a small USB stick
containing a passphrase that will unlock the disk. Not only would that
be handy for servers (where you could leave the USB stick in the
server - the goal is to be able to return broken hard disks without
having to worry about confidential data), it would also be great for
my laptop: Insert the USB stick when booting and remove it after
unlocking the cryptodisk.
I have now written a patch that will search the root dir of all
devices for the file 'cryptkey.txt' and try decrypting with each line
as a key. If that fails: Revert to typing in the passphrase.
It does mean the key cannot contain \n, but that would apply to any
typed-in key, too. The good part is that you can use the same USB disk
to store the keys for multiple machines: You do not need a separate USB
disk for each. So if you have a USB drive in your physical key ring,
you can use the same drive for all the machines you boot when being
physically close - even if they have different keys.
You add the key with:
cryptsetup luksAddKey /dev/sda5
And then put the same key as a line in a file on the USB/MMC disk
called 'cryptkey.txt'.
The newest version of the patch can be found at:
https://gitlab.com/ole.tange/tangetools/-/tree/master/decrypt-root-with-usb/ubuntu-20.04
I hereby release the patch under the same license as /usr/share/initramfs-tools/scripts/local-top/cryptroot
** Affects: cryptsetup (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1876535
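The key-trial loop the report describes, written out as an added example (this is not the reporter's patch from the linked repository). It assumes a standard cryptsetup binary in the initramfs; the device globs and mount point are illustrative, each candidate stick is mounted read-only before cryptkey.txt is read, and every key is fed to cryptsetup on stdin rather than on the command line.

```sh
# Added example, not the reporter's patch.  Constraint carried over from
# the report: a key cannot contain a newline, so one line is one key.

# try_keys_from_file FILE UNLOCK_CMD...
#   Feed each non-empty line of FILE to UNLOCK_CMD on stdin, without a
#   trailing newline so it equals what a user would type at the prompt.
#   The key never appears on a command line, where `ps` would expose it.
#   Returns 0 on the first success, 1 if no line unlocks the device.
try_keys_from_file() {
    keyfile=$1; shift
    [ -r "$keyfile" ] || return 1
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}          # tolerate a CRLF file edited on Windows
        [ -n "$line" ] || continue  # blank lines are never keys
        if printf '%s' "$line" | "$@" >/dev/null 2>&1; then
            return 0
        fi
    done < "$keyfile"
    return 1
}

# unlock_root LUKS_DEVICE MAPPER_NAME
#   Scan the root directory of each candidate removable device for
#   cryptkey.txt, as the report describes, then fall back to the prompt.
unlock_root() {
    dev=$1; name=$2
    mnt=$(mktemp -d)
    for cand in /dev/sd[a-z][0-9]* /dev/mmcblk[0-9]p[0-9]*; do
        [ -b "$cand" ] && [ "$cand" != "$dev" ] || continue
        # Read-only plus nodev/noexec/nosuid: the stick is untrusted media.
        mount -o ro,nodev,noexec,nosuid "$cand" "$mnt" 2>/dev/null || continue
        # --key-file=- reads stdin as the passphrase, bytes as given.
        if try_keys_from_file "$mnt/cryptkey.txt" \
               cryptsetup luksOpen --key-file=- "$dev" "$name"; then
            umount "$mnt"; rmdir "$mnt"; return 0
        fi
        umount "$mnt"
    done
    rmdir "$mnt"
    # No usable key on any device: fall back to typing the passphrase.
    cryptsetup luksOpen "$dev" "$name"
}

# Usage from the initramfs hook, for example: unlock_root /dev/sda5 sda5_crypt
```

Because the stick holds the passphrase in clear text, whoever holds the stick holds the disk; the scheme buys convenience and safe disposal of drives, not protection against theft of the stick together with the machine.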