<![CDATA[Dev1 Galaxy Forum / Luks decrypt home on boot with key and fallback password]]> http://dev1galaxy.org/viewtopic.php?id=5854 Tue, 15 Aug 2023 16:53:18 +0000 FluxBB <![CDATA[Re: Luks decrypt home on boot with key and fallback password]]> http://dev1galaxy.org/viewtopic.php?pid=43352#p43352

If i do not plug in the stick, then the boot process runs fine to the end but of course without /home mounted....

Maybe a script started by rc.local at the end of boot that checks to see if /home is mounted, and if it is not, it runs 'cryptsetup open <whatever>' and asks for the password. If your boot process without the usb stick is landing at a graphical login screen, you'll probably need to disable the display manager. Maybe the same script that mounts /home could start the DM, too.

Edit: Something like this. I didn't test this but I think it will work. Adjust the names for your setup.Disable the display manager in runlevel 2 using update-rc.d or sysv-rc-conf

#!/bin/sh

if grep -q '/dev/mapper/<name>' /proc/mounts ; then
	/etc/init.d/<display-manager> start
else
	cryptsetup open /dev/whatever  <name>
	mount /dev/mapper/<name>  <mountpoint>
	/etc/init.d/<display-manager> start
fi

exit 0
]]> Tue, 15 Aug 2023 16:53:18 +0000 http://dev1galaxy.org/viewtopic.php?pid=43352#p43352 <![CDATA[Re: Luks decrypt home on boot with key and fallback password]]> http://dev1galaxy.org/viewtopic.php?pid=43346#p43346 yes, seems that is also my way to use keyfile on stick and if the key is lost/damaged i fix it with the password slot and a live CD, not fancy. I feel I do not trust the keyscript-thing

fsmithred wrote:

This page might have the answer. It looks like you have to use a keyscript. https://stackoverflow.com/questions/197 … o-keyboard

I've never done that. I use a keyfile, and if the keyfile is doesn't work, I have a keyslot with a passphrase that I can use to fix it (make a new keyfile) after booting a live-CD or live-USB.

.

]]> Tue, 15 Aug 2023 14:04:48 +0000 http://dev1galaxy.org/viewtopic.php?pid=43346#p43346 <![CDATA[Re: Luks decrypt home on boot with key and fallback password]]> http://dev1galaxy.org/viewtopic.php?pid=43345#p43345 yes, sorry I wrote it unclear, i want the fallback on boot (Boot->Stick is plugged->encrypt with keyfile (this works)), now if stick is not plugged in i want boot-> ask for password (in my case in slot 0)
If i do not plug in the stick, then the boot process runs fine to the end but of course without /home mounted....

rolfie wrote:

Ok, then you have your fallback option already. I am not 100% sure how that works in your case, I am used to use full disk encryption.

What happens in your case when the key stick isn't plugged in? Do you end up in the initramfs?

]]> Tue, 15 Aug 2023 14:01:36 +0000 http://dev1galaxy.org/viewtopic.php?pid=43345#p43345 <![CDATA[Re: Luks decrypt home on boot with key and fallback password]]> http://dev1galaxy.org/viewtopic.php?pid=43321#p43321 This page might have the answer. It looks like you have to use a keyscript. https://stackoverflow.com/questions/197 … o-keyboard

I've never done that. I use a keyfile, and if the keyfile is doesn't work, I have a keyslot with a passphrase that I can use to fix it (make a new keyfile) after booting a live-CD or live-USB.

.

]]> Mon, 14 Aug 2023 16:10:23 +0000 http://dev1galaxy.org/viewtopic.php?pid=43321#p43321 <![CDATA[Re: Luks decrypt home on boot with key and fallback password]]> http://dev1galaxy.org/viewtopic.php?pid=43319#p43319 Ok, then you have your fallback option already. I am not 100% sure how that works in your case, I am used to use full disk encryption.

What happens in your case when the key stick isn't plugged in? Do you end up in the initramfs?

]]> Mon, 14 Aug 2023 15:37:20 +0000 http://dev1galaxy.org/viewtopic.php?pid=43319#p43319 <![CDATA[Re: Luks decrypt home on boot with key and fallback password]]> http://dev1galaxy.org/viewtopic.php?pid=43317#p43317 in my LUKS volume i have 2 slots, one (slot 0) with a password and the second (with lukdAddKey) with the keyfile.

]]> Mon, 14 Aug 2023 12:30:09 +0000 http://dev1galaxy.org/viewtopic.php?pid=43317#p43317 <![CDATA[Re: Luks decrypt home on boot with key and fallback password]]> http://dev1galaxy.org/viewtopic.php?pid=43315#p43315 To make sure: you have not assigned a password to the encrypted /home as first step?

There is an option to cryptsetup named luksAddKey. With this option you can add further keys (either passwords or keyfiles) but this will ask for an already existing key. I have always used a passphrase as first key, and have no idea how to add a key with a keyfile as only option.

]]> Mon, 14 Aug 2023 07:19:23 +0000 http://dev1galaxy.org/viewtopic.php?pid=43315#p43315 <![CDATA[Luks decrypt home on boot with key and fallback password]]> http://dev1galaxy.org/viewtopic.php?pid=43314#p43314 Hi,

i 've configure successfully configured that my home partition was unlocked with a plugged in usb stick.
but i dont know how to configure the fallback (if stick is not pugged in use password).

the most hints are for systemd for ex:
https://forums.debian.net/viewtopic.php?t=152061

I use SysVinit

unplugged usb:
Sun Aug 13 21:44:58 2023: Starting remaining crypto disks...crypt_home (starting)...Invalid key path
Sun Aug 13 21:44:58 2023: Cannot seek to requested keyfile offset.
Sun Aug 13 21:44:58 2023: Invalid key path
Sun Aug 13 21:44:58 2023: Cannot seek to requested keyfile offset.
Sun Aug 13 21:44:58 2023: Invalid key path
Sun Aug 13 21:44:58 2023: Cannot seek to requested keyfile offset.
Sun Aug 13 21:44:58 2023: crypt_home (failed)...^[[31mfailed.^[[39;49m
Sun Aug 13 21:44:58 2023: done.

thank you

regards

]]> Mon, 14 Aug 2023 06:06:25 +0000 http://dev1galaxy.org/viewtopic.php?pid=43314#p43314