The officially official Devuan Forum!

#1 2023-08-14 06:06:25

deutschem
Member
Registered: 2023-08-13
Posts: 5  

Luks decrypt home on boot with key and fallback password

Hi,

I've successfully configured my home partition to be unlocked with a plugged-in USB stick.
But I don't know how to configure the fallback (if the stick is not plugged in, use the password).

Most hints are for systemd, for example:
https://forums.debian.net/viewtopic.php?t=152061

I use SysVinit

unplugged usb:
Sun Aug 13 21:44:58 2023: Starting remaining crypto disks...crypt_home (starting)...Invalid key path
Sun Aug 13 21:44:58 2023: Cannot seek to requested keyfile offset.
Sun Aug 13 21:44:58 2023: Invalid key path
Sun Aug 13 21:44:58 2023: Cannot seek to requested keyfile offset.
Sun Aug 13 21:44:58 2023: Invalid key path
Sun Aug 13 21:44:58 2023: Cannot seek to requested keyfile offset.
Sun Aug 13 21:44:58 2023: crypt_home (failed)...^[[31mfailed.^[[39;49m
Sun Aug 13 21:44:58 2023: done.

thank you

regards

Last edited by deutschem (2023-08-14 06:07:21)

Offline

#2 2023-08-14 07:19:23

rolfie
Member
Registered: 2017-11-25
Posts: 1,171  

Re: Luks decrypt home on boot with key and fallback password

To make sure: you have not assigned a password to the encrypted /home as first step?

There is an option to cryptsetup named luksAddKey. With this option you can add further keys (either passwords or keyfiles) but this will ask for an already existing key. I have always used a passphrase as first key, and have no idea how to add a key with a keyfile as only option.

Offline

#3 2023-08-14 12:30:09

deutschem
Member
Registered: 2023-08-13
Posts: 5  

Re: Luks decrypt home on boot with key and fallback password

In my LUKS volume I have 2 slots, one (slot 0) with a password and the second (with luksAddKey) with the keyfile.

Offline

#4 2023-08-14 15:37:20

rolfie
Member
Registered: 2017-11-25
Posts: 1,171  

Re: Luks decrypt home on boot with key and fallback password

Ok, then you have your fallback option already. I am not 100% sure how that works in your case, I am used to using full disk encryption.

What happens in your case when the key stick isn't plugged in? Do you end up in the initramfs?

Offline

#5 2023-08-14 16:10:23

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,486  

Re: Luks decrypt home on boot with key and fallback password

This page might have the answer. It looks like you have to use a keyscript. https://stackoverflow.com/questions/197 … o-keyboard

I've never done that. I use a keyfile, and if the keyfile doesn't work, I have a keyslot with a passphrase that I can use to fix it (make a new keyfile) after booting a live-CD or live-USB.

.

Offline

#6 2023-08-15 14:01:36

deutschem
Member
Registered: 2023-08-13
Posts: 5  

Re: Luks decrypt home on boot with key and fallback password

Yes, sorry, I wrote it unclearly. I want the fallback on boot (boot -> stick is plugged in -> encrypt with keyfile (this works)). Now, if the stick is not plugged in, I want boot -> ask for password (in my case in slot 0).
If I do not plug in the stick, then the boot process runs fine to the end, but of course without /home mounted....

rolfie wrote:

Ok, then you have your fallback option already. I am not 100% sure how that works in your case, I am used to using full disk encryption.

What happens in your case when the key stick isn't plugged in? Do you end up in the initramfs?

Offline

#7 2023-08-15 14:04:48

deutschem
Member
Registered: 2023-08-13
Posts: 5  

Re: Luks decrypt home on boot with key and fallback password

Yes, it seems that is also my way: use the keyfile on the stick, and if the key is lost/damaged I fix it with the password slot and a live CD. Not fancy. I feel I do not trust the keyscript thing.

fsmithred wrote:

This page might have the answer. It looks like you have to use a keyscript. https://stackoverflow.com/questions/197 … o-keyboard

I've never done that. I use a keyfile, and if the keyfile doesn't work, I have a keyslot with a passphrase that I can use to fix it (make a new keyfile) after booting a live-CD or live-USB.

.

Last edited by deutschem (2023-08-15 14:07:25)

Offline

#8 2023-08-15 16:53:18

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,486  

Re: Luks decrypt home on boot with key and fallback password

If I do not plug in the stick, then the boot process runs fine to the end, but of course without /home mounted....

Maybe a script started by rc.local at the end of boot that checks to see if /home is mounted, and if it is not, it runs 'cryptsetup open <whatever>' and asks for the password. If your boot process without the usb stick is landing at a graphical login screen, you'll probably need to disable the display manager. Maybe the same script that mounts /home could start the DM, too.

Edit: Something like this. I didn't test this but I think it will work. Adjust the names for your setup. Disable the display manager in runlevel 2 using update-rc.d or sysv-rc-conf.

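#!/bin/sh
# Started by rc.local at the end of boot. Adjust the placeholders for your setup.
NAME='<name>'              # mapping name under /dev/mapper
DEVICE='/dev/whatever'     # encrypted partition
MOUNTPOINT='<mountpoint>'
DM='<display-manager>'     # init script name of the display manager

# If the keyfile did not unlock /home, ask for the password and mount it.
# mount only runs when cryptsetup opened the device.
if ! grep -q "^/dev/mapper/$NAME " /proc/mounts ; then
	cryptsetup open "$DEVICE" "$NAME" && mount "/dev/mapper/$NAME" "$MOUNTPOINT"
fi

# Start the display manager in either case.
"/etc/init.d/$DM" start

exit 0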

Offline
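
The keyscript route mentioned earlier in the thread, sketched as an added example that is not part of any post and is untested on the poster's system: Debian's crypttab(5) `keyscript=` option runs a program that writes the key to stdout, so the same script can hand over the keyfile when the stick is present and prompt for the slot 0 passphrase otherwise. Assumptions: the install path, the crypttab paths, the `ASKPASS` override and the `emit_key` name are hypothetical, and the keyfile is a regular file on a stick that is already mounted when the cryptdisks scripts run.

```shell
#!/bin/sh
# Hypothetical install path: /usr/local/sbin/key-or-ask (root-owned, mode 0700)
# crypttab line (device and key path are placeholders):
#   crypt_home  /dev/whatever  /media/stick/home.key  luks,keyscript=/usr/local/sbin/key-or-ask

# Passphrase prompter shipped with Debian's cryptsetup. ASKPASS is an override
# introduced for this example so the logic can be exercised without a console.
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"

# emit_key KEYFILE TRIED: write the key material to stdout.
emit_key() {
	keyfile="$1"
	tried="${2:-0}"
	# Use the keyfile only on the first attempt. If it is missing, empty,
	# or was already rejected (damaged or stale key), ask for the passphrase.
	if [ "$tried" -eq 0 ] && [ -r "$keyfile" ] && [ -s "$keyfile" ]; then
		cat -- "$keyfile"
	else
		"$ASKPASS" "Key stick not usable, passphrase for ${CRYPTTAB_NAME:-volume}: "
	fi
}

# The cryptdisks scripts export CRYPTTAB_NAME and pass the key field as $1.
# CRYPTTAB_TRIED is not set in every context, so it defaults to 0 here.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
	emit_key "${1:-$CRYPTTAB_KEY}" "${CRYPTTAB_TRIED:-0}"
fi
```

The keyfile bytes are passed through unchanged, so they match the slot added with luksAddKey, and the prompt path matches the passphrase slot.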
