Full disk encryption with separate boot and encrypted keyfile storage: Two-Form Authentication

Posted by Cain on Ask Ubuntu
Published on 2012-11-05T22:26:28Z Indexed on 2012/11/05 23:18 UTC


I am trying to set up true full disk encryption with two-form authentication on 12.04 and cannot find out how to call a keyfile for the encrypted root out of another encrypted partition. All documentation or questions I am finding for whole or full disk encryption only encrypt separate partitions on the same disk.

This is not what most are calling full disk encryption: /boot is not on a partition on the root drive; rather, it is on a USB stick as sdx1. Instead, root is on a logical partition on top of a LUKS container. LUKS is run on the whole disk, encrypting the partition table as well. All drives in the machine are completely encrypted, and to open it requires a USB drive (what I have) as well as a passphrase (what I know), resulting in two-form authentication to boot the machine.

  • Device sdx > cryptroot > vg00 > lvroot > /

There is no passphrase to open the encrypted root device, only a keyfile. That keyfile is kept on the USB drive with /boot, in its own encrypted partition (I'll call this cryptkey). In order for the root file system (cryptroot) to be opened, initramfs must ask for the passphrase to cryptkey on the USB drive, then use the keyfile inside that to open cryptroot.

I did manage to find what I think is the how-to I used to do this once before:

http://wiki.ubuntu.org.cn/UbuntuHelp:FeistyLUKSTwoFormFactor

I already have the system installed and can chroot into it; however, I cannot get it to call for the keys on the USB during boot. I did find a how-to saying I needed to make a cryptroot conf for initramfs, but I believe that is for a passphrase:

https://help.ubuntu.com/community/EncryptedFilesystemLVMHowto#Notes_for_making_it_work_in_Ubuntu_12.04_.22Precise_Pangolin.22_amd64

I also tried to set up crypttab. However, crypttab only works for drives mounted after the root drive, as calling for a keyfile on a device not yet mounted to the system doesn't work. The Feisty how-to included scripts that would be run during boot instructing initramfs to mount the USB drive temporarily and call the keyfile for root, which worked quite well, except those scripts are outdated now: many of the things they relied on have been merged into something else, changed, or simply don't exist anymore.

If I have missed a clear how-to for this, that would be wonderful; I just don't think I have.

© Ask Ubuntu or respective owner
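As an added example that is not part of the original post or of Ubuntu's own scripts, here is a keyscript for the arrangement Cain describes: on 12.04 the cryptroot initramfs script runs a `keyscript=` named in /etc/crypttab before root is mounted, so the script itself can unlock the cryptkey partition on the USB stick with a passphrase and stream the keyfile to cryptsetup. The device UUID, keyfile name, mount point and script path are assumptions.

```shell
#!/bin/sh
# twoform-key: initramfs keyscript for the layout above (illustrative; not the
# post's or Ubuntu's code). Referenced from /etc/crypttab, for example:
#   cryptroot /dev/sda none luks,keyscript=/usr/local/sbin/twoform-key
# The cryptroot initramfs hook copies the keyscript into the initramfs. Only the
# keyfile bytes may go to stdout; prompts and errors go to stderr.
# Placeholders: UUID of the small LUKS "cryptkey" partition on the USB stick and
# the keyfile name inside it.
KEYDEV="/dev/disk/by-uuid/PLACEHOLDER-CRYPTKEY-UUID"
KEYFILE="rootkey"
MAPPER="cryptkey"
MNT="/cryptkey-mnt"

# Wait up to $2 seconds for device $1; USB enumeration may lag the initramfs.
wait_for_device() {
    dev="$1"; tries="$2"
    while [ "$tries" -gt 0 ]; do
        [ -e "$dev" ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    [ -e "$dev" ]
}

# Passphrase for the key partition: askpass if the initramfs has it, else read.
ask_pass() {
    if [ -x /lib/cryptsetup/askpass ]; then
        /lib/cryptsetup/askpass "$1"
    else
        printf '%s' "$1" >&2; read -r pw < /dev/console; printf '%s' "$pw"
    fi
}

# Runs on every exit path so a wrong passphrase cannot leave the key partition open.
cleanup() { umount "$MNT" 2>/dev/null; cryptsetup luksClose "$MAPPER" 2>/dev/null; }

main() {
    wait_for_device "$KEYDEV" 10 || { echo "twoform-key: $KEYDEV missing" >&2; exit 1; }
    trap cleanup EXIT
    ask_pass "Passphrase for key partition: " \
        | cryptsetup luksOpen --key-file=- "$KEYDEV" "$MAPPER" || exit 1
    mkdir -p "$MNT" && mount -o ro "/dev/mapper/$MAPPER" "$MNT" || exit 1
    cat "$MNT/$KEYFILE"   # the only stdout output: the key that unlocks cryptroot
}

# Run only when the initramfs cryptroot script invokes us (12.04 exports
# crypttarget; newer cryptsetup exports CRYPTTAB_NAME); sourcing defines only.
if [ -n "${crypttarget:-}" ] || [ -n "${CRYPTTAB_NAME:-}" ]; then
    main "$@"
fi
```

After adding the crypttab line, run `update-initramfs -u` from the chroot so the keyscript and the USB storage modules land in the initramfs on the boot stick.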
