EncryptedFSRemovableKeyDeviceHowto

Revision 1 as of 2009-04-23 23:41:43


WARNING

WORK IN PROGRESS
THIS HOWTO IS NOT YET COMPLETED.
PLEASE DO NOT EDIT THIS PAGE AND DO NOT FOLLOW THE INSTRUCTIONS YET.
THANKS!

Encrypted LUKS FS with Removable Drive as Key Howto

Using this tutorial you can set up a LUKS encrypted partition that is unlocked at boot with a key stored on a removable device. If the device is not present, you will be asked for a passphrase instead.

THE KEY WILL NOT BE STORED AS A FILE, BUT ITS BYTES WILL BE RAW-COPIED ONTO THE REMOVABLE DEVICE.

This tutorial assumes that you already have an encrypted partition and a removable device to store the key on.

Let's call /dev/sdX the encrypted drive/partition and /dev/sdY the removable device.

Formatting your removable device

Format your device as you want, but make sure to create an unformatted partition where we are going to physically write the key. Make sure to create a partition and not just leave the space unallocated.

For example, you may want to create 2 partitions: one fat32 for storing files as usual and one (unformatted) for the key.

You may use parted (Command Line Interface) or gparted (graphical UI), to install them just type:

sudo apt-get install parted

or

sudo apt-get install gparted

Let's call /dev/sdY2 the unformatted partition.

Creating the key

Now we need to create a new key and add it to the encrypted drive. You can use the following command for a 256-byte key (if the command blocks, just move your mouse or press some keys to generate the needed entropy):

dd if=/dev/random of=keyfile.key bs=1 count=256

Now add that key to the LUKS device (the encrypted one, not the removable one):

sudo cryptsetup luksAddKey /dev/sdX keyfile.key

You'll need to provide a working key for that drive.

Writing the key to the removable device

Now we're going to write the generated key directly onto the unformatted partition of the removable device. The key will NOT be written as a file; its raw bytes will be copied. It will not be visible when the device is mounted on a system. The unformatted partition ensures we have a means to access the location where the key is stored and prevents other systems from messing with your device.

Now just do:

sudo dd if=keyfile.key of=/dev/sdY2 bs=1 count=256

At this point you can safely remove the keyfile:

shred -u keyfile.key
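The steps above gathered into one script, as an added example that is not part of the original howto: it generates the key, writes it as raw bytes, reads the first 256 bytes back and compares them with cmp before the local copy is shredded, so a failed write never leaves you with a key that exists nowhere. KEY_SIZE, the function names and the optional --test-passphrase check are my additions. Run it as root when the target is a real partition (the howto's /dev/sdY2); for a dry run the target may be an ordinary file.

```shell
#!/bin/sh
# Added example, not from the original howto. Writes a raw 256-byte key to an
# unformatted partition and verifies the readback before shredding the local
# copy. For a dry run the "device" may be a regular file.

KEY_SIZE=256   # assumption: same size the howto uses with dd count=256

# Generate a KEY_SIZE-byte random key into $1 (same source as the howto).
gen_key() {
    dd if=/dev/random of="$1" bs=1 count="$KEY_SIZE" 2>/dev/null || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$KEY_SIZE" ]
}

# Write key file $1 as raw bytes to the start of $2. conv=notrunc matters only
# when $2 is a regular file (a block device cannot be truncated anyway).
write_key() {
    dd if="$1" of="$2" bs=1 count="$KEY_SIZE" conv=notrunc 2>/dev/null || return 1
    sync
}

# Read the first KEY_SIZE bytes of $1 back into $2.
read_key() {
    dd if="$1" of="$2" bs=1 count="$KEY_SIZE" 2>/dev/null
}

# Compare key file $1 with the first KEY_SIZE bytes of $2; 0 means identical.
verify_key() {
    tmp=$(mktemp) || return 1
    read_key "$2" "$tmp" || { rm -f "$tmp"; return 1; }
    cmp -s "$1" "$tmp"
    rc=$?
    shred -u "$tmp" 2>/dev/null || rm -f "$tmp"
    return $rc
}

# Full flow: generate, add to LUKS (only if $3 is given), write, verify, shred.
# On a readback mismatch the key file is kept so the LUKS slot is not orphaned.
install_key() {
    keyfile=$1; keydev=$2; luksdev=$3
    gen_key "$keyfile" || return 1
    if [ -n "$luksdev" ]; then
        cryptsetup luksAddKey "$luksdev" "$keyfile" || return 1
        # Confirm the new slot really unlocks the device without mapping it.
        cryptsetup luksOpen --test-passphrase --key-file "$keyfile" "$luksdev" || return 1
    fi
    write_key "$keyfile" "$keydev" || return 1
    if ! verify_key "$keyfile" "$keydev"; then
        echo "readback from $keydev does not match; keeping $keyfile" >&2
        return 1
    fi
    shred -u "$keyfile"
}

# Usage (real run, as root):  install_key keyfile.key /dev/sdY2 /dev/sdX
```

Keeping the key file on a mismatch is deliberate: the slot was already added with luksAddKey, and shredding the only good copy would leave that slot unusable until it is removed with luksRemoveKey.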

TO BE CONTINUED