43 lines
1.8 KiB
Plaintext
43 lines
1.8 KiB
Plaintext
Using GnuPG keys for LUKS dm-crypt devices in Debian
|
|
====================================================
|
|
|
|
The Debian cryptsetup package provides the keyscript `decrypt_gnupg` for
|
|
setups with a GnuPG encrypted LUKS keyfile.
|
|
|
|
The following example assumes that you store the encrypted keyfile in
|
|
`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/<luks_device>`.
|
|
|
|
First, you'll have to create the encrypted keyfile:
|
|
|
|
dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
|
|
--no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
|
|
--trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg
|
|
|
|
Next the LUKS device needs to be formated with the key. For that, the
|
|
`decrypt_gnupg` keyscript can be used:
|
|
|
|
/lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \
|
|
cryptsetup --key-file=- luksFormat /dev/<luks_device>
|
|
|
|
In order to unlock the encrypted LUKS device automatically during boot process,
|
|
add the following to `/etc/crypttab`:
|
|
|
|
cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,discard,keyscript=decrypt_gnupg
|
|
|
|
|
|
Decrypting the keyfile at initramfs stage
|
|
-----------------------------------------
|
|
|
|
If the device is to be unlocked at initramfs stage (such as for the root FS or
|
|
the resume device), the provided initramfs hooks should do all additionally
|
|
required work for you when the initramfs is created or updated.
|
|
|
|
Be warned though, that for such devices the GnuPG encrypted key is copied to
|
|
the initramfs by the initramfs cryptgnupg hook. If you don't want this, you
|
|
should take a look at the initramfs cryptgnupg hook, which is located at
|
|
`/usr/share/initramfs-tools/hooks/cryptgnupg`.
|
|
|
|
-- Jonas Meurer <jonas@freesources.org> Thu, 04 Mar 2010 17:31:40 +0100
|
|
|
|
-- Guilhem Moulin <guilhem@guilhem.org> Sat, 17 Sep 2016 16:14:41 +0200
|