
Unlocking a luks volume with a USB key

A luks encrypted disk partition is great. The only thing that can bug you from time to time is that you have to specify the key before you can use it. Or maybe, if you try to mount the volume with /etc/fstab, you’ll be prompted for the password during boot.

Wouldn’t it be great if you could use a real key to unlock your encrypted volume? Not a keyfile, but a physical key like the one you use to unlock your front door?!

Well, it’s not actually a key, but these LaCie USB Flash Drives come very close:

LaCie iamaKey USB Flash Drives

This article will show you how to generate a random key for your luks encrypted volume, hide it on any USB flash drive and use udev to unlock and mount your luks volume whenever you plug this flash drive into a USB port.





1. Generating a random keyfile


First, we need a random keyfile. Linux normally comes with two different random number generators: A blocking one called /dev/random and its non-blocking counterpart /dev/urandom.

The size of your keyfile and which RNG you use is totally up to you. Quite often you’ll find tutorials that recommend something like

dd if=/dev/urandom of=secretkey bs=512 count=4

which generates a 2048-byte (2^14-bit) keyfile. For the more paranoid among us:

dd if=/dev/random of=secretkey bs=1 count=4096

which generates a 4096-byte (2^15-bit) keyfile. Notice that this uses the blocking RNG /dev/random and can therefore take quite some time (5 min+), depending on how full the entropy pool currently is.




2. Adding keyfile to LUKS-Volume


Adding this keyfile to your existing luks volume is no big deal:

# cryptsetup luksAddKey /dev/md0 secretkey
Enter any LUKS passphrase:
Verify passphrase:
key slot 0 unlocked.
Command successful.

where /dev/md0 of course is the path to your luks device or partition.




3. Hiding key


You could now just copy this keyfile to your USB drive as you would any other file. But someone looking for the key would easily find it. So we’ll hide the key directly between the MBR and the first partition.

WARNING: You should only follow this step if you know what you are doing – it can cause data loss and damage your partitions or MBR on the stick!

If you have a bootloader installed on your drive you have to adjust the values, e.g. Grub needs the first 16 sectors, so you would have to replace seek=4 with seek=16; otherwise you will overwrite parts of your Grub installation. When in doubt, take a look at the first 64 sectors of your drive and decide on your own where to place your key.

Optional:

dd if=/dev/usbstick of=64sectors bs=512 count=64  # copy first 64 sectors
ghex2 64sectors                                   # determine free space

Now you can write your key to the disk:

dd if=secretkey of=/dev/usbstick bs=512 seek=4

You should not simply use rm to delete the keyfile, because rm only unlinks it from your filesystem (the data would still be left physically intact on disk). If everything went fine, you can overwrite and delete your temporary secretkey with

shred --remove --zero secretkey




4. Udev Auto-Magic


We need to achieve two things: First, we have to make sure our USB drive containing the key can always be found under the same name. Second, we need to execute a shell script that unlocks the luks volume and mounts it whenever the USB drive is plugged into a USB port. This can be done with a small udev rule:

BUS=="usb",
KERNEL=="sd*",
ATTRS{manufacturer}=="laCie",
[...]
SYMLINK+="usbkey%n",
RUN+="/usr/local/bin/unlock-luks"

A tutorial on how to write udev rules would go way beyond the scope of this article. Notice the last two lines: SYMLINK+="usbkey%n" ensures that our USB drive can be found under /dev/usbkey, and RUN+="/usr/local/bin/unlock-luks" runs a shell script every time we plug it in.

Save it as /etc/udev/rules.d/99-unlock-lucks.rules and reload all udev rules with

# udevadm control --reload-rules

To make sure that this happens only when the USB drive containing the key is plugged in, you have to specify some more attributes besides ATTRS{manufacturer}. You can query those attributes with udevadm. A nice document describing how to write udev rules can be found on http://www.reactivated.net/writing_udev_rules.html.




5. Mounting script


The udev rule runs /usr/local/bin/unlock-luks every time the USB drive containing the key is plugged in. We could do nearly anything within this script, but the obvious thing is to unlock the luks volume and mount it somewhere:

#!/bin/bash
# read the 4096-byte key starting at sector 4 (byte 2048) of the stick and feed it to cryptsetup on stdin
dd if=/dev/usbkey bs=512 skip=4 count=8 | cryptsetup luksOpen /dev/md0 luksVolume --key-file=- && mount /dev/mapper/luksVolume /mnt/

Notice that this skips the first 2048 bytes and reads the next 4096 bytes. If you generated a smaller or bigger keyfile, or placed your keyfile somewhere else on your USB drive in Section 3, YMMV!
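The hide-and-read-back part of the procedure above, as an added example that is not from the original article: it derives the dd count from the keyfile size, refuses to write unless the key fits between the MBR and the first partition, and verifies that the bytes read back with the matching skip/count equal the original keyfile. It assumes a plain image file in place of /dev/usbstick (so it runs without root) and takes the first partition's start sector as a parameter (on a real stick, the value fdisk -l shows).

```shell
#!/bin/bash
# Added example, not from the article: hide a keyfile in the sector gap of a
# disk image and read it back exactly the way the unlock script does.
# IMG is a plain file here so this runs without root; on real hardware it would
# be the stick itself (e.g. /dev/usbstick) and FIRST_PART_START the start
# sector of its first partition as shown by 'fdisk -l'.
set -eu
SECTOR=512

# key_sectors KEYFILE: number of 512-byte sectors needed to hold it (dd count=).
key_sectors() {
    echo $(( ($(wc -c < "$1") + SECTOR - 1) / SECTOR ))
}

# gap_ok SEEK COUNT FIRST_PART_START: true when sectors [SEEK, SEEK+COUNT)
# lie after the MBR (sector 0) and before the first partition.
gap_ok() {
    [ "$1" -ge 1 ] && [ $(( $1 + $2 )) -le "$3" ]
}

# hide_key KEYFILE IMG SEEK FIRST_PART_START: write the key at sector SEEK,
# but only if it fits in the gap. conv=notrunc keeps the rest of the image
# file intact; on a block device it makes no difference.
hide_key() {
    local key=$1 img=$2 seek=$3 start=$4 count
    count=$(key_sectors "$key")
    gap_ok "$seek" "$count" "$start" || { echo "key would overlap MBR or first partition" >&2; return 1; }
    dd if="$key" of="$img" bs=$SECTOR seek="$seek" conv=notrunc 2>/dev/null
}

# read_key IMG SEEK COUNT: the same dd the udev-triggered script pipes into
# cryptsetup luksOpen --key-file=-.
read_key() {
    dd if="$1" bs=$SECTOR skip="$2" count="$3" 2>/dev/null
}

# roundtrip KEYFILE IMG SEEK FIRST_PART_START: hide the key, read it back and
# print "ok" when the bytes match the original keyfile.
roundtrip() {
    local key=$1 img=$2 seek=$3 start=$4 bytes
    hide_key "$key" "$img" "$seek" "$start"
    bytes=$(( $(wc -c < "$key") ))
    if read_key "$img" "$seek" "$(key_sectors "$key")" | head -c "$bytes" | cmp -s - "$key"; then
        echo ok
    else
        echo mismatch
    fi
}
```

Run roundtrip against an image (or the stick) with the seek value you chose; if it prints mismatch, the skip/count pair in unlock-luks does not match where the key was written.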
