HOWTO: Automatically unlock LUKS encrypted drives with a keyfile
Well, I have written so far two tutorials with LUKS/dm_crypt involved. First one was how to enable encryption on Feisty Fawn (wasn't included back then by default) and the other one was how to reboot/unlock through a remote connection.
This howto was then written because of a question in the second howto. The problem there was how to unlock multiple devices in the intial ramdisk remotely. I suggested instead to use a keyfile for automatic unlocking. The keyfile should be stored in the normally encrypted root partition - so you still have to unlock that one. During boot process it will then be used to unlock all the other devices.
Of course one could also use an encrypted LVM so that all space is encrypted but only one password is required. I have not seen a usage for LVM so far and it seems, that others do not also but prefer to have individual encrypted devices. That way you could easily move an encrypted harddisk to another computer. I'm not sure if that works with LVM encrypted drives also because I have no experience with it.
One might ask how secure is this setup? I'd say pretty safe. During this howto the keyfile will be made read-only to root. So, if someone can access the keyfile you have more serious problems anyway on your computer.
Step 1: Create a random keyfile
This will create a file with random content with the size of 4096 bits (better than a 20/30 character password....). You can use any file to act as keyfile but I think a 4kb file with random content is good suited.
sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
Step 2: Make the keyfile read-only to root
That will make the keyfile readable only by root. If someone get access to this keyfile, then you have a bigger problem on your computer anyway.
sudo chmod 0400 /root/keyfile
Alternatively chown your desired keyfile to root:root and move it into the /root folder.
Step 3: Add the keyfile to LUKS
LUKS/dm_crypt enabled devices may hold up to 10 different keyfiles/passwords. So, next to having the already setup password we're going to add this keyfile as additional authorization method.
sdX is of course your LUKS device.
sudo cryptsetup luksAddKey /dev/sdX /root/keyfile
First you'll be prompted to enter an (existing) password to unlock the drive. If everything works well, you should get an output like this:
Step 4: Create a mapper
Enter any LUKS passphrase:
key slot 0 unlocked.
LUKS devices need to create a mapper that can then be referenced in the fstab. Open /etc/crypttab
and add then a line like this (or replace the existing one for that partition)
sudo nano /etc/crypttab
or you can use the UUID of the device
sdX_crypt /dev/sdX /root/keyfile luks
sdX_crypt is the name of the mapper that is being created. You can use here any name e.g. "music" or "movies" or "sfdsfawe" ....
sdX_crypt /dev/disk/by-uuid/247ad289-dbe5-4419-9965-e3cd30f0b080 /root/keyfile luks
Save and close the file by issuing ctrl-x, enter, enter. Ctrl-x closes nano but first it asks to save the file [yes = enter] and what the name shall be [same name = enter].
What we have done there actually is telling that /root/keyfile shall be used instead of password entry to unlock the drive.
Step 5: Mount the device in fstab
Now, we have an unlocked device (well, not yet but when the system is being booted up) and we just need to mount it now. Open /etc/fstab
and add a new entry like
sudo nano /etc/fstab
Make sure you have the correct mapper name that you added in step 4. Also make sure that the mount point/folder exists. After having added it, save again the file and close it (ctrl-x, enter, enter).
/dev/mapper/sdX_crypt /media/sdX ext3 defaults 0 2
Step 6: Reboot or remount
That's it. Now you can reboot and the additional devices should be auto-unlocked and mounted. You can also test it by remounting all devices