
Thread: Include an additional encrypted Device in the "Startup Decrypting Process"

  1. #1

    Include an additional encrypted Device in the "Startup Decrypting Process"

    Hi everyone,

    I hope this is the right place to ask this question. I've been searching the web for weeks now and I didn't find similar topics in the forum, so I made this new thread.

    What I've done so far:
    I've installed Ubuntu 12.04 LTS with the Alternate Installation CD on my HTPC. As partitioning method, I chose Guided - use entire disk and set up encrypted LVM because I wanted to have a fully encrypted system.
    I also have a luks encrypted mdadm RAID 5 device which contains all my video and audio files. At the moment I have to enter a password for the root partition on startup and after having logged in, I have to manually mount my data RAID device (from command line, since I use XBMC as HTPC user session).

    What I would like to do:
    I only want to type in one password at boot time but I want to decrypt the boot partition and the encrypted data RAID at the same time.
    I read that it is possible to decrypt other devices with key derivation. I tried several steps mentioned in wikis but I didn't get it to work. I probably don't have enough knowledge about fstab and crypttab and how these two files work together.

    Does anybody know a way to achieve this?
    Last edited by Steven McTowelie; April 12th, 2013 at 12:47 AM.

  2. #2

    Re: Include an additional encrypted Device in the "Startup Decrypting Process"

    I've figured it out (with the help of this German wiki page: http://wiki.ubuntuusers.de/LUKS/Schl%C3%BCsselableitung). If anyone else is interested, here is a short walk through:
    (I'm not a Linux pro - any suggestions on how it might have been done better are welcome).


    Step 1

    Open /etc/crypttab in order to find out what "mapper name" your root partition has:
    vi /etc/crypttab

    You should then be able to see an entry like this one (the xxxxx... stands for the disk's UUID):
    sda5_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks

    (So in my case the encrypted root partition's name is sda5_crypt.)



    Step 2
    The next step is to derive the encryption key into the already encrypted drive.

    sudo -i
    mkdir /mnt/ram && mount -t ramfs -o size=1m ramfs /mnt/ram && chmod 600 /mnt/ram
    /lib/cryptsetup/scripts/decrypt_derived sda5_crypt > /mnt/ram/tmp.key && cryptsetup luksAddKey /dev/disk/by-uuid/UUID-OF-YOUR-ENCRYPTED-DISK-YOU-WANT-TO-DECRYPT-ON-STARTUP-TOGETHER-WITH-BOOT /mnt/ram/tmp.key && rm /mnt/ram/tmp.key

    EDIT:
    You don't need to use the UUID here; it should also work this way:
    /lib/cryptsetup/scripts/decrypt_derived sda5_crypt > /mnt/ram/tmp.key && cryptsetup luksAddKey /dev/sdX1/2/... /mnt/ram/tmp.key && rm /mnt/ram/tmp.key
    (END EDIT)


    umount /mnt/ram && rmdir /mnt/ram


    You will be asked to type in the password for your encrypted disk which you should type in of course.



    Step 3
    Next thing I did was editing the file /etc/fstab (I'm not sure whether this is necessary).
    vi /etc/fstab or sudo vi /etc/fstab if you're not in sudo mode anymore

    Add a new line with the following:
    /dev/mapper/MAPPER-NAME-OF-YOUR-ENCRYPTED-DISK /mnt/MOUNTPOINT-DIRECTORY ext2/3/4 defaults 0 1

    (Of course the directory in /mnt needs to be created first. In my case the line I added was the following:
    /dev/mapper/data /mnt/data ext4 defaults 0 1
    since I always mounted my ext4 formatted data RAID with these commands:
    sudo cryptsetup luksOpen /dev/md/0 data
    sudo mount /dev/mapper/data /mnt/data

    Save the file by typing :wq!



    Step 4
    Re-open the file /etc/crypttab.
    vi /etc/crypttab or sudo vi /etc/crypttab if you're not in sudo mode anymore.

    Add a new line with the following:
    data UUID=UUID-OF-YOUR-ENCRYPTED-DISK-YOU-WANT-TO-DECRYPT-ON-STARTUP-TOGETHER-WITH-BOOT sda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

    Save the file by typing :wq!


    Step 5
    Refresh the boot/start files and reboot with this/these command(s):
    update-initramfs -u -k all && init 6 or sudo update-initramfs -u -k all && sudo init 6 if you're not in sudo mode anymore.


    That's it. I hope it's useful for some security obsessed people out there.
    Last edited by Steven McTowelie; April 12th, 2013 at 01:44 AM.
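The steps above depend on two files agreeing with each other, and on the order of lines in /etc/crypttab: the cryptsetup initramfs scripts process crypttab top to bottom, so the root mapping (sda5_crypt) must be listed before the entry that borrows its key through decrypt_derived, otherwise the data volume is processed before its key source exists and the boot-time unlock fails. The script below is an added example, not code from the post or from the cryptsetup project; it checks a crypttab/fstab pair for exactly those conditions before you run update-initramfs. The file contents, UUIDs and the mapper name `data` are constructed samples, and the helper names (`crypttab_source`, `check_derived`, `fstab_mountpoint`, `check_pair`) are this example's own.

```sh
#!/bin/sh
# Added example, not code from the forum post: sanity-check the crypttab and
# fstab entries of a decrypt_derived setup before running update-initramfs.
# Assumes the standard crypttab layout (name source keyfile options) and the
# standard fstab layout (device mountpoint type options dump pass).
# Mapper names, UUIDs and file contents below are constructed samples.

# crypttab_source NAME FILE
# Prints the key field of NAME's crypttab entry when that entry uses the
# decrypt_derived keyscript (that field names the source mapping); prints
# nothing otherwise.
crypttab_source() {
    awk -v n="$1" '
        $1 == n && index($4, "keyscript=/lib/cryptsetup/scripts/decrypt_derived") { print $3 }
    ' "$2"
}

# check_derived NAME FILE
# Returns 0 when NAME is a decrypt_derived entry whose source mapping is
# defined on an EARLIER line of FILE. The initramfs scripts walk crypttab
# top to bottom, so the source volume must already be unlocked when the
# derived entry is reached. Returns 1 for a non-derived entry, an unknown
# source, or a source listed after NAME.
check_derived() {
    name=$1; file=$2
    src=$(crypttab_source "$name" "$file")
    [ -n "$src" ] || return 1
    awk -v n="$name" -v s="$src" '
        $1 == s { seen = 1 }
        $1 == n { ok = seen; exit }
        END { exit (ok ? 0 : 1) }
    ' "$file"
}

# fstab_mountpoint MAPPER FILE
# Prints the mount point fstab assigns to /dev/mapper/MAPPER, or nothing.
fstab_mountpoint() {
    awk -v d="/dev/mapper/$1" '$1 == d { print $2 }' "$2"
}

# check_pair NAME CRYPTTAB FSTAB
# Returns 0 when NAME is a correctly ordered derived entry in CRYPTTAB and
# also has a mount point in FSTAB, i.e. steps 3 and 4 of the post agree.
check_pair() {
    check_derived "$1" "$2" || return 1
    [ -n "$(fstab_mountpoint "$1" "$3")" ]
}

# Constructed sample files, written to a scratch directory so the script
# never touches the real /etc/crypttab or /etc/fstab.
tmp=$(mktemp -d)

# Root volume first, derived data volume second (the working layout).
cat > "$tmp/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
sda5_crypt UUID=11111111-1111-1111-1111-111111111111 none luks
data UUID=22222222-2222-2222-2222-222222222222 sda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF

# Same two entries in the wrong order: data would be handled before
# sda5_crypt is unlocked, so decrypt_derived has nothing to derive from.
cat > "$tmp/crypttab.bad" <<'EOF'
data UUID=22222222-2222-2222-2222-222222222222 sda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
sda5_crypt UUID=11111111-1111-1111-1111-111111111111 none luks
EOF

# fstab line for the derived volume; pass 2 is the convention for non-root filesystems.
cat > "$tmp/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/data /mnt/data ext4 defaults 0 2
EOF

if check_pair data "$tmp/crypttab" "$tmp/fstab"; then
    echo "crypttab: data derives its key from $(crypttab_source data "$tmp/crypttab"), listed first"
    echo "fstab:    data mounts at $(fstab_mountpoint data "$tmp/fstab")"
else
    echo "data: crypttab/fstab entries are inconsistent" >&2
fi

if ! check_derived data "$tmp/crypttab.bad"; then
    echo "crypttab.bad: data is listed before its key source, boot-time unlock would fail" >&2
fi
```

Run it against copies of your own files by replacing the two `cat > ... <<'EOF'` blocks with `cp /etc/crypttab "$tmp/crypttab"` and `cp /etc/fstab "$tmp/fstab"`; the checks only read the files, so they are safe to run before the update-initramfs step. Keep in mind what the setup means for the threat model: the data volume's added key is derived from the root volume's master key, so the two volumes now stand or fall together, and anyone who can unlock the root volume can unlock the data RAID without a second secret.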
