Hi Tim,
full disk encryption is provided by your distribution, usually
by some mechanism in the initrd. This is out of scope for this
mailing-list here.
However I can tell you that I have personally done something
similar to what you want.
What you need to do is either drop to a shell in the initrd
and mount the usb-key using that, or that you modify the
code in the initrd to mount that USB-stick and read the passphrase
from it. The other thing you could do with a remotely-accessible
shell in the initrd is that you could use that to
mount the encrypted volumes manually yourself and then
continue the root process, on debian with something like this:
exec switch_root /mnt/root /sbin/init
You copuld also hardcode the passprase in the initrd and
place initrd and kernel on that USB-key. That is what I have
done.
I can give you a bit of background about what a Debian initrd
looks like, and Ubuntu may be similar. All action happens in
/init, which on the initrd is a shell-script executed
by busybox and hence pretty straight-forward to change. For
testing, I just used the following "init". You can use something
like this to find out what commands work. After that
you can put in your custom init instead. You can also add
binaries to teh initrd, but you must make sure they are
either statically compiled or all libraries are there.
----
#!/bin/sh
export PATH=/sbin:/bin
[ -d /sys ] || mkdir /sys
[ -d /proc ] || mkdir /proc
[ -d /tmp ] || mkdir /tmp
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
mount -t proc -o nodev,noexec,nosuid proc /proc
echo
echo "initrd is running"
echo "Using BusyBox..."
echo
exec /bin/ash --login
----
Now, how do you create or modify an initrd? Best reference I
have is this one here:
http://www.thegeekstuff.com/2009/07/how-to-view-modify-and-recreate-initrd-img/
Regards,
Arno
On Tue, Oct 04, 2016 at 10:37:36 CEST, Tim Kerby wrote:
> I've enabled full disk encryption on a recent server install of Ubuntu
> (using the checkbox in the installer). This is there mainly for security
> when disks are replaced
>
> Unfortunately, we've had a few power failures and the requirement to enter
> the passphrase for LUKS at the physical terminal is an issue.
>
> I'd be happy to keep a keyfile on a USB key or SD card as I could mount
> these internal to the server which is physically secured
>
> Is there a method to ensure the USB key is mounted prior to the password
> prompt and adding the keyfile as an additional method at startup?
>
> Thanks
>
> Tim
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
