On 2017-08-22 15:00, Marco Cavallini wrote:
> Hi,
> I'd like to use something like a keyfile instead of a passphrase for
> my encrypted volume.
> My goal is to decrypt my volume without user intervention.
> For example I can read the UUID of a disk partition and use that as password.
> The easiest place where to add my code seems crypt_get_key() function
> in lib/utils_crypt.c
>
> Maybe someone already came across this problem and I am trying to
> re-invent the wheel, for this reason I'm asking advice to the dm-crypt
> gurus.
>
> Comment and hints will be greatly appreciated.
> Thank you

I'm not a guru, but I do that easily.

/etc/crypttab:

cr_home /dev/disk/by-id/something-part5 none none
cr_two /dev/disk/by-uuid/someuuid /home/cer/Keys/the_two_keyfile auto

/etc/fstab:

/dev/mapper/cr_home /home xfs lazytime,,nofail 0 2
/dev/mapper/cr_two /data/two xfs user,lazytime,exec,nofail 1 3

"/data/two" is mounted automatically without asking for the passphrase,
after home is mounted.

You should not have the key file available on a non-encrypted mount, of
course. Or not one that is always available on the computer, or the
thieves will open your files.

The key file is a randomly generated file of 4096 bytes.

The second device is encrypted normally, with a password. Later you
create the key file (on another device), then add it:

time dd iflag=fullblock if=/dev/random of=the_two_keyfile bs=512 count=8
cryptsetup luksAddKey /dev/sdd1 /home/cer/Keys/the_two_keyfile
crypto_unmap cr_two
cryptsetup luksOpen --key-file=/home/cer/Keys/the_two_keyfile /dev/sdd1 cr_two

HTH

--
Cheers / Saludos,

Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
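
An added example, not part of the original message or of cryptsetup: a Python check for the point made in the reply, that a key file named in /etc/crypttab must not sit on a non-encrypted mount. It assumes mounts reference crypttab mappings as /dev/mapper/<name>; the function names, the sample mount table and the /dev/sda2 root device are constructed for illustration.

```python
import os

# Constructed sample inputs: the crypttab from the message and a mount table
SAMPLE_CRYPTTAB = """\
cr_home /dev/disk/by-id/something-part5 none none
cr_two /dev/disk/by-uuid/someuuid /home/cer/Keys/the_two_keyfile auto
"""
SAMPLE_MOUNTS = [("/", "/dev/sda2"), ("/home", "/dev/mapper/cr_home"),
                 ("/data/two", "/dev/mapper/cr_two")]

def parse_crypttab(text):
    """Yield (name, keyfile or None) for every crypttab entry."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:  # skip blank lines, comments, malformed entries
            key = fields[2] if len(fields) > 2 else "none"
            yield fields[0], (None if key in ("none", "-") else key)

def mount_source(path, mounts):
    """Source device of the longest mount point that contains path."""
    hits = [(mp, src) for mp, src in mounts
            if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=lambda h: len(h[0]))[1] if hits else None

def file_mode(path):
    """Permission bits of path, or None when it cannot be stat'ed here."""
    try:
        return os.stat(path).st_mode & 0o777
    except OSError:
        return None

def audit(crypttab_text, mounts, mode_of=file_mode):
    """Return [(mapping, problem)] for key files that are poorly protected."""
    entries = list(parse_crypttab(crypttab_text))
    # Assumption: an encrypted mount shows up as /dev/mapper/<crypttab name>
    mapped = {"/dev/mapper/" + name for name, _ in entries}
    findings = []
    for name, key in entries:
        if key is None or key.startswith("/dev/"):
            continue  # passphrase prompt, or a device key such as /dev/urandom
        src = mount_source(key, mounts)
        if src not in mapped:
            findings.append((name, "key file on non-encrypted mount"))
        elif src == "/dev/mapper/" + name:
            findings.append((name, "key file stored on the volume it unlocks"))
        if (mode_of(key) or 0) & 0o077:
            findings.append((name, "key file readable by group or others"))
    return findings
```

On a live system, build the mount table from /proc/mounts and pass the contents of /etc/crypttab; run it as root so the key files can be stat'ed.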