The example values in the scripts and configs fit this config:
cryptsytem02:~$ lsblk -o name,uuid,mountpoint
NAME UUID MOUNTPOINT
sda
├─sda1 7c4412c5-31ab-4f83-ae9c-6229cf4e3b3a /boot
├─sda2
└─sda5 9d003550-9fbc-433f-b94d-e0e53f7d77fa
└─sda5_crypt 8Pe8WC-kMxq-D09F-eqXF-dNTu-CFQ8-X9Wq3l
├─ubuntu--vg-root
│ e1ed5467-dc20-4c99-9bb8-18d9a722d6aa /
└─ubuntu--vg-swap_1
0faaec1b-da87-4f44-8a82-210e2819212b [SWAP]
sdb
Thoroughly follow the steps specified below.
Warning: Be careful! If something goes wrong, your system may stop booting!
Replace the following values according to your system (use $ lslbk
to get your parameters):
sda5_crypt
-> your encrypted root partitionsda5
-> your unlocked root partitionsdb
-> your removeable device that will carry the key/dev/mapper/ubuntu--vg-root
-> your lvm name of root (on my test machine, this parameter was not needed)
Change the value of DECRYPTKEYDEVICE_DISKID
to the ID of your removable device that will carry the decryption key.
You may get the ID of the device via:
$ ls /dev/disk/by-id/
NOTE: You can specify multiple device ID's separated by a blank. This requires setting up each device individually as described in step 3.
First, run:
$ chmod +x ./generateKeyForCurrentDevice.sh
Subsequently, run once for each device that should carry a decryption key:
$ sudo ./generateKeyForCurrentDevice.sh
Enter an existing decryption pass phrase when asked to do so.
This creates the decryption key in the boot sector of the device and then adds it to your LUKS config. This also means that each removeable device will have a different decryption key.
NOTE: Make sure to keep only one device at a time connected to your machine, otherwise this won't work properly.
Create a backup of your initrd.img
:
$ ls /boot/initrd*
initrd.img-4.15.0-29-generic initrd.img-4.15.0-39-generic
$ sudo cp /boot/initrd.img-4.15.0-39-generic /boot/initrd.img-4.15.0-39-generic.bak
Then add the scripts to your boot config:
$ chmod +x ./initAutoUnlockOnBootConfig.sh
$ sudo ./initAutoUnlockOnBootConfig.sh
If no error occurred during execution, you should be good to reboot. Otherwise, check the previous steps again and adjust you config. Then run again. If the error persists, restore you backed up initrd.img
, otherwise you will most likely not be able to boot!
NOTE: If you have previously run `initAutoUnlockOnBootConfig.sh, you will get an error that the directory /etc/decryptkeydevice already exists. You can ignore this one!
https://www.len.ro/work/luks-disk-encryption-with-usb-key-on-ubuntu-14-04/
https://wiki.ubuntuusers.de/System_verschl%C3%BCsseln/Schl%C3%BCsselableitung/