I’ve been playing around with dm-crypt and LUKS.

I’ve come up with a 10-step process to encrypt a couple of hard disks (not the boot drive) and use a USB key plugged in at boot time to unlock them – boot without the USB key in, and you boot fine, but the drives aren’t mounted or readable.

Initially I was going to try some UDEV rules to unlock+mount the drives whenever a USB key was plugged in, but in true UDEV style, it didn’t work – we got an endless loop of cryptsetup processes, also there’s a method for reading the keyfile from the USB drive from Grub, but that didn’t seem to work either, so I’m sticking with my method below.

  1. Create a partition on each disk, optionally filling with random data first:
dd if=/dev/urandom of=/dev/sdb
dd if=/dev/urandom of=/dev/sdc

fdisk /dev/sdb
fdisk /dev/sdc
  1. Format and encrypt in one command:
luksformat -t ext3 /dev/sdb1
luksformat -t ext3 /dev/sdc1
  1. Fill keyfile with random data:
dd if=/dev/urandom of=secretkey bs=512 count=4
  1. Add keyfile to LUKS volumes:
cryptsetup luksAddKey /dev/sdb1 secretkey
cryptsetup luksAddKey /dev/sdc1 secretkey
  1. Fill USB key with random data, an old 64Mb disk took a few minutes:
dd if=/dev/urandom of=/dev/disk/by-id/usb-Mobile_Drive_7777777777777777-0\:0
  1. Write keyfile to USB key’s MBR, note this will be invisible as its outside the partition table, and there’s no partitions defined, so it won’t mount the drive either:
dd if=secretkey of=/dev/disk/by-id/usb-Mobile_Drive_7777777777777777-0\:0  bs=512 seek=4
  1. Secure delete the keyfile from hard disk – note you still have the passphrase (created in #2) to unlock the volumes if things go wrong:
shred --remove --zero secretkey
  1. Update /etc/crypttab (chown root:root, chmod 600):
data1 /dev/sdb1 /dev/disk/by-id/usb-Mobile_Drive_7777777777777777-0\:0 luks,keyscript=/usr/local/bin/unlock-luks
data2 /dev/sdc1 /dev/disk/by-id/usb-Mobile_Drive_7777777777777777-0\:0 luks,keyscript=/usr/local/bin/unlock-luks
  1. Create /usr/local/bin/unlock-luks (chown root:root, chmod 700):

if [ -e $1 ]
dd if=$1 bs=512 skip=4 count=4
  1. Mount the encrypted volume at boot.

We do this in /etc/rc.local (chown root:root, chmod 700) as its the last part of the boot process – testing to see if LUKS managed to map the volumes first:

#!/bin/sh -e

if [ -e /dev/mapper/data1 -a -e /dev/mapper/data2 ] 
mount /dev/mapper/data1 /export/data1
mount /dev/mapper/data2 /export/data2

exit 0