inittab -> crypttab
marcelm

It's possible to simply store the luks password in a file.

I use this on my home computer; the root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.

This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.

My /etc/crypttab looks like this:

    crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
    crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks

The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:

Tm90IHJlYWxseSBteSBwYXNzd29yZC4K 

Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:

-rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key 

You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).
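
The keyfile handling described in the answer above, as an added example that is not part of the original post: one function writes a generated key with no trailing newline and owner-only permissions, the other reports the two problems the answer warns about. The function names `make_keyfile` and `keyfile_problems` are hypothetical, and the script assumes `base64` and `head -c` are available; the `cryptsetup` lines are comments only, since they need root and the real device.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.

# make_keyfile PATH: write 32 random bytes as base64, with no trailing newline.
# The subshell keeps the restrictive umask from leaking into the caller.
make_keyfile() {
    ( umask 077 && head -c 32 /dev/urandom | base64 | tr -d '\n' > "$1" )
}

# keyfile_problems PATH: print one line per problem found; print nothing if clean.
keyfile_problems() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 0; }
    [ -s "$f" ] || { echo "empty"; return 0; }
    # Columns 5-10 of the ls -l mode string are the group and other bits;
    # for -rw------- they must all be dashes.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || echo "group/other access: $perms"
    # Every byte of the keyfile is key material, so a final newline, carriage
    # return, space or tab silently becomes part of the password.
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a|0d|20|09) echo "trailing whitespace byte 0x$last" ;;
    esac
}

# Enrolling and testing the key (run as root; device taken from the crypttab above):
#   cryptsetup luksAddKey /dev/disk/by-uuid/96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key
#   cryptsetup open --test-passphrase --key-file /etc/crypt-data.key \
#       /dev/disk/by-uuid/96d79323-246d-49e0-9149-ec3a4cfc1c1e
```
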

Clarified how luks finds the keyfile.
marcelm

It's possible to simply store the luks password in a file.

I use this on my home computer; the root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.

This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.

My /etc/inittab looks like this:

    crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
    crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks

The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:

Tm90IHJlYWxseSBteSBwYXNzd29yZC4K 

Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:

-rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key 

You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).

marcelm

It's possible to simply store the luks password in a file.

I use this on my home computer; the root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.

This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.

My /etc/inittab looks like this:

    crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
    crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks

And /etc/crypt-data.key contains the luks password:

Tm90IHJlYWxseSBteSBwYXNzd29yZC4K 

Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:

-rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key 

You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).