Hi folks,
I have Alpine Linux installed in an encrypted LUKS partition. I came across this tutorial which shows how to setup a key in a USB drive and when the drive is inserted and the computer booted, the LUKS partition auto-unlocks with the key on the USB drive.
I would like to setup the same thing but I do not have Alpine linux installed on ZFS, so I’m looking for ways to adapt the instructions.
So far, what I’ve done is:
- I’ve setup the key on the usb stick and I can unlock the LUKS partition with that key.
- create a
/etc/mkinitfs/features.d/usb-unlock.shscript with the following content:
(the echo to /dev/kmesg was to check whether the script did indeed run at boot by trying to print to the kernel messages but I can’t find anything in the kernel messages).
#!/bin/sh
echo "usb-unlock script starting..." > /dev/kmsg
USB_MOUNT="/mnt/my-usb-key" # The USB stick mounting point
LUKS_KEY_FILE="awesome.key" # The name of your keyfile on the USB stick
# Search for the USB stick with the key
for device in $(ls /dev/disk/by-uuid/*); do
mount $device $USB_MOUNT 2>/dev/null
if [ -f "$USB_MOUNT/$LUKS_KEY_FILE" ]; then
# Unlock the LUKS partition
cryptsetup luksOpen /dev/sda3 cryptroot \
--key-file "$USB_MOUNT/$LUKS_KEY_FILE" && exit 0
fi
umount $USB_MOUNT
done
echo "No USB key found, falling back to password prompt." # this message never appears, despite not having found the key on the usb stick
echo "usb-unlock script ending." > /dev/kmsg
- I added
usb-unlockto thefeaturesinmkinitfs.conf:
mytestalpine:~# cat /etc/mkinitfs/mkinitfs.conf
features="ata base ide scsi usb virtio ext4 cryptsetup keymap usb-unlock"
- run
mkinitfsto rebuild the initramfs. Then reboot to test the implementation, which was unsuccessful.
What am I missing / doing wrong? Thank you for your help!
Edit: forgot to add step 4
Dracut may have this functionality already built in via rd.luks.key, so a custom module would really only make sense if you’re trying to do more than that. You can probably get away with just using that if you just want it to work, but if you want to customize stuff:
I suspect your module is running well after the device is already supposed to be
cryptsetup opened. The way the default crypt module handles it is by setting up udev configuration in a very early phase, and then having udev request the password a little bit later when it finds the device it’s trying to open, until all devices are ready. It’s a complex mechanism compared to Alpine’s straightforward script, but it’s much more flexible when it comes to ordering of things like RAID/network devices/LUKS/etc.The result of that is that your code would have to run much earlier. There’s some documentation on how hooks work, and the builtin
rd.luks.key/ keydev handler runs at cmdline 10. That’s well before your pre-mount, and probably where you’d want to run your code. Based on a cursory inspection of the other code, you could eithercryptsetup openit yourself if you use the name it expects (rd.luks.name=cmdline parameter orluks-$luks_container_uuid), or you could use that/tmp/luks.keysmechanism (it’s a dracut-internal thing so you won’t find much documentation, but it lives in crypt-lib.sh, cryptroot-ask.sh and probe-keydev.sh).As for debugging, the cmdline manpage has a few decent enough options.
rd.break=cmdlineor similar can force a shell before Dracut goes through a specific phase of hooks. You should be able to manually test doing things similar to your script at that point.