Debian/cryptroot

From Servfire

Leaving for holidays but want to set up a temporary key so your server can keep booting while you're away?

First, we add a key to the root drive:

cryptsetup luksAddKey /dev/md1 (replace /dev/md1 with your root LUKS device)

cryptsetup asks for an existing passphrase first, then for the new one (and asks you to verify it). Length and strength don't matter here: this method ends up storing a cleartext copy of the new passphrase in the initramfs image, which lives on the unencrypted /boot partition, so anyone who can read /boot can unlock the root volume. It is totally insecure, but it gives you a way to boot the encrypted root without anyone typing a passphrase, for a temporary period.

Next, we need a short script that does the key entry at boot. It's pretty simple: create a file such as /usr/local/sbin/root-keyscript, make it executable and readable only by root (chmod 700; the initramfs hook copies it as root, so there is no reason for it to be world-readable), and put this in it:

#!/bin/sh
echo -n basicTempKey

Where basicTempKey is the passphrase you just added. The script has to write exactly the passphrase bytes and nothing else (hence echo -n: a trailing newline would make the key wrong). As mentioned above, this key is stored in cleartext and is totally insecure, but at least you can revoke it from LUKS when you get back from holidays :)

And to finish, edit your /etc/crypttab and, on your root entry, add the keyscript option next to the luks option, so the line looks like:

md1_crypt UUID=f27ade18-7440-41e0-afc7-f86d4dc6c889 none luks,keyscript=/usr/local/sbin/root-keyscript

Finally, update the initramfs with:

update-initramfs -u

And done: on the next reboot, the key emitted by the keyscript stored in the initramfs is used instead of asking you for one. When you get back, undo it in the same order: remove the keyscript option from /etc/crypttab, run update-initramfs -u again, then run cryptsetup luksRemoveKey /dev/md1 (or wherever your root drive is). luksRemoveKey removes whichever key slot matches the passphrase you give it, so type the temporary key here, not your real passphrase, and check with cryptsetup luksDump /dev/md1 that the slot is gone. You can wipe the keyscript file out if you want, but since the key is removed from LUKS, it's of no use to anyone now :)
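As an added example (not a script from the original page), here is the whole round trip as one shell script: it adds a random temporary key, writes the keyscript, edits the crypttab line, rebuilds the initramfs and checks that the keyscript actually landed in it; "disable" reverses the steps in the order above and feeds luksRemoveKey the temporary key so the real passphrase is never touched. It assumes the /dev/md1 device, md1_crypt mapping and /usr/local/sbin/root-keyscript path used on this page, and Debian's cryptsetup, update-initramfs and lsinitramfs tools; the crypttab helpers are plain text functions so they can be tested without touching the system.

```sh
#!/bin/sh
# Added example, not from the original page. Toggle a temporary LUKS keyscript
# for the encrypted root on Debian. Assumed names: /dev/md1, md1_crypt,
# /usr/local/sbin/root-keyscript (as on the page). Run as root.
set -eu

DEV=/dev/md1
MAPPING=md1_crypt
KEYSCRIPT=/usr/local/sbin/root-keyscript
CRYPTTAB=/etc/crypttab

# Pure text helper: append keyscript=<path> to the options field (field 4) of
# one crypttab line. Idempotent: a line that already has a keyscript= option
# is returned unchanged.
add_keyscript_option() {        # $1 = crypttab line, $2 = keyscript path
    printf '%s\n' "$1" | awk -v ks="$2" '{
        if ($4 == "") $4 = "keyscript=" ks; else if (index($4, "keyscript=") == 0) $4 = $4 ",keyscript=" ks
        print $1, $2, $3, $4 }'
}

# Pure text helper: drop any keyscript= option from field 4, keeping the rest.
strip_keyscript_option() {      # $1 = crypttab line
    printf '%s\n' "$1" | awk '{
        n = split($4, o, ","); out = ""
        for (i = 1; i <= n; i++) if (o[i] !~ /^keyscript=/) out = out (out == "" ? "" : ",") o[i]
        if (out == "") print $1, $2, $3; else print $1, $2, $3, out }'
}

# Rewrite only the line for our mapping in /etc/crypttab, via a temp file.
rewrite_crypttab() {            # $1 = add | strip
    tmp=$(mktemp "$CRYPTTAB.XXXXXX")
    while IFS= read -r line; do
        case "$line" in
            "$MAPPING"[[:space:]]*)
                if [ "$1" = add ]; then add_keyscript_option "$line" "$KEYSCRIPT"
                else strip_keyscript_option "$line"; fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$CRYPTTAB" > "$tmp"
    chmod --reference="$CRYPTTAB" "$tmp" && mv "$tmp" "$CRYPTTAB"
}

# Number of populated key slots; matches both LUKS1 and LUKS2 luksDump output.
enabled_slots() {
    cryptsetup luksDump "$DEV" | grep -c -E '^Key Slot [0-9]+: ENABLED|^  [0-9]+: luks2'
}

enable_temp_key() {
    umask 077
    # Strength is irrelevant: a cleartext copy lands in the initramfs on unencrypted /boot.
    key=$(head -c 24 /dev/urandom | base64 | tr -d '/+=\n')
    keyfile=$(mktemp)
    printf '%s' "$key" > "$keyfile"                 # no trailing newline
    cryptsetup luksAddKey "$DEV" "$keyfile"         # prompts for an existing passphrase
    rm -f "$keyfile"
    printf '#!/bin/sh\necho -n %s\n' "$key" > "$KEYSCRIPT"
    chmod 700 "$KEYSCRIPT"
    rewrite_crypttab add
    update-initramfs -u
    # Check: the script (and so the key) is now inside the current initramfs.
    lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -q "${KEYSCRIPT##*/}" \
        && echo "keyscript embedded in initramfs; key slots now: $(enabled_slots)"
}

disable_temp_key() {
    umask 077
    rewrite_crypttab strip
    update-initramfs -u
    # luksRemoveKey removes the slot matching the passphrase it is given, so hand it
    # the temporary key emitted by the keyscript rather than typing anything.
    keyfile=$(mktemp)
    "$KEYSCRIPT" > "$keyfile"
    cryptsetup luksRemoveKey "$DEV" "$keyfile"
    rm -f "$keyfile" "$KEYSCRIPT"
    echo "key slots now: $(enabled_slots)"
}

case "${1:-}" in
    enable)  enable_temp_key ;;
    disable) disable_temp_key ;;
esac
```

Run it as root with "enable" before leaving and "disable" when back; the slot count printed after "disable" should be one lower than after "enable". The crypttab rewrite deliberately touches only the line that starts with the mapping name, and the initramfs is rebuilt before the LUKS slot is removed so that no initramfs is ever left pointing at a key that no longer unlocks the volume.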