Problems with cryptsetup keyfile encrypted root partition under Debian 9, i386

tyuxar · October 10, 2018, 11:19am

Hello, i'm trying to set up a machine with an encrypted filesystem. It's a Debian 9/i386.

The partition table on /dev/sda

1.    1 MiB BIOS BOOT  (04) N/A  N/A
2.  256 MiB Linux      (83) ext4 /boot
3. 2304 MiB Linux      (83) ext4 /
4.    1 MiB MINIX      (81) N/A  N/A
5.  510 MiB Linux swap (82) swap swap

When i finished the partitioning, i run these:

dd if=/dev/urandom of=/dev/sda4 bs=1 count=512
echo 'YES' | cryptsetup -v -c aes-xts-plain64 -s 512 -h sha256 -i 2000 --keyfile-size=512 luksFormat /dev/sda3 /dev/sda4
cryptsetup -c aes-xts-plain64 -d /dev/sda4 -s 512 -i 2000 --keyfile-size=512 open --type=plain /dev/sda3 eldcr
mkfs.ext4 -F /dev/sda2
e2label /dev/sda2 BootLabel
mkfs.ext4 -F /dev/mapper/eldcr
e2label /dev/mapper/eldcr RootLabel
mkdir -p /mnt/disk
mount /dev/mapper/eldcr /mnt/disk
mkswap /dev/sda5

/etc/fstab looks like this:

/dev/disk/by-partuuid/<partuuid of /dev/sda2> /boot ext4 errors=remount-ro 0 1
/dev/mapper/eldcr / ext4 errors=remount-ro 0 1
/dev/disk/by-partuuid/<partuuid of /dev/sda5> none swap sw 0 0

/etc/crypttab:

eldcr /dev/disk/by-partuuid/<partuuid of /dev/sda3> /dev/disk/by-partuuid/<partuuid of /dev/sda4> luks,cipher=aes-xts-plain64,size=512,hash=sha256,keyfile-size=512,time=2000,keyscript=getlukskey.sh

/etc/initramfs-tools/conf.d/cryptroot:

CRYPTROOT=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>

I modified some lines in /etc/default/grub:

GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"
GRUB_CMDLINE_LINUX=""
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/disk/by-partuuid/<partuuid of /dev/sda3>:eldcr root=/dev/mapper/eldcr cryptopts=target=eldcr,source=/dev/disk/by-partuuid/<partuuid of /dev/sda3>,keyscript=getlukskey.sh crypto=sha256:aes-xts-plain64:512:0:0

The scripts:

/lib/cryptsetup/scripts/getlukskey.sh:

#!/bin/sh
dd if=/dev/disk/by-partuuid/<partuuid of /dev/sda4> bs=1 count=512 2>/dev/null

/usr/share/initramfs-tools/hooks/glkcopy:

#!/bin/sh -e
PREREQS=""
case $1 in
        prereqs) echo "${PREREQS}"; exit 0;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /lib/cryptsetup/scripts/getlukskey.sh /bin
copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
copy_exec /lib/cryptsetup/askpass

And i added the following modules to /etc/initramfs-tools/modules: chainiv, cryptomgr, krng, cbc, ecb, ctr, aes, sha256, xts, dm-mod, dm-crypt

Then i install grub and make the initramfs:

grub-install --target=i386-pc --skip-fs-probe --efi-directory=/ --boot-directory=/boot --root-directory=/ /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
update-initramfs -c -k all

and in the end "update-initramfs -u -k". (The creation does not include my script, so i have to update it again...)

Result is "cryptsetup (eldcr): unknown fstype, bad password or options?" when i try to boot.

What is the problem?

I also tried to remove the "keyscript" from the boot options and the crypttab and put "cryptkey=/dev/disk/by-partuuid/<partuuid of /dev/sda4>:0:512" into the boot options. Then when i run the initramfs update it says: "WARNING: root target eldcr uses a key file, skipped." And after boot it asks for a password...

Any idea?

Corona688 · October 10, 2018, 11:22am

What, exactly, are you trying to accomplish? What ought to be happening here?

This is normal... No?

tyuxar · October 10, 2018, 11:51am

I am trying to create a Debian 9 system with the root partition encrypted with a keyfile which is stored on a different (and unformatted) partition. And the aim is to get the keyfile at boot automatically, so the machine asking for the password at boot is not the desired effect.

Peasant · October 11, 2018, 1:19am

So you want to encrypt your disk, with key on that same disk without password ?
You have accomplished nothing security wise, beats the propose of the entire encryption task.

Anyone can just power on your system and access the data.

If you mentioned external disk such as usb or similar, used to store key, perhaps the request would be more sane.
For that scenario check out luksAddKey options and examples online.

Hope the helps
Regards
Peasant.

tyuxar · October 11, 2018, 6:16am

The final goal is to put the key on USB, but right now i don't have any. This approach is solely exists for test and learning reasons. And since the USB key appears in the system as just another block device, like any partition, i'm trying to assemble the whole thing like this and then put the keyfile on USB.

I've searched through the net and i stucked. This is why i asked for help.

------ Post updated at 10:16 AM ------

I've checked out luksAddKey. It's not what i want to achieve. It's for adding an additional keyfile, but i don't want to add an additional keyfile, i want to use that one on /dev/sda4.

Corona688 · October 11, 2018, 1:32pm

It's not hard to convert a key on partition into a key on file.

dd if=/dev/sda4 of=/tmp/keyfile bs=sizeofkeyinbytes count=1

What instructions were you attempting to follow, exactly?

tyuxar · October 13, 2018, 2:14pm

I do not want to convert it to a keyfile. My aim is to use the raw partition to read the keyfile.

I've written ALL the instructions i did in my opening post.

Corona688 · October 15, 2018, 11:45am

Rejection of valid solution without even testing it noted.

Whose instructions were you following? I really doubt you're doing all this from scratch.