Re: Decrypt Ubuntu Root with Key-file on USB

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Michael Butash via PLUG-discuss
Date:  
To: Main PLUG discussion list
CC: Michael Butash
Subject: Re: Decrypt Ubuntu Root with Key-file on USB
I saw this pop up on news.ycombinator.com last week, using a yubikey to
unlock your drives I found interesting and intend to try with a new
hardware device. I use luks extensively today, but have not done so with
full systemd integration, so this is a cool evolutionary mechanism I've
been waiting for to include hardware crypto keys. Not quite a plain-jane
usb disk, but but a yubikey can be had cheap for what we do.

http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

I've been using my yubikey with keepassxc past year or so, and would like
to do so with my hard drive encryption as well, so I would say start here.
Should be fairly agnostic between ubuntu and arch. I use arch, so will see
if/when I get around to rebuilding my existing system or a new box.

-mb


On Fri, Feb 5, 2021 at 8:18 AM Sebastian via PLUG-discuss <
> wrote:

> Is anyone familiar with how to boot Ubuntu, and make grub use the key-file
> on the USB that is plugged into it?
> I'm trying to not need to type in the password on the device when it
> boots, but still have an encrypted root partition.
> If not, how do people keep drives encrypted in production environments
> when using Ubuntu? (Could answer this as well, "if so", since this is just
> my guess for what production environments use)
>
> (because this is what online searches bring)
> I do *not *mean:
> Boot from an encrypted USB.
> Decrypt and mount an encrypted volume at boot *AFTER* typing in the
> decryption password for root once already.
> Encrypt boot partition as well as root.
>
> Everything I found online was one of the above three things, or is Arch
> and doesn't apply to Ubuntu.
>
> I thought "eh, just do it the same way as Arch in boot parameters, as they
> both use grub, right?", but that didn't work...
> (cryptkey=devID:filesystem:fileLocation cryptdevice=devID:decrypt_root
> root=/dev/mapper/decrypt_root => update-grub)
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss