Automounting LUKS encrypted root partition

temmokan
Posts: 14
Joined: 2010/05/27 07:09:39
Location: Novosibirsk, Russia

Automounting LUKS encrypted root partition

Post by temmokan » 2020/01/17 08:29:04

Hello,

I am trying to use a password file to automount a LUKS encrypted root partition. When the default partitioning is used, CentOS 8 created an LV on /dev/sda2, so I create a password file:

```shell
dd if=/dev/urandom of=/boot/.file bs=1024 count=4
chmod 400 /boot/.file
```

and add it to a new LUKS slot:

```shell
cryptsetup luksAddKey /dev/sda2 /boot/.file
```

However, the line in /etc/crypttab, which looks like

```text
luks-XXXXXX UUID=UUUU /boot/.file discard
```

still forces me to enter the password on the console, regardless of the password file's permissions, as if 'none' had been specified.

Can a password file in /boot be used to automount the root partition in this manner?

Note: the mentioned UUID=UUUU line corresponds to /dev/sda2; "cryptsetup luksDump" prints the same data for both.

Thanks.

hunter86_bg
Posts: 2018
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Automounting LUKS encrypted root partition

Post by hunter86_bg » 2020/01/17 09:34:57

Did you run 'dracut -f' ?

uma1988
Posts: 3
Joined: 2020/10/09 10:32:30

Re: Automounting LUKS encrypted root partition

Post by uma1988 » 2020/10/09 10:33:52

I am facing the same issue. Even after running dracut -f and regenerating the image, it still asks for the passphrase.

IICODECll
Posts: 2
Joined: 2020/10/13 00:28:36

Re: Automounting LUKS encrypted root partition

Post by IICODECll » 2020/10/13 01:14:39

I'm using full-disk encryption on CentOS Linux 8. During provisioning, I'll create a flat file to automatically unlock a LUKS encrypted volume during boot. This allows me to build a system before the BIOS has been completely configured (e.g. enabling SecureBoot), and then bind to the TPM module registers afterwards.

Let's start by creating a random file. In my case I placed it under /etc. I'll need to add a reference to it in dracut.d. Everything is encrypted except for /boot. I suppose I could have placed the file under /boot to avoid rebuilding initramfs with an additional reference. Lessons for another time. Let's assume the filename is .zSk276a.

```shell
dd bs=512 count=4 if=/dev/random of=/etc/.zSk276a iflag=fullblock
chmod 600 /etc/.zSk276a
# Restore SELinux context with restorecon, if it's available:
restorecon -RvF /etc/.zSk276a
```

Let's add the key to the LUKS metadata for each encrypted volume. In my case it was a single LVM, but standard partitions will work too.

```shell
PRIMARY_DISK=nvme0n1  # replace with the desired disk, and sniff out the encrypted partitions...
for devnode in /dev/"${PRIMARY_DISK}"*; do
    if cryptsetup isLuks "${devnode}"; then
        # the existing passphrase ("secret") is read from stdin; the key file goes into a free slot
        echo "secret" | cryptsetup luksAddKey "${devnode}" /etc/.zSk276a
    fi
done
```

The passphrase prompt still appeared during boot, but it'll unlock the volume successfully. We can impede the passphrase prompt by adding a drop-in unit. More of a nuisance than anything else.

```shell
mkdir -p /usr/lib/systemd/system/systemd-ask-password-plymouth.service.d
restorecon -RvF /usr/lib/systemd/system/systemd-ask-password-plymouth.service.d
cat << __EOF > /usr/lib/systemd/system/systemd-ask-password-plymouth.service.d/override.conf
[Service]
ExecStartPre=/bin/sleep 45
__EOF
restorecon -RvF /usr/lib/systemd/system/systemd-ask-password-plymouth.service.d/override.conf
```

Next, we need to tell dracut to include the file the next time initramfs is regenerated:

```shell
cat << __EOF > /etc/dracut.conf.d/systemd-ask-password-plymouth.conf
# Make sure override is available in the initramfs
install_items+=" /usr/lib/systemd/system/systemd-ask-password-plymouth.service.d/override.conf "
__EOF
restorecon -RvF /etc/dracut.conf.d/systemd-ask-password-plymouth.conf
```

Now, we need to tell dracut to include the /etc/.zSk276a file.

```shell
cat << __EOF > /etc/dracut.conf.d/zSk276a.conf
# Make sure the key file is available in the initramfs
install_items+=" /etc/.zSk276a "
__EOF

restorecon -RvF /etc/dracut.conf.d/zSk276a.conf
# Point crypttab at the key file (replaces the "none" key field on every line)
sed -i.bak 's/none/\/etc\/\.zSk276a/g' /etc/crypttab
restorecon -RvF /etc/crypttab
```

The crypttab should look similar to this:

```text
luks-38706dbc-0123-4c62-9031-5d1d699178ab UUID=38706dbc-0123-4c62-9031-5d1d699178ab /etc/.zSk276a discard
```

Let's rebuild the initramfs for all kernels:

```shell
dracut -f -v --regenerate-all
```

Verify that the files we added are included, using the lsinitrd command.

```text
# lsinitrd | grep systemd-ask-password-plymouth | grep override.conf
-rw-r--r--   1 root     root           37 Jan  3 13:12 usr/lib/systemd/system/systemd-ask-password-plymouth.service.d/override.conf
```

Reboot, and see if that works.
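As an added example that is not part of the thread: a small POSIX shell audit that checks what both the /boot and /etc variants above rely on (the crypttab key file exists, is root-owned with mode 0400/0600, and is actually packed into the initramfs) and goes one step further by checking that the initramfs image in /boot is itself private, since the key inside it is readable by anyone who can read the image. The function names, the `--live` switch and the live image path `/boot/initramfs-$(uname -r).img` are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Audits keyfile-based unlock:
# for every crypttab entry that names a keyfile, the file must exist, be
# root-owned with mode 0400/0600, and appear in a saved `lsinitrd` listing;
# the initramfs image itself must be private too, or the key is exposed.

# Print the keyfile column of every crypttab entry that is not "none".
crypttab_keyfiles() {
    awk '$1 !~ /^#/ && NF >= 3 && $3 != "none" { print $3 }' "$1"
}

# 0 if FILE is a regular file owned by OWNER (default root) with mode 0400 or 0600.
private_file_ok() {
    file=$1; owner=${2:-root}
    [ -f "$file" ] || return 1
    [ "$(stat -c '%U' "$file")" = "$owner" ] || return 1
    case "$(stat -c '%a' "$file")" in 400|600) return 0 ;; *) return 1 ;; esac
}

# 0 if the saved lsinitrd listing LISTING contains PATH (paths in the image have no leading /).
initrd_has_file() {
    awk -v want="${2#/}" '$NF == want { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Run every check; returns non-zero if any fails. OWNER is only overridden for testing.
audit_crypttab() {
    crypttab=$1; listing=$2; image=$3; owner=${4:-root}; rc=0
    for key in $(crypttab_keyfiles "$crypttab"); do
        private_file_ok "$key" "$owner" || { echo "BAD: $key must be ${owner}-owned, mode 0400/0600"; rc=1; }
        initrd_has_file "$listing" "$key" || { echo "BAD: $key missing from initramfs (dracut -i or install_items+=)"; rc=1; }
    done
    private_file_ok "$image" "$owner" || { echo "BAD: $image is readable by others, so the key is exposed"; rc=1; }
    return "$rc"
}

# Live use on the host (as root, assumed layout): sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    img=/boot/initramfs-$(uname -r).img
    lst=$(mktemp)
    lsinitrd "$img" > "$lst"
    audit_crypttab /etc/crypttab "$lst" "$img"
fi
```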

uma1988
Posts: 3
Joined: 2020/10/09 10:32:30

Re: Automounting LUKS encrypted root partition

Post by uma1988 » 2020/10/13 09:00:46

Thanks, it worked.

I ran the following command

```shell
dracut -f -i /boot/.file /boot/.file
```

to make it work.
