EncryptedFSRemovableKeyDeviceHowto

Differences between revisions 1 and 2
Revision 1 as of 2009-04-23 23:41:43 (size 2479, editor host176-160-dynamic)
Revision 2 as of 2009-04-24 13:55:44 (size 4287, editor ppp-172-127)

Encrypted LUKS FS with Removable Drive as Key Howto

Using this tutorial you can set up a LUKS encrypted partition to unlock at boot using a key stored on a removable device. Alternatively if the device is not present, you will be asked for a passphrase.

THE KEY WILL NOT BE STORED AS A FILE, BUT ITS BYTES WILL BE RAW-COPIED ONTO THE REMOVABLE DEVICE.

This tutorial assumes that you already have an encrypted partition and a removable device to store the key on.

Let's call /dev/sdX the encrypted drive/partition and /dev/sdY the removable device.

Formatting your removable device

Format your device as you want, but make sure to create an unformatted partition where we're going to physically write the key. Make sure to create a partition and not just leave the space unallocated.

For example you may want to create 2 partitions: one FAT32 partition for storing files as usual and one (unformatted) for the key.

You may use parted (command line interface) or gparted (graphical UI); to install one of them, just type:

$ sudo apt-get install parted

or

$ sudo apt-get install gparted

Here's an example with parted:

$ sudo parted /dev/sdY
GNU Parted 1.8.9
Viene usato /dev/sdY
Benvenuti in GNU Parted. Digitare "help" per l'elenco dei comandi.
(parted) mklabel
Avviso: L'etichetta del disco su /dev/sdY verrà eliminata e tutti i dati su
questo disco saranno persi. Continuare?
Sì/Yes/No? Y
Tipo dell'etichetta del nuovo disco?  [msdos]? msdos
(parted) mkpartfs primary fat32 0 -8m
(parted) print
Modello: Generic USB Disk (scsi)
Disco /dev/sdY: 1032MB
Dimensione del settore (logica/fisica): 512B/512B
Tabella delle partizioni: msdos

Numero  Inizio  Fine    Dimensione  Tipo     File system  Flag
 1      512B    1024MB  1024MB      primary  fat32        lba

(parted) mkpart primary 1024m -1s
(parted) print
Modello: Generic USB Disk (scsi)
Disco /dev/sdY: 1032MB
Dimensione del settore (logica/fisica): 512B/512B
Tabella delle partizioni: msdos

Numero  Inizio  Fine    Dimensione  Tipo     File system  Flag
 1      512B    1024MB  1024MB      primary  fat32        lba
 2      1024MB  1032MB  7999kB      primary

(parted) quit
Informazioni: Potrebbe essere necessario aggiornare /etc/fstab.

Let's call /dev/sdY2 the unformatted partition.

Creating the key

Now we need to create a new key and add it to the encrypted drive. You can use the following command to generate a 256-byte key (if the command blocks, just move your mouse or press some keys to generate the needed entropy):

$ dd if=/dev/random of=keyfile.key bs=1 count=256

Now add that key to the LUKS device (the encrypted one, not the removable one):

$ sudo cryptsetup luksAddKey /dev/sdX keyfile.key

You'll be asked for an existing passphrase or key of that drive before the new key slot is added.

Writing the key to the removable device

Now we're going to write the generated key directly to the unformatted partition of the removable device. The key will NOT be written as a file: its raw bytes are copied to the start of the partition, so it will not be visible when the device is mounted on a system. The unformatted partition gives us a fixed location to access the key and prevents other systems from messing with your device.

Now just do:

$ sudo dd if=keyfile.key of=/dev/sdY2 bs=1 count=256

At this point you can safely remove the keyfile:

$ shred -u keyfile.key
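The three steps above (generate the key, enroll it in the LUKS header, copy its raw bytes to the partition and shred the file) as one script with a read-back check. This is an added example, not the wiki page's own script: the verification helpers, the regular file used as a stand-in for /dev/sdY2 in demo(), and the use of /dev/urandom instead of the page's /dev/random (so the demo never blocks) are assumptions; enroll_key() needs root and a real LUKS device, so demo() does not call it.

```shell
#!/bin/sh
# Added example: key lifecycle helpers for the howto above (not the page's code).
# Assumptions: KEY_BYTES matches the page's 256-byte key; /dev/urandom is used so
# the demo does not block; demo() uses a regular file in place of /dev/sdY2.

KEY_BYTES=256

# Generate KEY_BYTES random bytes and keep the file readable by the owner only.
gen_key() {                          # $1 = keyfile path
  dd if=/dev/urandom of="$1" bs=1 count="$KEY_BYTES" 2>/dev/null && chmod 600 "$1"
}

# Add the keyfile as an extra LUKS key slot (prompts for an existing passphrase).
# Needs root and a real LUKS device; not run by demo().
enroll_key() {                       # $1 = LUKS device (/dev/sdX), $2 = keyfile
  sudo cryptsetup luksAddKey "$1" "$2"
}

# Copy the key's raw bytes to the start of the target. conv=notrunc is a no-op
# on a block device but keeps a regular-file stand-in from being truncated.
write_raw_key() {                    # $1 = keyfile, $2 = partition (/dev/sdY2)
  dd if="$1" of="$2" bs=1 count="$KEY_BYTES" conv=notrunc 2>/dev/null
}

# Read the first KEY_BYTES bytes back from the target into a file.
read_raw_key() {                     # $1 = partition, $2 = output file
  dd if="$1" of="$2" bs=1 count="$KEY_BYTES" 2>/dev/null
}

# Succeed only if the bytes on the partition match the keyfile exactly.
verify_raw_key() {                   # $1 = keyfile, $2 = partition
  tmp=$(mktemp) || return 1
  read_raw_key "$2" "$tmp"
  cmp -s "$1" "$tmp"
  rc=$?
  shred -u "$tmp" 2>/dev/null || rm -f "$tmp"   # the read-back copy is a key copy too
  return "$rc"
}

# Overwrite the keyfile in place, then unlink it.
wipe_keyfile() {                     # $1 = keyfile
  shred -u "$1"
}

# Offline demo on a constructed 64 KiB file standing in for /dev/sdY2.
demo() {
  dev=$(mktemp) && dd if=/dev/zero of="$dev" bs=1024 count=64 2>/dev/null
  key=$(mktemp)
  gen_key "$key"
  write_raw_key "$key" "$dev"
  if verify_raw_key "$key" "$dev"; then
    echo "key written and verified on $dev (stand-in still $(wc -c < "$dev") bytes)"
  else
    echo "key verification FAILED" >&2
  fi
  wipe_keyfile "$key"
  rm -f "$dev"
}

demo
```

On a real device, run gen_key, enroll_key and write_raw_key in that order and check verify_raw_key before shredding the keyfile; once the file is gone, the bytes on the partition are the only copy of that key slot, and the passphrase already enrolled in the LUKS header remains the fallback.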

Getting the id of the newly created partition

Run:

$ ls -l /dev/disk/by-id/ | grep sdY2
lrwxrwxrwx 1 root root 10 2009-04-24 15:45 usb-Generic_USB_Disk_000000000000DF-0:0-part2 -> ../../sdc2

Here the important thing is the stable name: usb-Generic_USB_Disk_000000000000DF-0:0-part2 (you will get a different string for your device).
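How that stable by-id name is used in practice, as an added example that is not part of the original page: the script resolves the name to the device node behind the symlink and applies the rule stated at the top of the howto (use the key device when it is present, otherwise fall back to a passphrase). The optional directory argument and the constructed by-id fixture in demo() are assumptions added so the logic can be exercised without real disks; the by-id name is the page's example value.

```shell
#!/bin/sh
# Added example (not the wiki page's code): resolve a /dev/disk/by-id name and
# decide between the key device and a passphrase. The second argument of each
# function and the fixture in demo() are assumptions for offline use.

BYID_DIR=/dev/disk/by-id

# Print the canonical device node behind a by-id name; fail if the link is
# missing or dangling (device not plugged in).
resolve_key_device() {               # $1 = by-id name, $2 = by-id dir (optional)
  link="${2:-$BYID_DIR}/$1"
  [ -L "$link" ] || return 1
  target=$(readlink -f "$link") || return 1
  [ -b "$target" ] || [ -f "$target" ] || return 1   # block device, or a file in the demo
  printf '%s\n' "$target"
}

# Print "keydevice <node>" when the key partition is reachable, else "passphrase".
choose_unlock_source() {             # $1 = by-id name, $2 = by-id dir (optional)
  if dev=$(resolve_key_device "$1" "$2"); then
    printf 'keydevice %s\n' "$dev"
  else
    printf 'passphrase\n'
  fi
}

# Offline demo: a constructed by-id directory with one symlink using the page's
# example name; an empty regular file stands in for /dev/sdc2.
demo() {
  root=$(mktemp -d)
  mkdir "$root/by-id"
  : > "$root/sdc2"
  ln -s ../sdc2 "$root/by-id/usb-Generic_USB_Disk_000000000000DF-0:0-part2"
  choose_unlock_source usb-Generic_USB_Disk_000000000000DF-0:0-part2 "$root/by-id"
  choose_unlock_source usb-Some_Other_Disk_0000-0:0-part2 "$root/by-id"
  rm -rf "$root"
}

demo
```

The by-id name is what you want to record rather than /dev/sdY2: the letter can change between boots or when another USB device is plugged in, while the by-id symlink follows the device itself, and a missing symlink is exactly the "device not present" case in which the passphrase prompt should appear.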

TO BE CONTINUED

EncryptedFSRemovableKeyDeviceHowto (last edited 2009-04-27 21:34:36 by ppp-172-127)