Is it possible to encrypt a hard disk with a key file instead of a password?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
13
down vote

favorite
4












Looking into hard disk encryption. the go to solution seems to be dm-crypt with LUKS using a password. I work with multiple independent hard disks mounted into a disk pool for reading. In this case, I have to type a password multiple times.



Is there a way for me to encrypt the hard disks with a key file, maybe put it on a USB drive and just plug it in when necessary??






encryption luks disk-encryption







share|improve this question

























    up vote
    13
    down vote

    favorite
    4












    Looking into hard disk encryption. the go to solution seems to be dm-crypt with LUKS using a password. I work with multiple independent hard disks mounted into a disk pool for reading. In this case, I have to type a password multiple times.



    Is there a way for me to encrypt the hard disks with a key file, maybe put it on a USB drive and just plug it in when necessary??






    encryption luks disk-encryption







    share|improve this question























      up vote
      13
      down vote

      favorite
      4









      up vote
      13
      down vote

      favorite
      4






      4





      Looking into hard disk encryption. the go to solution seems to be dm-crypt with LUKS using a password. I work with multiple independent hard disks mounted into a disk pool for reading. In this case, I have to type a password multiple times.



      Is there a way for me to encrypt the hard disks with a key file, maybe put it on a USB drive and just plug it in when necessary??






      encryption luks disk-encryption







      share|improve this question













      Looking into hard disk encryption. the go to solution seems to be dm-crypt with LUKS using a password. I work with multiple independent hard disks mounted into a disk pool for reading. In this case, I have to type a password multiple times.



      Is there a way for me to encrypt the hard disks with a key file, maybe put it on a USB drive and just plug it in when necessary??






      encryption luks disk-encryption




      encryption luks disk-encryption






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Sep 25 '16 at 10:08









      Nithin

      3031213




      3031213




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          10
          down vote













          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd






          share|improve this answer
















          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26

















          up vote
          3
          down vote













          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).






          share|improve this answer






















          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32










          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f312197%2fis-it-possible-to-encrypt-a-hard-disk-with-a-key-file-instead-of-a-password%23new-answer', 'question_page');

          );

          Post as a guest

















          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          10
          down vote













          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd






          share|improve this answer
















          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26














          up vote
          10
          down vote













          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd






          share|improve this answer
















          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26












          up vote
          10
          down vote










          up vote
          10
          down vote









          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd






          share|improve this answer












          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Sep 25 '16 at 11:59









          Celada

          30k46181




          30k46181







          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26












          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26







          1




          1




          Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
          – dbanet
          Sep 25 '16 at 17:07




          Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
          – dbanet
          Sep 25 '16 at 17:07












          @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
          – Celada
          Sep 25 '16 at 20:41




          @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
          – Celada
          Sep 25 '16 at 20:41












          dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
          – Nithin
          Sep 26 '16 at 5:26




          dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
          – Nithin
          Sep 26 '16 at 5:26












          up vote
          3
          down vote













          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).






          share|improve this answer






















          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32














          up vote
          3
          down vote













          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).






          share|improve this answer






















          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32












          up vote
          3
          down vote










          up vote
          3
          down vote









          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).






          share|improve this answer














          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 mins ago

























          answered Sep 25 '16 at 20:46









          marcelm

          1,050310




          1,050310











          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32
















          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32















          can you also mention how to configure LUKS to use the keyfile instead of the password?
          – Nithin
          Sep 26 '16 at 5:31




          can you also mention how to configure LUKS to use the keyfile instead of the password?
          – Nithin
          Sep 26 '16 at 5:31












          @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
          – marcelm
          Sep 26 '16 at 9:32




          @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
          – marcelm
          Sep 26 '16 at 9:32

















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f312197%2fis-it-possible-to-encrypt-a-hard-disk-with-a-key-file-instead-of-a-password%23new-answer', 'question_page');

          );

          Post as a guest
































































          -

          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
          Read more

          Bahrain

          Image
          For other uses, see Bahrain (disambiguation). Sovereign island state in the Persian Gulf Kingdom of Bahrain مملكة البحرين   (Arabic) Mamlakat al-Baḥrayn Flag Coat of arms Anthem:  نشيد البحرين الوطني Bahrainona Our Bahrain Location of   Bahrain    (circled in red) Capital and largest city Manama 26°13′N 50°35′E  /  26.217°N 50.583°E  / 26.217; 50.583 Official languages Arabic Ethnic groups (2010 [1] ) 50.7% Arab (46% Bahrani, 4.7% other Arabs) 45.5% Asian 1% European 1.2% Others Religion Islam Demonym(s) Bahraini Government Unitary constitutional monarchy • King Hamad bin Isa Al Khalifa • Crown Prince Salman bin Hamad bin Isa Al Khalifa • Prime Minister Khalifa bin Salman Al Khalifa Legislature National Assembly • Upper house Consultative Council • Lower house Council of Representatives Independence • Declared Independence [2] 14 August 1971 • from United Kingdom [1] 15 August 1971 • Admitted to the United Nations 21 September 1971 • Kingdom of Bahrain 14 February 2002
          Read more

          Postfix configuration issue with fips on centos 7; mailgun relay

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I am trying to setup postfix to relay all mail generated on the local machine via SMTP to a mailgun relay. I have used the mailgun relay before with success on an ubuntu server, but I am migrating to a Centos 7 server which I will be running in FIPS mode. There error log is below, slightly sanitized. I have a small enough network that I choose to have each machine reach out to mailgun individually (this the loopback-only, 127.0.0.0/8 restrictions) and no firewall open port allowing smtp in to the machine. I assume the FIPS mode (and with it disabling of MD5) is causing problems, but I don't know how to overcome it or if it is even possible for tls_fprint to use some supported hash such as sha256 or sha512. However, the relay=none is slightly concerning since I have relayhost set, but perhaps that is because the smtp process is failing? Any help would be appreciated! postconf -n: alias_database = hash:/etc/alia
          Read more