Is it possible to encrypt a hard disk with a key file instead of a password?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
13
down vote

favorite
4












Looking into hard disk encryption. the go to solution seems to be dm-crypt with LUKS using a password. I work with multiple independent hard disks mounted into a disk pool for reading. In this case, I have to type a password multiple times.



Is there a way for me to encrypt the hard disks with a key file, maybe put it on a USB drive and just plug it in when necessary??






encryption luks disk-encryption







share|improve this question

























    up vote
    13
    down vote

    favorite
    4












    Looking into hard disk encryption. the go to solution seems to be dm-crypt with LUKS using a password. I work with multiple independent hard disks mounted into a disk pool for reading. In this case, I have to type a password multiple times.



    Is there a way for me to encrypt the hard disks with a key file, maybe put it on a USB drive and just plug it in when necessary??






    encryption luks disk-encryption







    share|improve this question























      up vote
      13
      down vote

      favorite
      4









      up vote
      13
      down vote

      favorite
      4






      4





      Looking into hard disk encryption. the go to solution seems to be dm-crypt with LUKS using a password. I work with multiple independent hard disks mounted into a disk pool for reading. In this case, I have to type a password multiple times.



      Is there a way for me to encrypt the hard disks with a key file, maybe put it on a USB drive and just plug it in when necessary??






      encryption luks disk-encryption







      share|improve this question













      Looking into hard disk encryption. the go to solution seems to be dm-crypt with LUKS using a password. I work with multiple independent hard disks mounted into a disk pool for reading. In this case, I have to type a password multiple times.



      Is there a way for me to encrypt the hard disks with a key file, maybe put it on a USB drive and just plug it in when necessary??






      encryption luks disk-encryption




      encryption luks disk-encryption






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Sep 25 '16 at 10:08









      Nithin

      3031213




      3031213




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          10
          down vote













          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd






          share|improve this answer
















          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26

















          up vote
          3
          down vote













          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).






          share|improve this answer






















          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32










          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f312197%2fis-it-possible-to-encrypt-a-hard-disk-with-a-key-file-instead-of-a-password%23new-answer', 'question_page');

          );

          Post as a guest

















          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          10
          down vote













          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd






          share|improve this answer
















          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26














          up vote
          10
          down vote













          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd






          share|improve this answer
















          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26












          up vote
          10
          down vote










          up vote
          10
          down vote









          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd






          share|improve this answer












          One of the best ways to do this is to use a smart card with a crypto key on it to unlock the keys for your encrypted block devices. You will only need to enter the passphrase (called "PIN" by the tools but it's really a passphrase) once, after which it will be cached. This has the added advantage of protecting the encrypted data with something-you-have (the smart card itself, out of which the private key cannot be extracted) and something-you-know (the passphrase).



          Format your /etc/crypttab like this:



          mapper-name /dev/disk/raw-device /var/lib/filename-containing-encrypted-key 
           luks,keyscript=/lib/cryptsetup/scripts/decrypt_opensc


          In Debian and derivatives, the initramfs-tools will notice the keyscript and copy all of the necessary tools and daemons for accessing the smart card to the initramfs automatically.



          Information on setting up the smart card and creating (and encrypting) the keys is found in /usr/share/doc/cryptsetup/README.opensc.gz.



          You can use a Yubikey 4 or Yubikey NEO among others for this purpose.



          Implementation notes: This feature has rough edges and apparently doesn't work out of the box so YMMV. The last time I successfully achieved it, I had to add the following hacks:



          • Disable systemd because it disastrously tries to take over the whole process of setting up encrypted devices from /etc/crypttab but it knows nothing about keyscript which leads to a big FAIL. Luckily, in Debian, you can still opt out of systemd.


          • Install this fixer-upper script as /etc/initramfs-tools/hooks/yubipin because the built-in feature didn't install quite enough support to get the Yubikey to be usable from the initramfs. You may need to adjust this.



            #!/bin/sh

            PREREQ=cryptroot

            prereqs()

             echo "$PREREQ"


            case $1 in
            prereqs)
             prereqs
             exit 0
             ;;
            esac

            # /scripts/local-top/cryptopensc calls pcscd with the wrong path
            ln -s ../usr/sbin/pcscd $DESTDIR/sbin/pcscd
            mkdir -p "$DESTDIR/usr/lib/x86_64-linux-gnu"
            # opensc-tool wants this dynamically, copy_exec doesn't know that
            cp -pL /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 "$DESTDIR/usr/lib/x86_64-linux-gnu/libpcsclite.so.1"
            mkdir -p "$DESTDIR/lib/x86_64-linux-gnu"
            # without this, pcscd aborts with a pthread_cancel error
            cp -pL /lib/x86_64-linux-gnu/libgcc_s.so.1 "$DESTDIR/lib/x86_64-linux-gnu/libgcc_s.so.1"
            # this gets copied as a dangling symlink, fix it
            rm "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            cp -pL /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist "$DESTDIR/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
            # pcscd needs this to open the reader once it has found it
            cp -pL /lib/x86_64-linux-gnu/libusb-1.0.so.0 "$DESTDIR/lib/x86_64-linux-gnu/libusb-1.0.so.0"



          • Install another script as /etc/initramfs-tools/scripts/local-bottom/killpcscd to clean up:



            #!/bin/sh

            set -e

            PREREQ=cryptopensc

            prereqs()

             echo "$PREREQ"


            case $1 in
             prereqs)
             prereqs
             exit 0
             ;;
            esac

            # because cryptopensc does not do it properly
            killall pcscd







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Sep 25 '16 at 11:59









          Celada

          30k46181




          30k46181







          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26












          • 1




            Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
            – dbanet
            Sep 25 '16 at 17:07










          • @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
            – Celada
            Sep 25 '16 at 20:41










          • dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
            – Nithin
            Sep 26 '16 at 5:26







          1




          1




          Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
          – dbanet
          Sep 25 '16 at 17:07




          Very nice incentive to use smart-cards and kudos for achieving that, but I'd say a distribution-specific method which involves changing init system and third-party hack scripts shoved into system directories with unreadable paths cannot be deemed as an answer to how to use passkey files question. Highlights the incredible mess these software are, tho.
          – dbanet
          Sep 25 '16 at 17:07












          @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
          – Celada
          Sep 25 '16 at 20:41




          @dbanet, I fully agree and I hope that someone else will come along and add an answer describing how to do this in some other simpler way. Then the OP can choose their favorite.
          – Celada
          Sep 25 '16 at 20:41












          dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
          – Nithin
          Sep 26 '16 at 5:26




          dbanet and @Celada, exactly my thoughts. This is far too complicated and even if I manage to do this, its proprietary, meaning another vendor would have another method. :(
          – Nithin
          Sep 26 '16 at 5:26












          up vote
          3
          down vote













          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).






          share|improve this answer






















          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32














          up vote
          3
          down vote













          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).






          share|improve this answer






















          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32












          up vote
          3
          down vote










          up vote
          3
          down vote









          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).






          share|improve this answer














          It's possible to simply store the luks password in a file.



          I use this on my home computer; The root file system lives on a regular luks volume which I unlock with my passphrase at boot. An additional drive contains a luks volume with a generated password.



          This additional volume is unlocked by a password file which lives on the encrypted root file system. It is automatically unlocked during boot if the root file system is unlocked.



          My /etc/crypttab looks like this:



          crypt-root UUID=c5a2cf25-0aae-457e-874f-fca7ea3d5742 none luks
          crypt-data UUID=96d79323-246d-49e0-9149-ec3a4cfc1c1e /etc/crypt-data.key luks


          The third field is the keyfile, none for the root filesystem, but /etc/crypt-data.key for the data filesystem. /etc/crypt-data.key contains the luks password:



          Tm90IHJlYWxseSBteSBwYXNzd29yZC4K


          Note, a newline or any other white space will be taken as part of the password! Take care to generate this file without trailing newline. Also, ensure it has strict permissions:



          -rw------- 1 root root 59 Sep 14 23:57 /etc/crypt-data.key


          You should be able to duplicate this approach for multiple volumes (either with distinct passwords or one shared password, your choice).







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 mins ago

























          answered Sep 25 '16 at 20:46









          marcelm

          1,050310




          1,050310











          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32
















          • can you also mention how to configure LUKS to use the keyfile instead of the password?
            – Nithin
            Sep 26 '16 at 5:31










          • @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
            – marcelm
            Sep 26 '16 at 9:32















          can you also mention how to configure LUKS to use the keyfile instead of the password?
          – Nithin
          Sep 26 '16 at 5:31




          can you also mention how to configure LUKS to use the keyfile instead of the password?
          – Nithin
          Sep 26 '16 at 5:31












          @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
          – marcelm
          Sep 26 '16 at 9:32




          @Nithin The keyfile is the third field in my example /etc/crypttab. I added a little extra text to make that clearer.
          – marcelm
          Sep 26 '16 at 9:32

















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f312197%2fis-it-possible-to-encrypt-a-hard-disk-with-a-key-file-instead-of-a-password%23new-answer', 'question_page');

          );

          Post as a guest
































































          -

          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
          Read more

          Displaying single band from multi-band raster using QGIS

          Image
          Clash Royale CLAN TAG #URR8PPP 1 How can I extract a single band from multi-band raster in QGIS? I have an remote sensed image which has 6 bands (including NDVI band), I want to display each band separately, but have no idea how to do. I have seen some questions similar here but none worked for me. The original image (has 6 bands) is: I want to display the band 6 which should be like this: But I tried gdal_translate, and couldn't get the correct result. What I have got is: qgis raster multi-band share | improve this question edited Mar 5 at 0:53 Summer asked Mar 4 at 6:42 Summer Summer 23 6 Is this any help gis.stackexchange.com/questions/220658/… ? if not gis.stackexchange.com/questions/62133/… might help. – Michael Stimson Mar 4 at 6:46 Thanks for answering but when I used gdal_translate, qgis showed that 'Error 4: Kayena.tif: No such file or directory". Would you know how to fix it? –
          Read more

          How many registers does an x86_64 CPU actually have?

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite I am currently learning reverse engineering and am studying the flags register. I had in my mind that rflags was just another name for one of the 16 general purpose registers, for example rax or rbx . But it looks like rflags is actually an additional register. So that makes 17 registers in total... how many more could there be? I have spent at least an hour on this and found numerous different answers. The best answer so far is this, which says that there are 40 registers in total. 16 General Purpose Registers 2 Status Registers 6 Code Segment Registers 16 SSE Registers 8 FPU/MMX Registers But if I add that up, I get 48. Could anybody provide an official answer on how many registers an x86_64 CPU has (e.g. an Intel i7). Additionally, I have seen references to 'hardware' and 'architectural' registers. What are those registers and how many are there? register x86-64 share | improve this
          Read more