mclang
Posts: 23
Joined: Mon Sep 18, 2017 8:50 pm

Changing FDE decrypt key after installation

Sat Sep 23, 2017 1:25 pm

I installed Solus with FDE.

But instead of using password to open my system, I want to use keyfile located on USB stick so that the rest of my family do not need to remember additional passwords. I have been reading Arch wiki (Unlocking the root partition at boot) about how to add additional keys besides password, but I don't know how to check if needed kernel modules are loaded, and how to add needed things into kernel boot parameters.

This has something to do with `/etc/kernel/cmdline`, but could somebody tell me how to proceed so that I won't lock my Solus installation completely?

sunnyflunk
Development Team
Posts: 2750
Joined: Sun Mar 13, 2016 11:35 pm

Re: Changing FDE decrypt key after installation

Sun Sep 24, 2017 10:25 pm

mclang wrote:
Sat Sep 23, 2017 1:25 pm
I installed Solus with FDE.

But instead of using password to open my system, I want to use keyfile located on USB stick so that the rest of my family do not need to remember additional passwords. I have been reading Arch wiki (Unlocking the root partition at boot) about how to add additional keys besides password, but I don't know how to check if needed kernel modules are loaded, and how to add needed things into kernel boot parameters.

This has something to do with `/etc/kernel/cmdline`, but could somebody tell me how to proceed so that I won't lock my Solus installation completely?
Adding kernel parameters has now been documented in the Help Center as part of Boot Management. See https://solus-project.com/articles/trou ... solus-boot

mclang
Posts: 23
Joined: Mon Sep 18, 2017 8:50 pm

Re: Changing FDE decrypt key after installation

Mon Sep 25, 2017 5:53 pm

Thank You, I will check it out.

mclang
Posts: 23
Joined: Mon Sep 18, 2017 8:50 pm

Re: Changing FDE decrypt key after installation

Tue Sep 26, 2017 6:49 am

One thing needs clarification.

On the Boot Management page, kernel parameters are added directly to the file `/etc/kernel/cmdline`. That file does not exist on my system; instead there is a `/etc/kernel/cmdline.d` directory, under which there is one file, `10_resume.conf`.

If I create `/etc/kernel/cmdline` file, does it overwrite things in `/etc/kernel/cmdline.d` or the other way around?

sunnyflunk
Development Team
Posts: 2750
Joined: Sun Mar 13, 2016 11:35 pm

Re: Changing FDE decrypt key after installation

Wed Sep 27, 2017 3:39 am

mclang wrote:
Tue Sep 26, 2017 6:49 am
One thing needs clarification.

On the Boot Management page, kernel parameters are added directly to the file `/etc/kernel/cmdline`. That file does not exist on my system; instead there is a `/etc/kernel/cmdline.d` directory, under which there is one file, `10_resume.conf`.

If I create `/etc/kernel/cmdline` file, does it overwrite things in `/etc/kernel/cmdline.d` or the other way around?
No. What happens is that you can specify parameters via `/etc/kernel/cmdline` (this is the one the user typically edits for their changes), and also via `/etc/kernel/cmdline.d/*.conf`.

The instruction in the docs will create the file. It provides a distinction between user changes and system changes. You could add the data to `/etc/kernel/cmdline.d/99_derpmcderpface.conf` and it would have the same impact.

Perhaps the clarification is to confirm that the file isn't expected to exist until you create it with the command (though most people just paste the command without thinking about it).

mclang
Posts: 23
Joined: Mon Sep 18, 2017 8:50 pm

Re: Changing FDE decrypt key after installation

Wed Sep 27, 2017 2:03 pm

I try to think and read before doing anything potentially stupid.

Thanks for the info. I'll try to use a keyfile on USB to unlock the encryption as soon as I have the time.

mclang
Posts: 23
Joined: Mon Sep 18, 2017 8:50 pm

Re: Changing FDE decrypt key after installation

Fri Dec 22, 2017 8:34 pm

I'm finally trying this again.
I have a FAT-formatted USB drive, on which I created a keyfile:

```shell
# mkdir /run/media/mclang/MY-LUKS-USB/.luks-keys
# dd if=/dev/random of=/run/media/mclang/MY-LUKS-USB/.luks-keys/luks-root-key bs=1 count=256 status=progress
```
Before proceeding I created a backup password key at index 6 in case anything goes wrong.

After making sure the backup password works, I added the keyfile as the first LUKS key for the root partition:

```shell
# cryptsetup luksChangeKey /dev/sda2 /run/media/mclang/MY-LUKS-USB/.luks-keys/luks-root-key -S 0
```
I tested that the keyfile works by adding another password using the keyfile. Then, after getting the UUID of the USB stick with `lsblk -f`, I created a kernel command line config file with the following contents:

```shell
# echo 'rd.luks.key=/.luks-keys/luks-root-key:UUID=9887-9924' | tee /etc/kernel/cmdline.d/01-luks-root-key.conf
```
Finally I updated the boot parameters:

```shell
# clr-boot-manager update
```
And rebooted... but with no luck. I still get the password prompt :(

Any ideas what can be wrong? How do I check that all the needed modules, like FAT, are loaded when booting? What else should I check?

If I can't get this to work, I'll have to install Solus OS again, but this time without FDE, because the other members of the family just can't be bothered to remember the crypt password :cry:
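
As an added example (not code from this thread or from Solus), here is a pre-flight script for the procedure in the post above: it refuses to write the kernel parameter until the keyfile is readable only by its owner, the key device UUID resolves, the keyfile actually opens the LUKS container (without activating it), and the fallback passphrase still works. It assumes a dracut-based initramfs, so it uses the `rd.luks.key=<path-on-keydev>:UUID=<keydev-uuid>` form; the device, mount point and relative path are arguments, and `/etc/kernel/cmdline.d/01-luks-root-key.conf` is the file name from the post.

```shell
#!/bin/sh
# Pre-flight checks before moving a LUKS root to a USB keyfile.
# Added example, not code from this thread or from Solus. Assumptions:
#  - the initramfs is dracut-based, so the parameter form is
#    rd.luks.key=<path-on-keydev>:UUID=<keydev-uuid>
#  - /etc/kernel/cmdline.d/*.conf is picked up by `clr-boot-manager update`
#  - the USB stick is already mounted (its mount point is an argument)
set -eu

# Build the rd.luks.key= parameter from the keyfile path as seen on the
# stick's own filesystem (not the host mount point) and the stick's fs UUID.
key_cmdline() {
    printf 'rd.luks.key=%s:UUID=%s\n' "$1" "$2"
}

# A keyfile must be a non-empty regular file that only its owner can read.
# On a FAT stick the mode comes from the mount's umask, not from the file,
# so a failure here means "fix the mount options", not chmod.
keyfile_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prove the keyfile opens the container without activating the mapping.
key_unlocks() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

main() {
    luksdev=$1; mnt=$2; relpath=$3; keydev_uuid=$4
    keyfile="$mnt$relpath"

    keyfile_ok "$keyfile" || { echo "bad keyfile or permissions: $keyfile" >&2; exit 1; }
    [ -e "/dev/disk/by-uuid/$keydev_uuid" ] \
        || { echo "no device with UUID $keydev_uuid" >&2; exit 1; }
    # The initrd must carry a driver for this filesystem (vfat for a FAT stick).
    echo "key device filesystem: $(lsblk -no FSTYPE "/dev/disk/by-uuid/$keydev_uuid")"
    key_unlocks "$luksdev" "$keyfile" || { echo "keyfile does not open $luksdev" >&2; exit 1; }

    # A lost or dead stick must never be the only way into the disk:
    # confirm the fallback passphrase slot still opens the container.
    echo "now confirm the fallback passphrase still works:"
    cryptsetup open --test-passphrase "$luksdev"

    param=$(key_cmdline "$relpath" "$keydev_uuid")
    printf '%s\n' "$param" > /etc/kernel/cmdline.d/01-luks-root-key.conf
    echo "wrote: $param"
    echo "next: clr-boot-manager update, then check that the generated boot entry contains it"
}

# Usage: luks-usb-preflight.sh /dev/sda2 /run/media/me/MY-LUKS-USB /.luks-keys/luks-root-key 9887-9924
if [ $# -eq 4 ]; then
    main "$@"
fi
```

The pure helpers (`key_cmdline`, `keyfile_ok`) can be exercised without root or a LUKS device; the `cryptsetup` steps need both. If the initrd on the system is generated by systemd's generator rather than dracut, the parameter name and form differ (`luks.key=`), so check which one builds the initramfs before copying the string.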

mclang
Posts: 23
Joined: Mon Sep 18, 2017 8:50 pm

Re: Changing FDE decrypt key after installation

Sun Dec 24, 2017 11:06 pm

A thought came to my mind while reading about dracut and systemd cryptsetup things:
Do I need to run `systemd-cryptsetup-generator` somehow to get the keyfile recognized?

Seems like a long shot, because I haven't seen it mentioned anywhere in FDE things, but I don't know what to try next :(

EDIT: Okay, it seems that `systemd-cryptsetup-generator` is run at boot, so that is not a problem.

mclang
Posts: 23
Joined: Mon Sep 18, 2017 8:50 pm

Re: Changing FDE decrypt key after installation

Thu Jan 04, 2018 1:19 pm

Could somebody help me with this?

Or at least tell me how I could provide more info so that this issue can be solved...

mclang
Posts: 23
Joined: Mon Sep 18, 2017 8:50 pm

Re: Changing FDE decrypt key after installation

Wed Jan 10, 2018 9:28 am

I also tried to get this working by moving the keyfile to `/boot/luks-root-key`.

The UUID of my boot partition is `A3E0-1D9D` as seen here:

```text
# lsblk -f

sda
├─sda1                                        vfat                     A3E0-1D9D                              /boot
└─sda2                                        crypto_LUKS              37c4fd79-1b5d-4782-84cb-d25935dae6e7
  └─luks-37c4fd79-1b5d-4782-84cb-d25935dae6e7 LVM2_member              8RtfI1-Hg6I-gJCg-2k3M-q9ln-AqdA-gsKOOn
    ├─SolusSystem-Swap                        swap                     8908ed3b-d989-44b6-96f5-2cc576319e74   [SWAP]
    └─SolusSystem-Root                        ext4                     1b04ab0a-2e71-45b0-9662-1b65365d89f4   /
```
So I put this in `/etc/kernel/cmdline.d/01-luks-root-key.conf`:

```text
luks.key=/luks-root-key:UUID=A3E0-1D9D
```
Still no luck. I need to enter the encryption password manually :(
