dm-crypt with LUKS – /etc/crypttab using either keyfile or passphrase


Problem :

I have my home partition encrypted using dm-crypt with a LUKS header. I have two slots in its header: the first one is a passphrase and the second is a keyfile. I keep the keyfile on an external drive which I use only as an 'encrypting device'. My /etc/crypttab looks like this:

# <target name> <source device>  <key file>              <options>
home            UUID="..."       /dev/sdb1:/home.key     luks,keyscript=/lib/cryptsetup/scripts/passdev,discard

Now everything works well, but I'd like my computer to ask me to type the passphrase in case it cannot find the device with the keyfile. I've tried adding home to crypttab twice: the first record was configured to use the passphrase and had a timeout in its options, the second one was the one presented above. It doesn't work.

Is there any possibility of configuring the system this way?

Solution :

What you need is a fallback pass on slot 1. Will post a link to the tutorial I use from the Gentoo forums, but in a nutshell: pipe stdin (your keyfile) to a FIFO, which forces a pass request, so you get a keyfile + pass and a fallback pass (in slot 2).

SLOT 1:   keyfile + pass
SLOT 2:   fallback pass (if slot 1 is unreachable/corrupt, or its pass suffers the same fate)
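The fallback the answer describes, written out as a keyscript, is shown below as an added example; it is not code from the original post, from the Gentoo tutorial the answer mentions, or from the Debian cryptsetup package. It keeps the two-slot layout the question already has (one passphrase slot, one keyfile slot) and replaces passdev in the crypttab line with a script that first tries the keyfile on the external device and, if that device never appears, prompts for the passphrase. It relies on the Debian/Ubuntu keyscript convention: the key field of crypttab is passed as the script's first argument, the script writes the key material to stdout, and cryptsetup reads it with --key-file=-, so keyfile bytes open the keyfile slot and the typed passphrase opens the passphrase slot. Assumed names: the script path /lib/cryptsetup/scripts/passdev-or-askpass, the askpass helper at /lib/cryptsetup/askpass, and a default 10 second wait for the key device.

```shell
#!/bin/sh
# passdev-or-askpass: Debian-style keyscript (added example, not part of
# cryptsetup). Install as /lib/cryptsetup/scripts/passdev-or-askpass
# (assumed path), chmod 755, and reference it from /etc/crypttab:
#
#   home  UUID="..."  /dev/sdb1:/home.key  luks,keyscript=/lib/cryptsetup/scripts/passdev-or-askpass,discard
#
# The key field ("device:path[:timeout]", same syntax as passdev) arrives as
# $1. Whatever this script writes to stdout is handed to cryptsetup via
# --key-file=-: keyfile bytes unlock the keyfile slot, a typed passphrase
# unlocks the passphrase slot, so no additional slot or FIFO is required.
set -eu

ASKPASS=/lib/cryptsetup/askpass    # assumption: Debian's askpass helper
DEFAULT_TIMEOUT=10                 # seconds to wait for the key device

# Parse "device:path[:timeout]" and print the three fields on one line
# (device and path must not contain spaces). Returns 1 on a malformed field.
split_keyspec() {
    spec=$1
    dev=${spec%%:*}
    rest=${spec#*:}
    path=${rest%%:*}
    if [ "$rest" = "$spec" ] || [ -z "$dev" ] || [ -z "$path" ]; then
        echo "keyscript: key field must be device:path[:timeout], got '$spec'" >&2
        return 1
    fi
    timeout=${rest#*:}
    [ "$timeout" = "$rest" ] && timeout=$DEFAULT_TIMEOUT
    printf '%s %s %s\n' "$dev" "$path" "$timeout"
}

# Wait up to $2 seconds for block device $1 to appear (a USB stick may still
# be enumerating when the crypttab entry is processed). Returns 1 on timeout.
wait_for_device() {
    dev=$1
    left=$2
    while [ "$left" -gt 0 ]; do
        [ -b "$dev" ] && return 0
        sleep 1
        left=$((left - 1))
    done
    [ -b "$dev" ]
}

# Copy key file $2 (path relative to the filesystem root) from the already
# mounted directory $1 to stdout. Returns 1, printing nothing, if it is absent.
emit_keyfile() {
    f="${1%/}/${2#/}"
    if [ ! -f "$f" ]; then
        echo "keyscript: no key file at $f" >&2
        return 1
    fi
    cat "$f"
}

# Mount $1 read-only on a private directory, emit key file $2, unmount.
# Fails with nothing on stdout if anything goes wrong, so the caller can
# fall back to the passphrase.
read_keyfile() {
    dev=$1
    path=$2
    mnt=$(mktemp -d) || return 1
    rc=1
    if mount -o ro "$dev" "$mnt" 2>/dev/null; then
        if emit_keyfile "$mnt" "$path"; then rc=0; fi
        umount "$mnt" || true
    fi
    rmdir "$mnt"
    return $rc
}

# Ask for the fallback passphrase. askpass writes the typed passphrase to
# stdout without a trailing newline, which is what luksAddKey stored in the
# passphrase slot. CRYPTTAB_NAME is exported by Debian's cryptsetup when it
# runs a keyscript; the default covers running the script by hand.
ask_passphrase() {
    "$ASKPASS" "Key device not found, enter passphrase for ${CRYPTTAB_NAME:-LUKS volume}: "
}

main() {
    fields=$(split_keyspec "$1") || return 1
    set -- $fields                          # $1=device $2=path $3=timeout
    if wait_for_device "$1" "$3" && read_keyfile "$1" "$2"; then
        return 0
    fi
    echo "keyscript: key file on $1 unavailable, falling back to passphrase" >&2
    ask_passphrase
}

# Run only when invoked with a key field, as cryptsetup does; sourcing the
# file (for example to test the helpers) just defines the functions.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Before trusting it at boot, exercise both paths from a running system: with the stick plugged in, run the script with the crypttab key field as its argument and pipe the output into cryptsetup open --test-passphrase --key-file=- on the home device, then unplug the stick and repeat to confirm the prompt appears and the passphrase slot accepts what you type. Keep in mind what the fallback buys an attacker: anyone who can make the key device unavailable gets a passphrase prompt, so the security of the volume is now bounded by the strength of that passphrase, not by the keyfile.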
