How to auto mount LUKS encrypted partition at boot in Fedora 22

asked 2015-07-08 17:40:17 -0600

shatadru

updated 2015-07-08 17:44:04 -0600

Partition format :

|    Hard drive (/dev/sda)       |
| /boot      |  Encrypted Volume |
|/dev/sda1   | /dev/sda2         |
|            |  LVM (root,home)  |

Here is my fstab :

/dev/mapper/fedora21-root /                       ext4    defaults,x-systemd.device-timeout=0 1 1
UUID=<uuid> /boot                   ext4    defaults        1 2

Here is my /etc/crypttab :

luks UUID=<luks uuid> /boot/key_luks luks

I have added the key (/boot/key_luks) to one of the LUKS key slots.

However, while booting it is asking for a password. Is there a guide to properly automount a LUKS partition, when the only encrypted volume is /boot?

JFYI : Added the key using following command :

  # dd if=/dev/urandom of=/boot/key_luks bs=1024 count=4
  # cryptsetup luksAddKey /dev/sda2 /boot/key_luks

Edit: I also rebuilt the initramfs and checked that the changes were reflected in the initramfs. However, it is still asking for a password!


Comments

What's the point? If your encrypted partitions automatically mount, then the encryption isn't providing any security.

randomuser ( 2015-07-08 23:32:02 -0600 )

To auto mount a LUKS encrypted partition, I suppose you need to add the entry (mount device and mount point) in the /etc/crypttab file.

krishnayeddula ( 2015-07-09 03:41:20 -0600 )

Thanks for the reply. @randomuser : True. The next plan is putting it (the key file) on a USB, so that it will work only if the USB is mounted. However, at least it should work as per "man 5 crypttab":

 The third field specifies the encryption password. If the field is not present or the password is set to "none" or "-", the password has to be manually entered during system boot. Otherwise, the field is interpreted as a absolute path to a file containing the encryption password.

@krishnayeddula : I have already edited /etc/crypttab and made sure changes were populated in initramfs

shatadru ( 2015-07-09 07:38:52 -0600 )
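
The third-field rule quoted from "man 5 crypttab" above, combined with randomuser's point about where the key is stored, as an added example that is not part of the original thread. The sample crypttab is constructed with placeholder UUIDs, and the function names and the `unencrypted_mounts` parameter are hypothetical:

```python
import os
import stat

# Constructed sample modelled on the question's entry; UUIDs are placeholders.
SAMPLE_CRYPTTAB = """\
# name  device            key file        options
luks    UUID=<luks-uuid>  /boot/key_luks  luks
swap    /dev/sda3         /dev/urandom    swap
data    UUID=<data-uuid>  none            luks
home    UUID=<home-uuid>
"""

def parse_crypttab(text):
    """Yield (name, device, keyfile, options); keyfile is None when a prompt is used."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or entry missing a mandatory field
        key = fields[2] if len(fields) > 2 else "none"
        opts = fields[3].split(",") if len(fields) > 3 else []
        yield fields[0], fields[1], (None if key in ("none", "-") else key), opts

def audit_entry(keyfile, unencrypted_mounts=("/boot",)):
    """Return findings for one key field. unencrypted_mounts is an assumption
    about the host; "/boot" matches the layout in the question."""
    if keyfile is None:
        return ["passphrase is prompted for at boot"]
    if keyfile.startswith("/dev/"):
        return ["key is read from a device node, not a stored secret"]
    findings = []
    if not keyfile.startswith("/"):
        findings.append("key field is not an absolute path")
    if any(keyfile.startswith(m.rstrip("/") + "/") for m in unencrypted_mounts):
        findings.append("key file sits on an unencrypted filesystem")
    try:
        mode = os.stat(keyfile).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("key file is accessible to group/other (mode %o)" % stat.S_IMODE(mode))
    except OSError:
        findings.append("key file not visible on this filesystem")
    return findings

if __name__ == "__main__":
    for name, device, keyfile, opts in parse_crypttab(SAMPLE_CRYPTTAB):
        print(name, device, keyfile or "(prompt)", "; ".join(audit_entry(keyfile)))
```

To check a real host, pass the contents of /etc/crypttab to `parse_crypttab` and list the mount points that are not on an encrypted device in `unencrypted_mounts`.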

1 Answer


answered 2015-07-10 04:54:50 -0600

shadowhh32

Be careful doing that or changing /etc/fstab. Every time I try with fc21 to do that for encrypted swap I wind up with an unbootable dracut UUID error. The bug has already been filed. No, we don't use encrypted swap by default and we should. I've noticed this also with encrypted swap using a urandom key generated at boot. You still get asked for the mount password, even though you have no clue what it is. This is a BUG, you shouldn't get asked for the password when it's already set. The whole point is to use a randomly generated key in the first place. The less you know and the stronger your mount password is, the safer your data are. I personally think we should all move to HW tokens. Passwords are so 1960.


Stats

Asked: 2015-07-08 17:40:17 -0600

Seen: 3,421 times

Last updated: Jul 10 '15