18.04 cryptsetup luks automount root during boot with USB as key












0
















Iam trying to unlock/automount the root on my ubuntu 18.04 luks
cryptsetup installation with a USB drive during boot.




With the script attached or a similar version it was already working a few weeks ago (cant recall as my drive had a hardware failure, so working off a backup which maybe has some substantial flaw as it was work in progress at time of the backup).



Maybe somebody here can help me to fix it, i have tried so many variations now and got stuck.



There aren't any up to date documentations i can find on the web, hope what i got here is close enough ....



#!/bin/bash

# https://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile # some lines taken from this link, its a bit dated tough.

#REPRODUCE START
# 1. install 18.04 with luks lvm default , set user to autologin
# 2. reboot after finished install, dont plugin any drives or main cryptoroot may end up on another part than sda3
# 3. after the new os is booted plugin the drive with this script so it ends up at sdb1
# 4. plugin the usb to be used as decrypt key so it ends up on sdc
# 5. run "sudo su" to enter root && run this script
#REPRODUCE END


# Ubuntu with Grub2 + LUKS encrypted LVM root + hidden USB keyfile
CRYPT_USB=sdc # change this for entire doc, cant use variables for the entire doc # usb drive to be used to decrypt the root
MAIN_PART=sda3 # default 18.04 cryptsetup root # change this for entire doc, cant use variables for the entire doc
UNLOCKUSB1=/lib/cryptsetup/scripts/unlkusb.sh # unlockfile

READADDKEY () { # previously filled with dev random
dd if=/dev/$CRYPT_USB of=/root/luks-secret.key bs=512 skip=4 count=8
cryptsetup luksAddKey /dev/$MAIN_PART /root/luks-secret.key --key-slot 1
shred --remove --zero /root/luks-secret.key
} # CREATE KEY END


CREATERULESFILE () {
GREP_SERIAL_CRYPT_USB=$(udevadm info -a -p `udevadm info -q path -n /dev/sdc` | grep ATTRS{serial} | head -n 1 | sed -e "s/ //g" )
#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules
#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules
echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules

udevadm control --reload-rules # 4) Reload udev rules with:
# 5 ) Test that /dev/usbkey is created when the usb stick is inserted.
} # CREATE UDEV RULE END


CREATEUNLOCKFILE () {
touch $UNLOCKUSB1

cat << 'EOF' > $UNLOCKUSB1
#!/bin/sh
TRUE=0
FALSE=1
OPENED=$FALSE # flag tracking key-file availability

cat /proc/modules | busybox grep usb_storage >/dev/null 2>&1 # check and modprobe the USB driver if not already loaded
USBLOAD=0$?
if [ $USBLOAD -gt 0 ]; then
modprobe usb_storage >/dev/null 2>&1
fi

sleep 20 # give the system time to settle and open the USB device

if [ -b /dev/usbkey ]; then # check for the specifc /dev/usbkey device created by udev using /etc/udev/rules.d/99-unlock-luks.rules
dd if=/dev/usbkey bs=512 skip=4 count=8 | cat # if device exists then output the keyfile from the usb key (hidden key is 4096 bytes long starting at 2048 bytes)
OPENED=$TRUE
fi

# something isnt working here, if usb fails there is no pass prompt
if [ $OPENED -ne $TRUE ]; then
echo 'FAILED to get USB key file ...'
#if [ -x /bin/plymouth ] && plymouth --ping; then
#plymouth ask-for-password --prompt "Enter passphrase"
#else
/lib/cryptsetup/askpass "Enter passphrase"
#fi
else
echo "Success loading key file. Moving on."
fi

sleep 1
exit 0

EOF

chmod a+x $UNLOCKUSB1
}


CREATECRYPTTAVFILE () {
echo "sda3_crypt /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART) none luks,keyscript=$UNLOCKUSB1" > /etc/crypttab
}


CREATECRYPTOROOTFILE () {
echo "CRYPTROOT=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART)" > /etc/initramfs-tools/conf.d/cryptroot
}


ADDINITRAMFS_MODULES () {
if [ $(cat /etc/initramfs-tools/modules | grep -c "usb_storage") -eq 0 ]; then
echo "usb_storage" >> /etc/initramfs-tools/modules
fi
if [ $(cat /etc/initramfs-tools/modules | grep -c "sha256") -eq 0 ]; then
echo "sha256" >> /etc/initramfs-tools/modules
fi
if [ $(cat /etc/initramfs-tools/modules | grep -c "aes-x86_64") -eq 0 ]; then
echo "aes-x86_64" >> /etc/initramfs-tools/modules
fi
if [ $(cat /etc/initramfs-tools/modules | grep -c "aes_generic") -eq 0 ]; then
echo "aes_generic" >> /etc/initramfs-tools/modules
fi
if [ $(cat /etc/initramfs-tools/modules | grep -c "crypto_api") -eq 0 ]; then
echo "crypto_api" >> /etc/initramfs-tools/modules
fi
if [ $(cat /etc/initramfs-tools/modules | grep -c "dm-crypt") -eq 0 ]; then
echo "dm-crypt" >> /etc/initramfs-tools/modules
fi
if [ $(cat /etc/initramfs-tools/modules | grep -c "scsi_dh") -eq 0 ]; then
echo "scsi_dh" >> /etc/initramfs-tools/modules
fi
if [ $(cat /etc/initramfs-tools/modules | grep -c "usbcore") -eq 0 ]; then
echo "usbcore" >> /etc/initramfs-tools/modules
fi
if [ $(cat /etc/initramfs-tools/modules | grep -c "usbhid") -eq 0 ]; then
echo "usbhid" >> /etc/initramfs-tools/modules
fi
}


CRATEUDEVUSBKEYHOOK () {
touch /etc/initramfs-tools/hooks/udevusbkey
cat << 'EOF' > /etc/initramfs-tools/hooks/udevusbkey
#!/bin/sh
# udev-usbkey script

PREREQ="udev"
prereqs()
{
echo "$PREREQ"
}


case $1 in
prereqs)
prereqs
exit 0
;;
esac

. /usr/share/initramfs-tools/hook-functions

cp /etc/udev/rules.d/99-unlock-luks.rules ${DESTDIR}/lib/udev/rules.d/ # Copy across relevant rules

exit 0

EOF

chmod a+x /etc/initramfs-tools/hooks/udevusbkey
}


SETUPGRUB () {
#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu-vg,keyscript=$UNLOCKUSB1#g" /etc/default/grub
#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=/dev/mapper/xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
#sed -ie "s#quiet splash#ipv6.disable=1 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=vg-your-root,keyscript=/lib/cryptsetup/scripts#g" /etc/default/grub
update-grub
}


UPDATEINIRAMFS () {
update-initramfs -u -k all
}


CHECKFILES() {
ls -la $UNLOCKUSB1
ls -la /etc/initramfs-tools/hooks/udevusbkey
ls -la /etc/udev/rules.d/99-unlock-luks.rules
ls -la /dev/usbkey && echo "if this fails, the usb maybe has to be replugged"
ls -la /etc/initramfs-tools/conf.d/cryptroot
cat /etc/crypttab
cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT=
cat /etc/initramfs-tools/modules
cryptsetup luksDump /dev/sda3
}


READADDKEY
CREATERULESFILE
CREATEUNLOCKFILE
CREATECRYPTTAVFILE
CREATECRYPTOROOTFILE
ADDINITRAMFS_MODULES
CRATEUDEVUSBKEYHOOK
SETUPGRUB
UPDATEINIRAMFS
CHECKFILES


after reboot, this is what grub prints










share|improve this question





























    0
















    Iam trying to unlock/automount the root on my ubuntu 18.04 luks
    cryptsetup installation with a USB drive during boot.




    With the script attached or a similar version it was already working a few weeks ago (cant recall as my drive had a hardware failure, so working off a backup which maybe has some substantial flaw as it was work in progress at time of the backup).



    Maybe somebody here can help me to fix it, i have tried so many variations now and got stuck.



    There aren't any up to date documentations i can find on the web, hope what i got here is close enough ....



    #!/bin/bash

    # https://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile # some lines taken from this link, its a bit dated tough.

    #REPRODUCE START
    # 1. install 18.04 with luks lvm default , set user to autologin
    # 2. reboot after finished install, dont plugin any drives or main cryptoroot may end up on another part than sda3
    # 3. after the new os is booted plugin the drive with this script so it ends up at sdb1
    # 4. plugin the usb to be used as decrypt key so it ends up on sdc
    # 5. run "sudo su" to enter root && run this script
    #REPRODUCE END


    # Ubuntu with Grub2 + LUKS encrypted LVM root + hidden USB keyfile
    CRYPT_USB=sdc # change this for entire doc, cant use variables for the entire doc # usb drive to be used to decrypt the root
    MAIN_PART=sda3 # default 18.04 cryptsetup root # change this for entire doc, cant use variables for the entire doc
    UNLOCKUSB1=/lib/cryptsetup/scripts/unlkusb.sh # unlockfile

    READADDKEY () { # previously filled with dev random
    dd if=/dev/$CRYPT_USB of=/root/luks-secret.key bs=512 skip=4 count=8
    cryptsetup luksAddKey /dev/$MAIN_PART /root/luks-secret.key --key-slot 1
    shred --remove --zero /root/luks-secret.key
    } # CREATE KEY END


    CREATERULESFILE () {
    GREP_SERIAL_CRYPT_USB=$(udevadm info -a -p `udevadm info -q path -n /dev/sdc` | grep ATTRS{serial} | head -n 1 | sed -e "s/ //g" )
    #echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules
    #echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules
    echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules

    udevadm control --reload-rules # 4) Reload udev rules with:
    # 5 ) Test that /dev/usbkey is created when the usb stick is inserted.
    } # CREATE UDEV RULE END


    CREATEUNLOCKFILE () {
    touch $UNLOCKUSB1

    cat << 'EOF' > $UNLOCKUSB1
    #!/bin/sh
    TRUE=0
    FALSE=1
    OPENED=$FALSE # flag tracking key-file availability

    cat /proc/modules | busybox grep usb_storage >/dev/null 2>&1 # check and modprobe the USB driver if not already loaded
    USBLOAD=0$?
    if [ $USBLOAD -gt 0 ]; then
    modprobe usb_storage >/dev/null 2>&1
    fi

    sleep 20 # give the system time to settle and open the USB device

    if [ -b /dev/usbkey ]; then # check for the specifc /dev/usbkey device created by udev using /etc/udev/rules.d/99-unlock-luks.rules
    dd if=/dev/usbkey bs=512 skip=4 count=8 | cat # if device exists then output the keyfile from the usb key (hidden key is 4096 bytes long starting at 2048 bytes)
    OPENED=$TRUE
    fi

    # something isnt working here, if usb fails there is no pass prompt
    if [ $OPENED -ne $TRUE ]; then
    echo 'FAILED to get USB key file ...'
    #if [ -x /bin/plymouth ] && plymouth --ping; then
    #plymouth ask-for-password --prompt "Enter passphrase"
    #else
    /lib/cryptsetup/askpass "Enter passphrase"
    #fi
    else
    echo "Success loading key file. Moving on."
    fi

    sleep 1
    exit 0

    EOF

    chmod a+x $UNLOCKUSB1
    }


    CREATECRYPTTAVFILE () {
    echo "sda3_crypt /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART) none luks,keyscript=$UNLOCKUSB1" > /etc/crypttab
    }


    CREATECRYPTOROOTFILE () {
    echo "CRYPTROOT=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART)" > /etc/initramfs-tools/conf.d/cryptroot
    }


    ADDINITRAMFS_MODULES () {
    if [ $(cat /etc/initramfs-tools/modules | grep -c "usb_storage") -eq 0 ]; then
    echo "usb_storage" >> /etc/initramfs-tools/modules
    fi
    if [ $(cat /etc/initramfs-tools/modules | grep -c "sha256") -eq 0 ]; then
    echo "sha256" >> /etc/initramfs-tools/modules
    fi
    if [ $(cat /etc/initramfs-tools/modules | grep -c "aes-x86_64") -eq 0 ]; then
    echo "aes-x86_64" >> /etc/initramfs-tools/modules
    fi
    if [ $(cat /etc/initramfs-tools/modules | grep -c "aes_generic") -eq 0 ]; then
    echo "aes_generic" >> /etc/initramfs-tools/modules
    fi
    if [ $(cat /etc/initramfs-tools/modules | grep -c "crypto_api") -eq 0 ]; then
    echo "crypto_api" >> /etc/initramfs-tools/modules
    fi
    if [ $(cat /etc/initramfs-tools/modules | grep -c "dm-crypt") -eq 0 ]; then
    echo "dm-crypt" >> /etc/initramfs-tools/modules
    fi
    if [ $(cat /etc/initramfs-tools/modules | grep -c "scsi_dh") -eq 0 ]; then
    echo "scsi_dh" >> /etc/initramfs-tools/modules
    fi
    if [ $(cat /etc/initramfs-tools/modules | grep -c "usbcore") -eq 0 ]; then
    echo "usbcore" >> /etc/initramfs-tools/modules
    fi
    if [ $(cat /etc/initramfs-tools/modules | grep -c "usbhid") -eq 0 ]; then
    echo "usbhid" >> /etc/initramfs-tools/modules
    fi
    }


    CRATEUDEVUSBKEYHOOK () {
    touch /etc/initramfs-tools/hooks/udevusbkey
    cat << 'EOF' > /etc/initramfs-tools/hooks/udevusbkey
    #!/bin/sh
    # udev-usbkey script

    PREREQ="udev"
    prereqs()
    {
    echo "$PREREQ"
    }


    case $1 in
    prereqs)
    prereqs
    exit 0
    ;;
    esac

    . /usr/share/initramfs-tools/hook-functions

    cp /etc/udev/rules.d/99-unlock-luks.rules ${DESTDIR}/lib/udev/rules.d/ # Copy across relevant rules

    exit 0

    EOF

    chmod a+x /etc/initramfs-tools/hooks/udevusbkey
    }


    SETUPGRUB () {
    #sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu-vg,keyscript=$UNLOCKUSB1#g" /etc/default/grub
    #sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=/dev/mapper/xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
    sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
    #sed -ie "s#quiet splash#ipv6.disable=1 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=vg-your-root,keyscript=/lib/cryptsetup/scripts#g" /etc/default/grub
    update-grub
    }


    UPDATEINIRAMFS () {
    update-initramfs -u -k all
    }


    CHECKFILES() {
    ls -la $UNLOCKUSB1
    ls -la /etc/initramfs-tools/hooks/udevusbkey
    ls -la /etc/udev/rules.d/99-unlock-luks.rules
    ls -la /dev/usbkey && echo "if this fails, the usb maybe has to be replugged"
    ls -la /etc/initramfs-tools/conf.d/cryptroot
    cat /etc/crypttab
    cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT=
    cat /etc/initramfs-tools/modules
    cryptsetup luksDump /dev/sda3
    }


    READADDKEY
    CREATERULESFILE
    CREATEUNLOCKFILE
    CREATECRYPTTAVFILE
    CREATECRYPTOROOTFILE
    ADDINITRAMFS_MODULES
    CRATEUDEVUSBKEYHOOK
    SETUPGRUB
    UPDATEINIRAMFS
    CHECKFILES


    after reboot, this is what grub prints










    share|improve this question



























      0












      0








      0









      Iam trying to unlock/automount the root on my ubuntu 18.04 luks
      cryptsetup installation with a USB drive during boot.




      With the script attached or a similar version it was already working a few weeks ago (cant recall as my drive had a hardware failure, so working off a backup which maybe has some substantial flaw as it was work in progress at time of the backup).



      Maybe somebody here can help me to fix it, i have tried so many variations now and got stuck.



      There aren't any up to date documentations i can find on the web, hope what i got here is close enough ....



      #!/bin/bash

      # https://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile # some lines taken from this link, its a bit dated tough.

      #REPRODUCE START
      # 1. install 18.04 with luks lvm default , set user to autologin
      # 2. reboot after finished install, dont plugin any drives or main cryptoroot may end up on another part than sda3
      # 3. after the new os is booted plugin the drive with this script so it ends up at sdb1
      # 4. plugin the usb to be used as decrypt key so it ends up on sdc
      # 5. run "sudo su" to enter root && run this script
      #REPRODUCE END


      # Ubuntu with Grub2 + LUKS encrypted LVM root + hidden USB keyfile
      CRYPT_USB=sdc # change this for entire doc, cant use variables for the entire doc # usb drive to be used to decrypt the root
      MAIN_PART=sda3 # default 18.04 cryptsetup root # change this for entire doc, cant use variables for the entire doc
      UNLOCKUSB1=/lib/cryptsetup/scripts/unlkusb.sh # unlockfile

      READADDKEY () { # previously filled with dev random
      dd if=/dev/$CRYPT_USB of=/root/luks-secret.key bs=512 skip=4 count=8
      cryptsetup luksAddKey /dev/$MAIN_PART /root/luks-secret.key --key-slot 1
      shred --remove --zero /root/luks-secret.key
      } # CREATE KEY END


      CREATERULESFILE () {
      GREP_SERIAL_CRYPT_USB=$(udevadm info -a -p `udevadm info -q path -n /dev/sdc` | grep ATTRS{serial} | head -n 1 | sed -e "s/ //g" )
      #echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules
      #echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules
      echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules

      udevadm control --reload-rules # 4) Reload udev rules with:
      # 5 ) Test that /dev/usbkey is created when the usb stick is inserted.
      } # CREATE UDEV RULE END


      CREATEUNLOCKFILE () {
      touch $UNLOCKUSB1

      cat << 'EOF' > $UNLOCKUSB1
      #!/bin/sh
      TRUE=0
      FALSE=1
      OPENED=$FALSE # flag tracking key-file availability

      cat /proc/modules | busybox grep usb_storage >/dev/null 2>&1 # check and modprobe the USB driver if not already loaded
      USBLOAD=0$?
      if [ $USBLOAD -gt 0 ]; then
      modprobe usb_storage >/dev/null 2>&1
      fi

      sleep 20 # give the system time to settle and open the USB device

      if [ -b /dev/usbkey ]; then # check for the specifc /dev/usbkey device created by udev using /etc/udev/rules.d/99-unlock-luks.rules
      dd if=/dev/usbkey bs=512 skip=4 count=8 | cat # if device exists then output the keyfile from the usb key (hidden key is 4096 bytes long starting at 2048 bytes)
      OPENED=$TRUE
      fi

      # something isnt working here, if usb fails there is no pass prompt
      if [ $OPENED -ne $TRUE ]; then
      echo 'FAILED to get USB key file ...'
      #if [ -x /bin/plymouth ] && plymouth --ping; then
      #plymouth ask-for-password --prompt "Enter passphrase"
      #else
      /lib/cryptsetup/askpass "Enter passphrase"
      #fi
      else
      echo "Success loading key file. Moving on."
      fi

      sleep 1
      exit 0

      EOF

      chmod a+x $UNLOCKUSB1
      }


      CREATECRYPTTAVFILE () {
      echo "sda3_crypt /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART) none luks,keyscript=$UNLOCKUSB1" > /etc/crypttab
      }


      CREATECRYPTOROOTFILE () {
      echo "CRYPTROOT=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART)" > /etc/initramfs-tools/conf.d/cryptroot
      }


      ADDINITRAMFS_MODULES () {
      if [ $(cat /etc/initramfs-tools/modules | grep -c "usb_storage") -eq 0 ]; then
      echo "usb_storage" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "sha256") -eq 0 ]; then
      echo "sha256" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "aes-x86_64") -eq 0 ]; then
      echo "aes-x86_64" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "aes_generic") -eq 0 ]; then
      echo "aes_generic" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "crypto_api") -eq 0 ]; then
      echo "crypto_api" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "dm-crypt") -eq 0 ]; then
      echo "dm-crypt" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "scsi_dh") -eq 0 ]; then
      echo "scsi_dh" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "usbcore") -eq 0 ]; then
      echo "usbcore" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "usbhid") -eq 0 ]; then
      echo "usbhid" >> /etc/initramfs-tools/modules
      fi
      }


      CRATEUDEVUSBKEYHOOK () {
      touch /etc/initramfs-tools/hooks/udevusbkey
      cat << 'EOF' > /etc/initramfs-tools/hooks/udevusbkey
      #!/bin/sh
      # udev-usbkey script

      PREREQ="udev"
      prereqs()
      {
      echo "$PREREQ"
      }


      case $1 in
      prereqs)
      prereqs
      exit 0
      ;;
      esac

      . /usr/share/initramfs-tools/hook-functions

      cp /etc/udev/rules.d/99-unlock-luks.rules ${DESTDIR}/lib/udev/rules.d/ # Copy across relevant rules

      exit 0

      EOF

      chmod a+x /etc/initramfs-tools/hooks/udevusbkey
      }


      SETUPGRUB () {
      #sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu-vg,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      #sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=/dev/mapper/xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      #sed -ie "s#quiet splash#ipv6.disable=1 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=vg-your-root,keyscript=/lib/cryptsetup/scripts#g" /etc/default/grub
      update-grub
      }


      UPDATEINIRAMFS () {
      update-initramfs -u -k all
      }


      CHECKFILES() {
      ls -la $UNLOCKUSB1
      ls -la /etc/initramfs-tools/hooks/udevusbkey
      ls -la /etc/udev/rules.d/99-unlock-luks.rules
      ls -la /dev/usbkey && echo "if this fails, the usb maybe has to be replugged"
      ls -la /etc/initramfs-tools/conf.d/cryptroot
      cat /etc/crypttab
      cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT=
      cat /etc/initramfs-tools/modules
      cryptsetup luksDump /dev/sda3
      }


      READADDKEY
      CREATERULESFILE
      CREATEUNLOCKFILE
      CREATECRYPTTAVFILE
      CREATECRYPTOROOTFILE
      ADDINITRAMFS_MODULES
      CRATEUDEVUSBKEYHOOK
      SETUPGRUB
      UPDATEINIRAMFS
      CHECKFILES


      after reboot, this is what grub prints










      share|improve this question

















      Iam trying to unlock/automount the root on my ubuntu 18.04 luks
      cryptsetup installation with a USB drive during boot.




      With the script attached or a similar version it was already working a few weeks ago (cant recall as my drive had a hardware failure, so working off a backup which maybe has some substantial flaw as it was work in progress at time of the backup).



      Maybe somebody here can help me to fix it, i have tried so many variations now and got stuck.



      There aren't any up to date documentations i can find on the web, hope what i got here is close enough ....



      #!/bin/bash

      # https://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile # some lines taken from this link, its a bit dated tough.

      #REPRODUCE START
      # 1. install 18.04 with luks lvm default , set user to autologin
      # 2. reboot after finished install, dont plugin any drives or main cryptoroot may end up on another part than sda3
      # 3. after the new os is booted plugin the drive with this script so it ends up at sdb1
      # 4. plugin the usb to be used as decrypt key so it ends up on sdc
      # 5. run "sudo su" to enter root && run this script
      #REPRODUCE END


      # Ubuntu with Grub2 + LUKS encrypted LVM root + hidden USB keyfile
      CRYPT_USB=sdc # change this for entire doc, cant use variables for the entire doc # usb drive to be used to decrypt the root
      MAIN_PART=sda3 # default 18.04 cryptsetup root # change this for entire doc, cant use variables for the entire doc
      UNLOCKUSB1=/lib/cryptsetup/scripts/unlkusb.sh # unlockfile

      READADDKEY () { # previously filled with dev random
      dd if=/dev/$CRYPT_USB of=/root/luks-secret.key bs=512 skip=4 count=8
      cryptsetup luksAddKey /dev/$MAIN_PART /root/luks-secret.key --key-slot 1
      shred --remove --zero /root/luks-secret.key
      } # CREATE KEY END


      CREATERULESFILE () {
      GREP_SERIAL_CRYPT_USB=$(udevadm info -a -p `udevadm info -q path -n /dev/sdc` | grep ATTRS{serial} | head -n 1 | sed -e "s/ //g" )
      #echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules
      #echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules
      echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g" > /etc/udev/rules.d/99-unlock-luks.rules

      udevadm control --reload-rules # 4) Reload udev rules with:
      # 5 ) Test that /dev/usbkey is created when the usb stick is inserted.
      } # CREATE UDEV RULE END


      CREATEUNLOCKFILE () {
      touch $UNLOCKUSB1

      cat << 'EOF' > $UNLOCKUSB1
      #!/bin/sh
      TRUE=0
      FALSE=1
      OPENED=$FALSE # flag tracking key-file availability

      cat /proc/modules | busybox grep usb_storage >/dev/null 2>&1 # check and modprobe the USB driver if not already loaded
      USBLOAD=0$?
      if [ $USBLOAD -gt 0 ]; then
      modprobe usb_storage >/dev/null 2>&1
      fi

      sleep 20 # give the system time to settle and open the USB device

      if [ -b /dev/usbkey ]; then # check for the specifc /dev/usbkey device created by udev using /etc/udev/rules.d/99-unlock-luks.rules
      dd if=/dev/usbkey bs=512 skip=4 count=8 | cat # if device exists then output the keyfile from the usb key (hidden key is 4096 bytes long starting at 2048 bytes)
      OPENED=$TRUE
      fi

      # something isnt working here, if usb fails there is no pass prompt
      if [ $OPENED -ne $TRUE ]; then
      echo 'FAILED to get USB key file ...'
      #if [ -x /bin/plymouth ] && plymouth --ping; then
      #plymouth ask-for-password --prompt "Enter passphrase"
      #else
      /lib/cryptsetup/askpass "Enter passphrase"
      #fi
      else
      echo "Success loading key file. Moving on."
      fi

      sleep 1
      exit 0

      EOF

      chmod a+x $UNLOCKUSB1
      }


      CREATECRYPTTAVFILE () {
      echo "sda3_crypt /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART) none luks,keyscript=$UNLOCKUSB1" > /etc/crypttab
      }


      CREATECRYPTOROOTFILE () {
      echo "CRYPTROOT=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART)" > /etc/initramfs-tools/conf.d/cryptroot
      }


      ADDINITRAMFS_MODULES () {
      if [ $(cat /etc/initramfs-tools/modules | grep -c "usb_storage") -eq 0 ]; then
      echo "usb_storage" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "sha256") -eq 0 ]; then
      echo "sha256" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "aes-x86_64") -eq 0 ]; then
      echo "aes-x86_64" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "aes_generic") -eq 0 ]; then
      echo "aes_generic" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "crypto_api") -eq 0 ]; then
      echo "crypto_api" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "dm-crypt") -eq 0 ]; then
      echo "dm-crypt" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "scsi_dh") -eq 0 ]; then
      echo "scsi_dh" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "usbcore") -eq 0 ]; then
      echo "usbcore" >> /etc/initramfs-tools/modules
      fi
      if [ $(cat /etc/initramfs-tools/modules | grep -c "usbhid") -eq 0 ]; then
      echo "usbhid" >> /etc/initramfs-tools/modules
      fi
      }


      CRATEUDEVUSBKEYHOOK () {
      touch /etc/initramfs-tools/hooks/udevusbkey
      cat << 'EOF' > /etc/initramfs-tools/hooks/udevusbkey
      #!/bin/sh
      # udev-usbkey script

      PREREQ="udev"
      prereqs()
      {
      echo "$PREREQ"
      }


      case $1 in
      prereqs)
      prereqs
      exit 0
      ;;
      esac

      . /usr/share/initramfs-tools/hook-functions

      cp /etc/udev/rules.d/99-unlock-luks.rules ${DESTDIR}/lib/udev/rules.d/ # Copy across relevant rules

      exit 0

      EOF

      chmod a+x /etc/initramfs-tools/hooks/udevusbkey
      }


      SETUPGRUB () {
      #sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu-vg,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      #sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=/dev/mapper/xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      #sed -ie "s#quiet splash#ipv6.disable=1 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=vg-your-root,keyscript=/lib/cryptsetup/scripts#g" /etc/default/grub
      update-grub
      }


      UPDATEINIRAMFS () {
      update-initramfs -u -k all
      }


      CHECKFILES() {
      ls -la $UNLOCKUSB1
      ls -la /etc/initramfs-tools/hooks/udevusbkey
      ls -la /etc/udev/rules.d/99-unlock-luks.rules
      ls -la /dev/usbkey && echo "if this fails, the usb maybe has to be replugged"
      ls -la /etc/initramfs-tools/conf.d/cryptroot
      cat /etc/crypttab
      cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT=
      cat /etc/initramfs-tools/modules
      cryptsetup luksDump /dev/sda3
      }


      READADDKEY
      CREATERULESFILE
      CREATEUNLOCKFILE
      CREATECRYPTTAVFILE
      CREATECRYPTOROOTFILE
      ADDINITRAMFS_MODULES
      CRATEUDEVUSBKEYHOOK
      SETUPGRUB
      UPDATEINIRAMFS
      CHECKFILES


      after reboot, this is what grub prints







      grub2 18.04 lvm luks cryptsetup






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 12 at 0:14









      Community

      1




      1










      asked Jan 11 at 7:36









      AurigaeAurigae

      1013




      1013






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1108777%2f18-04-cryptsetup-luks-automount-root-during-boot-with-usb-as-key%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1108777%2f18-04-cryptsetup-luks-automount-root-during-boot-with-usb-as-key%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to change which sound is reproduced for terminal bell?

          Can I use Tabulator js library in my java Spring + Thymeleaf project?

          Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents