18.04 cryptsetup luks automount root during boot with USB as key












0
















Iam trying to unlock/automount the root on my ubuntu 18.04 luks
cryptsetup installation with a USB drive during boot.




With the script attached or a similar version it was already working a few weeks ago (cant recall as my drive had a hardware failure, so working off a backup which maybe has some substantial flaw as it was work in progress at time of the backup).



Maybe somebody here can help me to fix it, i have tried so many variations now and got stuck.



There aren't any up to date documentations i can find on the web, hope what i got here is close enough ....



#!/bin/bash



# https://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile # some lines taken from this link, its a bit dated tough.



#REPRODUCE START

# 1. install 18.04 with luks lvm default , set user to autologin

# 2. reboot after finished install, dont plugin any drives or main cryptoroot may end up on another part than sda3

# 3. after the new os is booted plugin the drive with this script so it ends up at sdb1

# 4. plugin the usb to be used as decrypt key so it ends up on sdc

# 5. run "sudo su" to enter root && run this script

#REPRODUCE END





# Ubuntu with Grub2 + LUKS encrypted LVM root + hidden USB keyfile

CRYPT_USB=sdc # change this for entire doc, cant use variables for the entire doc # usb drive to be used to decrypt the root

MAIN_PART=sda3 # default 18.04 cryptsetup root # change this for entire doc, cant use variables for the entire doc

UNLOCKUSB1=/lib/cryptsetup/scripts/unlkusb.sh # unlockfile



READADDKEY () { # previously filled with dev random

dd if=/dev/$CRYPT_USB of=/root/luks-secret.key bs=512 skip=4 count=8

cryptsetup luksAddKey /dev/$MAIN_PART /root/luks-secret.key --key-slot 1

shred --remove --zero /root/luks-secret.key

} # CREATE KEY END





CREATERULESFILE () {

GREP_SERIAL_CRYPT_USB=$(udevadm info -a -p `udevadm info -q path -n /dev/sdc` | grep ATTRS{serial} | head -n 1 | sed -e "s/    //g" )

#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules

#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules

echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules



udevadm control --reload-rules # 4) Reload udev rules with:

# 5 ) Test that /dev/usbkey is created when the usb stick is inserted.

} # CREATE UDEV RULE END





CREATEUNLOCKFILE () {

touch $UNLOCKUSB1



cat << 'EOF' > $UNLOCKUSB1

#!/bin/sh

TRUE=0

FALSE=1

OPENED=$FALSE # flag tracking key-file availability



cat /proc/modules | busybox grep usb_storage >/dev/null 2>&1 # check and modprobe the USB driver if not already loaded

USBLOAD=0$?

if [ $USBLOAD -gt 0 ]; then

modprobe usb_storage >/dev/null 2>&1

fi



sleep 20 # give the system time to settle and open the USB device



if [ -b /dev/usbkey ]; then # check for the specifc /dev/usbkey device created by udev using /etc/udev/rules.d/99-unlock-luks.rules

dd if=/dev/usbkey bs=512 skip=4 count=8 | cat # if device exists then output the keyfile from the usb key (hidden key is 4096 bytes long starting at 2048 bytes)

OPENED=$TRUE

fi



# something isnt working here, if usb fails there is no pass prompt

if [ $OPENED -ne $TRUE ]; then

echo 'FAILED to get USB key file ...'

#if [ -x /bin/plymouth ] && plymouth --ping; then

#plymouth ask-for-password --prompt "Enter passphrase"

#else

/lib/cryptsetup/askpass "Enter passphrase"

#fi

else

echo "Success loading key file. Moving on." 

fi



sleep 1

exit 0



EOF



chmod a+x $UNLOCKUSB1

}





CREATECRYPTTAVFILE () {

echo "sda3_crypt /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART) none luks,keyscript=$UNLOCKUSB1" > /etc/crypttab

}





CREATECRYPTOROOTFILE () {

echo "CRYPTROOT=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART)" > /etc/initramfs-tools/conf.d/cryptroot

}





ADDINITRAMFS_MODULES () {

if [ $(cat /etc/initramfs-tools/modules | grep -c "usb_storage") -eq 0 ]; then

echo "usb_storage" >> /etc/initramfs-tools/modules

fi

if [ $(cat /etc/initramfs-tools/modules | grep -c "sha256") -eq 0 ]; then

echo "sha256" >> /etc/initramfs-tools/modules

fi

if [ $(cat /etc/initramfs-tools/modules | grep -c "aes-x86_64") -eq 0 ]; then

echo "aes-x86_64" >> /etc/initramfs-tools/modules

fi

if [ $(cat /etc/initramfs-tools/modules | grep -c "aes_generic") -eq 0 ]; then

echo "aes_generic" >> /etc/initramfs-tools/modules

fi

if [ $(cat /etc/initramfs-tools/modules | grep -c "crypto_api") -eq 0 ]; then

echo "crypto_api" >> /etc/initramfs-tools/modules

fi

if [ $(cat /etc/initramfs-tools/modules | grep -c "dm-crypt") -eq 0 ]; then

echo "dm-crypt" >> /etc/initramfs-tools/modules

fi

if [ $(cat /etc/initramfs-tools/modules | grep -c "scsi_dh") -eq 0 ]; then

echo "scsi_dh" >> /etc/initramfs-tools/modules

fi

if [ $(cat /etc/initramfs-tools/modules | grep -c "usbcore") -eq 0 ]; then

echo "usbcore" >> /etc/initramfs-tools/modules

fi

if [ $(cat /etc/initramfs-tools/modules | grep -c "usbhid") -eq 0 ]; then

echo "usbhid" >> /etc/initramfs-tools/modules

fi

}





CRATEUDEVUSBKEYHOOK () {

touch /etc/initramfs-tools/hooks/udevusbkey

cat << 'EOF' > /etc/initramfs-tools/hooks/udevusbkey

#!/bin/sh

# udev-usbkey script



PREREQ="udev"

prereqs()

{

echo "$PREREQ"

}





case $1 in

prereqs)

prereqs

exit 0

;;

esac



. /usr/share/initramfs-tools/hook-functions



cp /etc/udev/rules.d/99-unlock-luks.rules ${DESTDIR}/lib/udev/rules.d/ # Copy across relevant rules



exit 0



EOF



chmod a+x /etc/initramfs-tools/hooks/udevusbkey

}





SETUPGRUB () {

#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu-vg,keyscript=$UNLOCKUSB1#g" /etc/default/grub

#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=/dev/mapper/xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub

sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub

#sed -ie "s#quiet splash#ipv6.disable=1 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=vg-your-root,keyscript=/lib/cryptsetup/scripts#g" /etc/default/grub

update-grub

}





UPDATEINIRAMFS () {

update-initramfs -u -k all

}





CHECKFILES() {

ls -la $UNLOCKUSB1

ls -la /etc/initramfs-tools/hooks/udevusbkey

ls -la /etc/udev/rules.d/99-unlock-luks.rules

ls -la /dev/usbkey && echo "if this fails, the usb maybe has to be replugged"

ls -la /etc/initramfs-tools/conf.d/cryptroot

cat /etc/crypttab

cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT=

cat /etc/initramfs-tools/modules

cryptsetup luksDump /dev/sda3

}





READADDKEY

CREATERULESFILE

CREATEUNLOCKFILE

CREATECRYPTTAVFILE

CREATECRYPTOROOTFILE

ADDINITRAMFS_MODULES

CRATEUDEVUSBKEYHOOK

SETUPGRUB

UPDATEINIRAMFS

CHECKFILES


after reboot, this is what grub prints






grub2 18.04 lvm luks cryptsetup







share|improve this question





























    0
















    Iam trying to unlock/automount the root on my ubuntu 18.04 luks
    cryptsetup installation with a USB drive during boot.




    With the script attached or a similar version it was already working a few weeks ago (cant recall as my drive had a hardware failure, so working off a backup which maybe has some substantial flaw as it was work in progress at time of the backup).



    Maybe somebody here can help me to fix it, i have tried so many variations now and got stuck.



    There aren't any up to date documentations i can find on the web, hope what i got here is close enough ....



    #!/bin/bash
    

    
# https://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile # some lines taken from this link, its a bit dated tough.
    

    
#REPRODUCE START
    
# 1. install 18.04 with luks lvm default , set user to autologin
    
# 2. reboot after finished install, dont plugin any drives or main cryptoroot may end up on another part than sda3
    
# 3. after the new os is booted plugin the drive with this script so it ends up at sdb1
    
# 4. plugin the usb to be used as decrypt key so it ends up on sdc
    
# 5. run "sudo su" to enter root && run this script
    
#REPRODUCE END
    

    

    
# Ubuntu with Grub2 + LUKS encrypted LVM root + hidden USB keyfile
    
CRYPT_USB=sdc # change this for entire doc, cant use variables for the entire doc # usb drive to be used to decrypt the root
    
MAIN_PART=sda3 # default 18.04 cryptsetup root # change this for entire doc, cant use variables for the entire doc
    
UNLOCKUSB1=/lib/cryptsetup/scripts/unlkusb.sh # unlockfile
    

    
READADDKEY () { # previously filled with dev random
    
dd if=/dev/$CRYPT_USB of=/root/luks-secret.key bs=512 skip=4 count=8
    
cryptsetup luksAddKey /dev/$MAIN_PART /root/luks-secret.key --key-slot 1
    
shred --remove --zero /root/luks-secret.key
    
} # CREATE KEY END
    

    

    
CREATERULESFILE () {
    
GREP_SERIAL_CRYPT_USB=$(udevadm info -a -p `udevadm info -q path -n /dev/sdc` | grep ATTRS{serial} | head -n 1 | sed -e "s/    //g" )
    
#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules
    
#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules
    
echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules
    

    
udevadm control --reload-rules # 4) Reload udev rules with:
    
# 5 ) Test that /dev/usbkey is created when the usb stick is inserted.
    
} # CREATE UDEV RULE END
    

    

    
CREATEUNLOCKFILE () {
    
touch $UNLOCKUSB1
    

    
cat << 'EOF' > $UNLOCKUSB1
    
#!/bin/sh
    
TRUE=0
    
FALSE=1
    
OPENED=$FALSE # flag tracking key-file availability
    

    
cat /proc/modules | busybox grep usb_storage >/dev/null 2>&1 # check and modprobe the USB driver if not already loaded
    
USBLOAD=0$?
    
if [ $USBLOAD -gt 0 ]; then
    
modprobe usb_storage >/dev/null 2>&1
    
fi
    

    
sleep 20 # give the system time to settle and open the USB device
    

    
if [ -b /dev/usbkey ]; then # check for the specifc /dev/usbkey device created by udev using /etc/udev/rules.d/99-unlock-luks.rules
    
dd if=/dev/usbkey bs=512 skip=4 count=8 | cat # if device exists then output the keyfile from the usb key (hidden key is 4096 bytes long starting at 2048 bytes)
    
OPENED=$TRUE
    
fi
    

    
# something isnt working here, if usb fails there is no pass prompt
    
if [ $OPENED -ne $TRUE ]; then
    
echo 'FAILED to get USB key file ...'
    
#if [ -x /bin/plymouth ] && plymouth --ping; then
    
#plymouth ask-for-password --prompt "Enter passphrase"
    
#else
    
/lib/cryptsetup/askpass "Enter passphrase"
    
#fi
    
else
    
echo "Success loading key file. Moving on." 
    
fi
    

    
sleep 1
    
exit 0
    

    
EOF
    

    
chmod a+x $UNLOCKUSB1
    
}
    

    

    
CREATECRYPTTAVFILE () {
    
echo "sda3_crypt /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART) none luks,keyscript=$UNLOCKUSB1" > /etc/crypttab
    
}
    

    

    
CREATECRYPTOROOTFILE () {
    
echo "CRYPTROOT=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART)" > /etc/initramfs-tools/conf.d/cryptroot
    
}
    

    

    
ADDINITRAMFS_MODULES () {
    
if [ $(cat /etc/initramfs-tools/modules | grep -c "usb_storage") -eq 0 ]; then
    
echo "usb_storage" >> /etc/initramfs-tools/modules
    
fi
    
if [ $(cat /etc/initramfs-tools/modules | grep -c "sha256") -eq 0 ]; then
    
echo "sha256" >> /etc/initramfs-tools/modules
    
fi
    
if [ $(cat /etc/initramfs-tools/modules | grep -c "aes-x86_64") -eq 0 ]; then
    
echo "aes-x86_64" >> /etc/initramfs-tools/modules
    
fi
    
if [ $(cat /etc/initramfs-tools/modules | grep -c "aes_generic") -eq 0 ]; then
    
echo "aes_generic" >> /etc/initramfs-tools/modules
    
fi
    
if [ $(cat /etc/initramfs-tools/modules | grep -c "crypto_api") -eq 0 ]; then
    
echo "crypto_api" >> /etc/initramfs-tools/modules
    
fi
    
if [ $(cat /etc/initramfs-tools/modules | grep -c "dm-crypt") -eq 0 ]; then
    
echo "dm-crypt" >> /etc/initramfs-tools/modules
    
fi
    
if [ $(cat /etc/initramfs-tools/modules | grep -c "scsi_dh") -eq 0 ]; then
    
echo "scsi_dh" >> /etc/initramfs-tools/modules
    
fi
    
if [ $(cat /etc/initramfs-tools/modules | grep -c "usbcore") -eq 0 ]; then
    
echo "usbcore" >> /etc/initramfs-tools/modules
    
fi
    
if [ $(cat /etc/initramfs-tools/modules | grep -c "usbhid") -eq 0 ]; then
    
echo "usbhid" >> /etc/initramfs-tools/modules
    
fi
    
}
    

    

    
CRATEUDEVUSBKEYHOOK () {
    
touch /etc/initramfs-tools/hooks/udevusbkey
    
cat << 'EOF' > /etc/initramfs-tools/hooks/udevusbkey
    
#!/bin/sh
    
# udev-usbkey script
    

    
PREREQ="udev"
    
prereqs()
    
{
    
echo "$PREREQ"
    
}
    

    

    
case $1 in
    
prereqs)
    
prereqs
    
exit 0
    
;;
    
esac
    

    
. /usr/share/initramfs-tools/hook-functions
    

    
cp /etc/udev/rules.d/99-unlock-luks.rules ${DESTDIR}/lib/udev/rules.d/ # Copy across relevant rules
    

    
exit 0
    

    
EOF
    

    
chmod a+x /etc/initramfs-tools/hooks/udevusbkey
    
}
    

    

    
SETUPGRUB () {
    
#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu-vg,keyscript=$UNLOCKUSB1#g" /etc/default/grub
    
#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=/dev/mapper/xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
    
sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
    
#sed -ie "s#quiet splash#ipv6.disable=1 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=vg-your-root,keyscript=/lib/cryptsetup/scripts#g" /etc/default/grub
    
update-grub
    
}
    

    

    
UPDATEINIRAMFS () {
    
update-initramfs -u -k all
    
}
    

    

    
CHECKFILES() {
    
ls -la $UNLOCKUSB1
    
ls -la /etc/initramfs-tools/hooks/udevusbkey
    
ls -la /etc/udev/rules.d/99-unlock-luks.rules
    
ls -la /dev/usbkey && echo "if this fails, the usb maybe has to be replugged"
    
ls -la /etc/initramfs-tools/conf.d/cryptroot
    
cat /etc/crypttab
    
cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT=
    
cat /etc/initramfs-tools/modules
    
cryptsetup luksDump /dev/sda3
    
}
    

    

    
READADDKEY
    
CREATERULESFILE
    
CREATEUNLOCKFILE
    
CREATECRYPTTAVFILE
    
CREATECRYPTOROOTFILE
    
ADDINITRAMFS_MODULES
    
CRATEUDEVUSBKEYHOOK
    
SETUPGRUB
    
UPDATEINIRAMFS
    
CHECKFILES


    after reboot, this is what grub prints






    grub2 18.04 lvm luks cryptsetup







    share|improve this question



























      0












      0








      0









      Iam trying to unlock/automount the root on my ubuntu 18.04 luks
      cryptsetup installation with a USB drive during boot.




      With the script attached or a similar version it was already working a few weeks ago (cant recall as my drive had a hardware failure, so working off a backup which maybe has some substantial flaw as it was work in progress at time of the backup).



      Maybe somebody here can help me to fix it, i have tried so many variations now and got stuck.



      There aren't any up to date documentations i can find on the web, hope what i got here is close enough ....



      #!/bin/bash
      

      
# https://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile # some lines taken from this link, its a bit dated tough.
      

      
#REPRODUCE START
      
# 1. install 18.04 with luks lvm default , set user to autologin
      
# 2. reboot after finished install, dont plugin any drives or main cryptoroot may end up on another part than sda3
      
# 3. after the new os is booted plugin the drive with this script so it ends up at sdb1
      
# 4. plugin the usb to be used as decrypt key so it ends up on sdc
      
# 5. run "sudo su" to enter root && run this script
      
#REPRODUCE END
      

      

      
# Ubuntu with Grub2 + LUKS encrypted LVM root + hidden USB keyfile
      
CRYPT_USB=sdc # change this for entire doc, cant use variables for the entire doc # usb drive to be used to decrypt the root
      
MAIN_PART=sda3 # default 18.04 cryptsetup root # change this for entire doc, cant use variables for the entire doc
      
UNLOCKUSB1=/lib/cryptsetup/scripts/unlkusb.sh # unlockfile
      

      
READADDKEY () { # previously filled with dev random
      
dd if=/dev/$CRYPT_USB of=/root/luks-secret.key bs=512 skip=4 count=8
      
cryptsetup luksAddKey /dev/$MAIN_PART /root/luks-secret.key --key-slot 1
      
shred --remove --zero /root/luks-secret.key
      
} # CREATE KEY END
      

      

      
CREATERULESFILE () {
      
GREP_SERIAL_CRYPT_USB=$(udevadm info -a -p `udevadm info -q path -n /dev/sdc` | grep ATTRS{serial} | head -n 1 | sed -e "s/    //g" )
      
#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules
      
#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules
      
echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules
      

      
udevadm control --reload-rules # 4) Reload udev rules with:
      
# 5 ) Test that /dev/usbkey is created when the usb stick is inserted.
      
} # CREATE UDEV RULE END
      

      

      
CREATEUNLOCKFILE () {
      
touch $UNLOCKUSB1
      

      
cat << 'EOF' > $UNLOCKUSB1
      
#!/bin/sh
      
TRUE=0
      
FALSE=1
      
OPENED=$FALSE # flag tracking key-file availability
      

      
cat /proc/modules | busybox grep usb_storage >/dev/null 2>&1 # check and modprobe the USB driver if not already loaded
      
USBLOAD=0$?
      
if [ $USBLOAD -gt 0 ]; then
      
modprobe usb_storage >/dev/null 2>&1
      
fi
      

      
sleep 20 # give the system time to settle and open the USB device
      

      
if [ -b /dev/usbkey ]; then # check for the specifc /dev/usbkey device created by udev using /etc/udev/rules.d/99-unlock-luks.rules
      
dd if=/dev/usbkey bs=512 skip=4 count=8 | cat # if device exists then output the keyfile from the usb key (hidden key is 4096 bytes long starting at 2048 bytes)
      
OPENED=$TRUE
      
fi
      

      
# something isnt working here, if usb fails there is no pass prompt
      
if [ $OPENED -ne $TRUE ]; then
      
echo 'FAILED to get USB key file ...'
      
#if [ -x /bin/plymouth ] && plymouth --ping; then
      
#plymouth ask-for-password --prompt "Enter passphrase"
      
#else
      
/lib/cryptsetup/askpass "Enter passphrase"
      
#fi
      
else
      
echo "Success loading key file. Moving on." 
      
fi
      

      
sleep 1
      
exit 0
      

      
EOF
      

      
chmod a+x $UNLOCKUSB1
      
}
      

      

      
CREATECRYPTTAVFILE () {
      
echo "sda3_crypt /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART) none luks,keyscript=$UNLOCKUSB1" > /etc/crypttab
      
}
      

      

      
CREATECRYPTOROOTFILE () {
      
echo "CRYPTROOT=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART)" > /etc/initramfs-tools/conf.d/cryptroot
      
}
      

      

      
ADDINITRAMFS_MODULES () {
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "usb_storage") -eq 0 ]; then
      
echo "usb_storage" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "sha256") -eq 0 ]; then
      
echo "sha256" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "aes-x86_64") -eq 0 ]; then
      
echo "aes-x86_64" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "aes_generic") -eq 0 ]; then
      
echo "aes_generic" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "crypto_api") -eq 0 ]; then
      
echo "crypto_api" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "dm-crypt") -eq 0 ]; then
      
echo "dm-crypt" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "scsi_dh") -eq 0 ]; then
      
echo "scsi_dh" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "usbcore") -eq 0 ]; then
      
echo "usbcore" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "usbhid") -eq 0 ]; then
      
echo "usbhid" >> /etc/initramfs-tools/modules
      
fi
      
}
      

      

      
CRATEUDEVUSBKEYHOOK () {
      
touch /etc/initramfs-tools/hooks/udevusbkey
      
cat << 'EOF' > /etc/initramfs-tools/hooks/udevusbkey
      
#!/bin/sh
      
# udev-usbkey script
      

      
PREREQ="udev"
      
prereqs()
      
{
      
echo "$PREREQ"
      
}
      

      

      
case $1 in
      
prereqs)
      
prereqs
      
exit 0
      
;;
      
esac
      

      
. /usr/share/initramfs-tools/hook-functions
      

      
cp /etc/udev/rules.d/99-unlock-luks.rules ${DESTDIR}/lib/udev/rules.d/ # Copy across relevant rules
      

      
exit 0
      

      
EOF
      

      
chmod a+x /etc/initramfs-tools/hooks/udevusbkey
      
}
      

      

      
SETUPGRUB () {
      
#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu-vg,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      
#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=/dev/mapper/xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      
sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      
#sed -ie "s#quiet splash#ipv6.disable=1 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=vg-your-root,keyscript=/lib/cryptsetup/scripts#g" /etc/default/grub
      
update-grub
      
}
      

      

      
UPDATEINIRAMFS () {
      
update-initramfs -u -k all
      
}
      

      

      
CHECKFILES() {
      
ls -la $UNLOCKUSB1
      
ls -la /etc/initramfs-tools/hooks/udevusbkey
      
ls -la /etc/udev/rules.d/99-unlock-luks.rules
      
ls -la /dev/usbkey && echo "if this fails, the usb maybe has to be replugged"
      
ls -la /etc/initramfs-tools/conf.d/cryptroot
      
cat /etc/crypttab
      
cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT=
      
cat /etc/initramfs-tools/modules
      
cryptsetup luksDump /dev/sda3
      
}
      

      

      
READADDKEY
      
CREATERULESFILE
      
CREATEUNLOCKFILE
      
CREATECRYPTTAVFILE
      
CREATECRYPTOROOTFILE
      
ADDINITRAMFS_MODULES
      
CRATEUDEVUSBKEYHOOK
      
SETUPGRUB
      
UPDATEINIRAMFS
      
CHECKFILES


      after reboot, this is what grub prints






      grub2 18.04 lvm luks cryptsetup







      share|improve this question

















      Iam trying to unlock/automount the root on my ubuntu 18.04 luks
      cryptsetup installation with a USB drive during boot.




      With the script attached or a similar version it was already working a few weeks ago (cant recall as my drive had a hardware failure, so working off a backup which maybe has some substantial flaw as it was work in progress at time of the backup).



      Maybe somebody here can help me to fix it, i have tried so many variations now and got stuck.



      There aren't any up to date documentations i can find on the web, hope what i got here is close enough ....



      #!/bin/bash
      

      
# https://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile # some lines taken from this link, its a bit dated tough.
      

      
#REPRODUCE START
      
# 1. install 18.04 with luks lvm default , set user to autologin
      
# 2. reboot after finished install, dont plugin any drives or main cryptoroot may end up on another part than sda3
      
# 3. after the new os is booted plugin the drive with this script so it ends up at sdb1
      
# 4. plugin the usb to be used as decrypt key so it ends up on sdc
      
# 5. run "sudo su" to enter root && run this script
      
#REPRODUCE END
      

      

      
# Ubuntu with Grub2 + LUKS encrypted LVM root + hidden USB keyfile
      
CRYPT_USB=sdc # change this for entire doc, cant use variables for the entire doc # usb drive to be used to decrypt the root
      
MAIN_PART=sda3 # default 18.04 cryptsetup root # change this for entire doc, cant use variables for the entire doc
      
UNLOCKUSB1=/lib/cryptsetup/scripts/unlkusb.sh # unlockfile
      

      
READADDKEY () { # previously filled with dev random
      
dd if=/dev/$CRYPT_USB of=/root/luks-secret.key bs=512 skip=4 count=8
      
cryptsetup luksAddKey /dev/$MAIN_PART /root/luks-secret.key --key-slot 1
      
shred --remove --zero /root/luks-secret.key
      
} # CREATE KEY END
      

      

      
CREATERULESFILE () {
      
GREP_SERIAL_CRYPT_USB=$(udevadm info -a -p `udevadm info -q path -n /dev/sdc` | grep ATTRS{serial} | head -n 1 | sed -e "s/    //g" )
      
#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules
      
#echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules
      
echo 'SUBSYSTEMS=="usb", ATTRS{serial}=="000A000A000x", KERNEL=="sd*", DRIVERS=="usb", SYMLINK+="usbkey%n"' | sed -e 's/ATTRS{serial}=="//g' | sed -e 's/x"//g' | sed -e "s/000A000A000/$GREP_SERIAL_CRYPT_USB/g"  > /etc/udev/rules.d/99-unlock-luks.rules
      

      
udevadm control --reload-rules # 4) Reload udev rules with:
      
# 5 ) Test that /dev/usbkey is created when the usb stick is inserted.
      
} # CREATE UDEV RULE END
      

      

      
CREATEUNLOCKFILE () {
      
touch $UNLOCKUSB1
      

      
cat << 'EOF' > $UNLOCKUSB1
      
#!/bin/sh
      
TRUE=0
      
FALSE=1
      
OPENED=$FALSE # flag tracking key-file availability
      

      
cat /proc/modules | busybox grep usb_storage >/dev/null 2>&1 # check and modprobe the USB driver if not already loaded
      
USBLOAD=0$?
      
if [ $USBLOAD -gt 0 ]; then
      
modprobe usb_storage >/dev/null 2>&1
      
fi
      

      
sleep 20 # give the system time to settle and open the USB device
      

      
if [ -b /dev/usbkey ]; then # check for the specifc /dev/usbkey device created by udev using /etc/udev/rules.d/99-unlock-luks.rules
      
dd if=/dev/usbkey bs=512 skip=4 count=8 | cat # if device exists then output the keyfile from the usb key (hidden key is 4096 bytes long starting at 2048 bytes)
      
OPENED=$TRUE
      
fi
      

      
# something isnt working here, if usb fails there is no pass prompt
      
if [ $OPENED -ne $TRUE ]; then
      
echo 'FAILED to get USB key file ...'
      
#if [ -x /bin/plymouth ] && plymouth --ping; then
      
#plymouth ask-for-password --prompt "Enter passphrase"
      
#else
      
/lib/cryptsetup/askpass "Enter passphrase"
      
#fi
      
else
      
echo "Success loading key file. Moving on." 
      
fi
      

      
sleep 1
      
exit 0
      

      
EOF
      

      
chmod a+x $UNLOCKUSB1
      
}
      

      

      
CREATECRYPTTAVFILE () {
      
echo "sda3_crypt /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART) none luks,keyscript=$UNLOCKUSB1" > /etc/crypttab
      
}
      

      

      
CREATECRYPTOROOTFILE () {
      
echo "CRYPTROOT=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART)" > /etc/initramfs-tools/conf.d/cryptroot
      
}
      

      

      
ADDINITRAMFS_MODULES () {
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "usb_storage") -eq 0 ]; then
      
echo "usb_storage" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "sha256") -eq 0 ]; then
      
echo "sha256" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "aes-x86_64") -eq 0 ]; then
      
echo "aes-x86_64" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "aes_generic") -eq 0 ]; then
      
echo "aes_generic" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "crypto_api") -eq 0 ]; then
      
echo "crypto_api" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "dm-crypt") -eq 0 ]; then
      
echo "dm-crypt" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "scsi_dh") -eq 0 ]; then
      
echo "scsi_dh" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "usbcore") -eq 0 ]; then
      
echo "usbcore" >> /etc/initramfs-tools/modules
      
fi
      
if [ $(cat /etc/initramfs-tools/modules | grep -c "usbhid") -eq 0 ]; then
      
echo "usbhid" >> /etc/initramfs-tools/modules
      
fi
      
}
      

      

      
CRATEUDEVUSBKEYHOOK () {
      
touch /etc/initramfs-tools/hooks/udevusbkey
      
cat << 'EOF' > /etc/initramfs-tools/hooks/udevusbkey
      
#!/bin/sh
      
# udev-usbkey script
      

      
PREREQ="udev"
      
prereqs()
      
{
      
echo "$PREREQ"
      
}
      

      

      
case $1 in
      
prereqs)
      
prereqs
      
exit 0
      
;;
      
esac
      

      
. /usr/share/initramfs-tools/hook-functions
      

      
cp /etc/udev/rules.d/99-unlock-luks.rules ${DESTDIR}/lib/udev/rules.d/ # Copy across relevant rules
      

      
exit 0
      

      
EOF
      

      
chmod a+x /etc/initramfs-tools/hooks/udevusbkey
      
}
      

      

      
SETUPGRUB () {
      
#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu-vg,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      
#sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=/dev/mapper/xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      
sed -ie "s#quiet splash#cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=xubuntu--vg-root,keyscript=$UNLOCKUSB1#g" /etc/default/grub
      
#sed -ie "s#quiet splash#ipv6.disable=1 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/$(blkid -o value -s UUID /dev/$MAIN_PART),lvm=vg-your-root,keyscript=/lib/cryptsetup/scripts#g" /etc/default/grub
      
update-grub
      
}
      

      

      
UPDATEINIRAMFS () {
      
update-initramfs -u -k all
      
}
      

      

      
CHECKFILES() {
      
ls -la $UNLOCKUSB1
      
ls -la /etc/initramfs-tools/hooks/udevusbkey
      
ls -la /etc/udev/rules.d/99-unlock-luks.rules
      
ls -la /dev/usbkey && echo "if this fails, the usb maybe has to be replugged"
      
ls -la /etc/initramfs-tools/conf.d/cryptroot
      
cat /etc/crypttab
      
cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT=
      
cat /etc/initramfs-tools/modules
      
cryptsetup luksDump /dev/sda3
      
}
      

      

      
READADDKEY
      
CREATERULESFILE
      
CREATEUNLOCKFILE
      
CREATECRYPTTAVFILE
      
CREATECRYPTOROOTFILE
      
ADDINITRAMFS_MODULES
      
CRATEUDEVUSBKEYHOOK
      
SETUPGRUB
      
UPDATEINIRAMFS
      
CHECKFILES


      after reboot, this is what grub prints






      grub2 18.04 lvm luks cryptsetup




      grub2 18.04 lvm luks cryptsetup






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 12 at 0:14









      Community

      1




      1










      asked Jan 11 at 7:36









      AurigaeAurigae

      1013




      1013






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1108777%2f18-04-cryptsetup-luks-automount-root-during-boot-with-usb-as-key%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1108777%2f18-04-cryptsetup-luks-automount-root-during-boot-with-usb-as-key%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          How to change which sound is reproduced for terminal bell?

          Image
          3 Recently upgrade to 18.10 from 18.04, and using the terminal is becoming annoying: the new alert sound is a drip ( /usr/share/sounds/gnome/default/alerts/drip.ogg ), and the previous one is still located at ( /usr/share/sounds/ubuntu/stereo/bell.ogg ). My issue is that at the gnome-terminal, when autocompleting or pressing left BOTH sounds are reproduced, at the same time. I want to just have ubuntu/stereo/bell.ogg active, not both . At the moment I have been only able to reduce the volume of the alerts (but still both are played), or turn the alerts down (but I dislike both "solutions"). gnome-terminal 18.10 teminal-bell share | improve this question
          Read more

          Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

          Image
          up vote 5 down vote favorite 2 I would like to make it so that the vertical space below the title of each chapter is the same when using the Bjornstrup package (i.e. so that the descenders do not affect the spacing - as shown by the red arrow in the picture below). I think I'm fairly happy with the spacing around "A chapter", so I'd really like titles without descenders (e.g. "Contents") to have the same vertical spacing as "A chapter" below the title. I would also like to remove the large "0" in the contents title. Any help appreciated, as always. documentclass[11pt,a4paper]{book} % Packages[![enter image description here][1]][1] usepackage[left=3.5cm, right=3.5cm, top=4.3cm, bottom=4.25cm]{geometry} usepackage[utf8]{inputenc} usepackage{libertine} usepackage[libertine]{newtx
          Read more

          Can I use Tabulator js library in my java Spring + Thymeleaf project?

          Image
          0 I want to add Tabulator js to my java project. I added tabulator.min.js, tabulator.min.css to resources folder. After that added to my html page these dependencies as recommending in readme.md. <link rel="stylesheet" th:href="@{/css/tabulator.min.css}"> <script type="text/javascript" th:src="@{/js/tabulator.min.js}"></script> Now my tables view all elements, that I have in the html page, but not correct. In the documentation of Tabulator is example how to create header and table, var table = new Tabulator("#example-table", { columns:[ {title:"Name", field:"name", sorter:"string", width:200, editor:true}, {title:"Age", field:"age", sorter:"
          Read more