How to unlock a dm-crypt-encrypted second harddisk with a static key

Let’s assume you have a device that boots from an encrypted SSD and also has an encrypted spinning disk for storage. Further, let’s assume that you unlock the system disk and the spinning disk with a dedicated password each at boot.

At least that’s my current situation. I have grown tired of entering two 20+ character passwords each time my notebook boots, so I have decided to unlock the spinning disk using a static key from the encrypted system disk. That’s certainly not the holy grail of IT security, but anyway. Security and ease of use must go hand in hand in my opinion.

Also note: Do the following steps at your own risk.

Let’s go: Save the password as the static key (NOTE: do not do this if you encrypt a NEW disk or partition. Instead, generate a much more secure (i.e. longer) static key as described in the Arch wiki — the following mini how-to is just for easy “retrofitting” of existing encrypted disks with static key unlocking).

```shell
sudo touch /etc/luks_static_key
sudo chown root:root /etc/luks_static_key
sudo chmod 0400 /etc/luks_static_key   # readable by root only
sudo $EDITOR /etc/luks_static_key      # enter the password and save
```
Change the encrypted disk’s entry in `/etc/crypttab` (your line might vary a bit) from

```
name_of_dmcrypt_device UUID=the_uuid none luks
```

to

```
name_of_dmcrypt_device UUID=the_uuid /etc/luks_static_key
```
For the last step you will need the name of the encrypted partition. Find out what it is using `lsblk`. The output might look like this:

```
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0 931,5G  0 disk
└─sda1          8:1    0 931,5G  0 part
  └─crypt_dev 254:4    0 931,5G  0 crypt /mnt/crypt_dev
```
The encrypted partition in this case is `/dev/sda1`. Now use `cryptsetup` to add the static key file to a free LUKS key slot (this needs root, like the steps above):

```shell
sudo cryptsetup luksAddKey /dev/sda1 /etc/luks_static_key   # enter the existing password of the device
```
Boom. During the next boot sequence you should only be asked for the system disk password. The spinning disk will be unlocked using the static key file from the system disk.
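Before rebooting it is worth checking that every piece of the setup above actually fits together: the key file is root-only, the `/etc/crypttab` entry really points at it, and the file opens the LUKS header. The following script does exactly that for the procedure in this post; it is an added example, not part of the original how-to, and the paths `/etc/luks_static_key`, `/etc/crypttab` and `/dev/sda1` are the placeholders used above. It assumes GNU coreutils (`stat -c`) and `cryptsetup`, as on a typical Linux system.

```shell
#!/bin/sh
# Pre-reboot sanity checks for a key-file-unlocked dm-crypt disk.
# Added example, not from the original post; paths and mapping names are
# placeholders. Assumes GNU coreutils (stat -c) and cryptsetup on Linux.

# Octal mode must have no group/other bits: 400 (as in the post) or 600 pass.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in 400|600|0) return 0 ;; *) return 1 ;; esac
}

# The key file must belong to root so no unprivileged user can read it.
keyfile_owner_ok() {
    [ "$(stat -c '%U' "$1" 2>/dev/null)" = root ]
}

# Most editors append a newline on save. The whole file (newline included)
# is the key, so luksAddKey and crypttab agree, but the stored key is then
# not byte-identical to the typed passphrase. $(...) strips a trailing
# newline, so an empty result from tail -c 1 means the last byte was one.
keyfile_has_trailing_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Print the key-file field of the crypttab entry for a mapping name, or fail.
# Fields: name  device  keyfile  options  (comments and blank lines skipped).
crypttab_keyfile() {
    awk -v n="$2" '$1 !~ /^#/ && $1 == n && NF >= 3 { print $3; found = 1; exit }
                   END { exit !found }' "$1"
}

# Ask cryptsetup whether the key file opens the LUKS header without creating
# a mapping. Needs root; this is the check that prevents a locked-out reboot.
keyfile_unlocks() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

main() {
    dev=$1 name=$2 kf=${3:-/etc/luks_static_key} tab=${4:-/etc/crypttab}
    keyfile_mode_ok "$kf"  || { echo "bad mode on $kf (want 0400)"; exit 1; }
    keyfile_owner_ok "$kf" || { echo "$kf is not owned by root"; exit 1; }
    keyfile_has_trailing_newline "$kf" && echo "note: $kf ends with a newline; it is part of the key"
    entry=$(crypttab_keyfile "$tab" "$name") || { echo "no crypttab entry for $name"; exit 1; }
    [ "$entry" = "$kf" ] || { echo "crypttab points $name at '$entry', not $kf"; exit 1; }
    keyfile_unlocks "$dev" "$kf" && echo "ok: $kf unlocks $dev; safe to reboot"
}

# Usage: sudo sh luks_key_check.sh /dev/sda1 name_of_dmcrypt_device
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the last check fails, the key slot added with `luksAddKey` and the file named in `/etc/crypttab` do not match, and the next boot would fall back to asking for the passphrase (or fail to unlock), so fix that before rebooting.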

Did this mini how-to help you in any way or do you have suggestions? Leave a comment.


Posted

in

by

Tags:

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.