December 4, 2008

Using a USB key for the LUKS passphrase

Filed under: Paranoia, UNIX & Linux — martin @ 10:43 pm

When I had installed my notebook with Ubuntu 8.04 “Horny Hard-on”, I had opted to put the /home filesystem onto an encrypted partition on /dev/sda4. However, after a few months, entering the passphrase after turning on the computer doesn’t seem to be that attractive anymore. I have therefore decided to try to store the passphrase on a spare USB key.

This is how I migrated my LUKS container to a passphrase stored on USB media.

First, I filled the USB key with random data:
# dd if=/dev/urandom of=/dev/sdc

Then, I siphoned off 256 bytes from the USB key, to be used as the passphrase:
# dd if=/dev/sdc of=/home/martin/foo.key bs=1 count=256

foo.key is required only temporarily. You may keep a copy of it stored in a safe place, or you may leave the interactive passphrase in place as a fall-back measure, which is what I’m doing.

The new passphrase can be added to the LUKS container like this:
# cryptsetup luksAddKey /dev/sda4 /home/martin/foo.key

Cryptsetup asks for “any passphrase”, meaning any one of the numerous passphrases that may be assigned to a LUKS device at the same time, such as the interactive passphrase that is already in place.

When the new passphrase has been added, foo.key can be deleted.

Next, I determined the USB id of my USB key:
# ls -l /dev/disk/by-id/ | grep sdc
lrwxrwxrwx 1 root root 9 2008-12-04 21:31 usb-LG_XTICK_AAAAAAAAAAAAAAAAA-0:0 -> ../../sdc

I found that I needed a little helper script that extracts 256 bytes from the USB key and pipes them to stdout:

#!/bin/sh
# Script: /usr/local/sbin/dd-luks-key.sh; cryptsetup passes the crypttab key field (the USB key's device path) as $1
[ -e "$1" ] || exit 1
dd if="$1" bs=1 count=256 2>/dev/null

And now the change to /etc/crypttab:

# Old entry; ask for password:
#sda4_crypt /dev/disk/by-uuid/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none luks
# New entry; execute the keyscript with the USB id as the argument:
sda4_crypt /dev/disk/by-uuid/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /dev/disk/by-id/usb-LG_XTICK_AAAAAAAAAAAAAAAAA-0\:0 luks,keyscript=/usr/local/sbin/dd-luks-key.sh

That’s it. I can now reboot with the USB key plugged in and observe how the system automatically mounts the LUKS container. The USB key is not partitioned, so Gnome will not automatically mount it. It can just be pulled anytime after bootup.
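The procedure above leaves two things unchecked: the keyscript prints nothing (and cryptsetup gets an empty passphrase) if the by-id symlink is not there yet when the script runs, and a short read would hand cryptsetup a truncated passphrase that silently fails to unlock. The following is an added example, not the script from this post: a more defensive version of the keyscript that polls for the device, verifies it really got 256 bytes, and otherwise falls back to an interactive prompt, so the boot does not stall on a missing USB key (the situation zia describes in the comments). It assumes the Debian/Ubuntu keyscript convention (the crypttab key field arrives as $1, the passphrase goes to stdout) and that /lib/cryptsetup/askpass is the distribution's prompt helper; the function names wait_for_device, key_slice and read_usb_key are my own.

```shell
#!/bin/sh
# Added example, not the post's own dd-luks-key.sh: a defensive LUKS keyscript.
# Assumptions: Debian/Ubuntu cryptsetup invokes the keyscript with the crypttab
# key field (here the /dev/disk/by-id path of the USB key) as $1 and reads the
# passphrase from stdout; /lib/cryptsetup/askpass is the distribution's prompt helper.

KEY_BYTES=256   # size of the passphrase slice, as in the post

# wait_for_device PATH TRIES: poll once per second until PATH exists, because
# udev may create the by-id symlink a moment after the keyscript starts.
# Returns 1 if the device has not appeared after TRIES attempts.
wait_for_device() {
    dev=$1
    tries=$2
    while [ "$tries" -gt 0 ]; do
        [ -e "$dev" ] && return 0
        tries=$((tries - 1))
        sleep 1
    done
    [ -e "$dev" ]
}

# key_slice PATH: write exactly KEY_BYTES bytes from the start of PATH to stdout.
# The byte count is verified first (a second, separate 256-byte read is cheap)
# so that a short read never hands cryptsetup a truncated passphrase; on failure
# nothing is written and the function returns 1.
key_slice() {
    got=$(dd if="$1" bs=1 count="$KEY_BYTES" 2>/dev/null | wc -c | tr -d ' ')
    [ "$got" -eq "$KEY_BYTES" ] || return 1
    dd if="$1" bs=1 count="$KEY_BYTES" 2>/dev/null
}

# read_usb_key PATH [TRIES]: wait for the key device, then emit the slice.
read_usb_key() {
    wait_for_device "$1" "${2:-5}" || return 1
    key_slice "$1"
}

# Keyscript entry point: emit the key, or fall back to an interactive prompt
# when the USB key is absent, which is exactly why the interactive passphrase
# in slot 0 is worth keeping.
main() {
    read_usb_key "$1" 5 && exit 0
    if [ -x /lib/cryptsetup/askpass ]; then
        exec /lib/cryptsetup/askpass "USB key not found, enter LUKS passphrase: "
    fi
    echo "dd-luks-key.sh: $1 not found and no askpass fallback" >&2
    exit 1
}

# Run as a keyscript only when invoked under that name; sourcing the file
# (for instance to test the functions) defines them without touching any device.
case "${0##*/}" in
    dd-luks-key.sh) main "$@" ;;
esac
```

Install it as /usr/local/sbin/dd-luks-key.sh, make it executable, and before rebooting confirm that what it emits actually opens the container: pipe its output into cryptsetup luksOpen --key-file=- /dev/sda4 keytest (cryptsetup reads the key from stdin when the key file is "-"), then cryptsetup luksClose keytest. A luksDump of /dev/sda4 should show the new key slot in use next to slot 0.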

If I had chosen to delete the interactive passphrase, which is stored in key slot 0:
# cryptsetup luksDelKey /dev/sda4 0

Be advised that this is no real-deal tough-minded security, but something that will protect the machine only against the type of attackers (e.g. thieves) who are out for your hardware but not for your data. Don’t leave the USB key close to the laptop. Use this responsibly. Thanks!

I’m not convinced that I will stick with this, as it’s far below my usual standard of paranoia. Nevertheless, I have gained a few nice insights into the LUKS system.



  1. wtf.
    Where can I find more Ubuntu porn names?

    Comment by Chris — December 5, 2008 @ 8:59 pm

  2. I did the same one, but instead of a USB stick, I had a flash disk. The problem was only that I was too lazy to remove the disk after shutting down the system (laptop). So … to leave the key in the very secure (house) door is not very … secure 😉 So I switched back to the passphrase.

    Comment by Denny — December 7, 2008 @ 7:29 pm

  3. /dev/urandom is the one that’s not really all that random, right?

    Using /dev/random might be better, limiting it to just the 256 bytes you’ll actually use so it doesn’t take so long.

    dd if=/dev/random of=/dev/sdc bs=1 count=256

    Comment by paranoidjohn — March 8, 2009 @ 2:09 am

  4. Denny, I agree that leaving the stick in the machine would be a problem. As the article says, the usb stick can be pulled anytime right after bootup. So let’s implement something that forces me to remove the stick. How about this idea: Modify the X session script so it waits for the stick to be removed before starting the window manager. Just something like this should work

    while [ -L /dev/disk/by-id/usb-LG_XTICK_AAAAAAAAAAAAAAAAA-0\:0 ]; do sleep 1; done

    Of course, after I pull out the stick I do still need to put it in my pocket or something, not on the desk beside the USB port 🙂

    Comment by paranoidjohn — March 8, 2009 @ 2:23 am

  5. Thanks! Just the thing I was looking for.

    A tip:
    I made an 8 MB empty partition (the smallest I could make) at the beginning of my pendrive, filled it with /dev/urandom data and use it as the key. I created a second partition after it. Now my USB key works as a normal pendrive and it’s harder to spot that it is the key.

    Comment by Ztripez — April 2, 2009 @ 1:03 am

  6. Thanks, it looks a little less complicated now. Paul from France

    Comment by Paul Morrison — February 4, 2010 @ 2:22 am

  7. Very interesting!
    Inspired by this, I wrote a small script which reads FAT32, can find a file by name on any FAT32 device without mounting or writing to the device, and dumps the first 256 bytes of the named file to LUKS 😉
    This way, I can put different keys on multiple USB keys and just have one of them in the port at boot time.

    Comment by Audun — June 22, 2011 @ 10:34 am

    • Could you please post your script here?

      Comment by none nogrp — March 1, 2012 @ 9:39 am

  8. I have a problem..
    I did the same thing as the document says. But the problem is that when the PC booted, my pen drive did not mount at that time..
    so it hung during boot…
    What can I do?

    Comment by zia — May 14, 2013 @ 7:24 am

  9. […] and pass that to cryptsetup to unlock the partition. Here's an example of a doc I found on google: https://binblog.info/2008/12/04/using…ks-passphrase/ Although this uses a custom keyscript I'd try to reuse existing scripts. Be careful though, if […]

    Pingback by Conversion to Key-Based Luks — May 15, 2013 @ 7:04 am
