A custom script to unlock an encrypted LUKS volume using a USB key or MMC storage device. If the key device is missing or decryption with the key fails, the script falls back to prompting for the passphrase so it can be typed manually.
Requires a Linux distribution with an initramfs system. If you use a complete systemd init you might want to use a PasswordAgent to achieve the same goal (no idea how to employ this here).
In contrast to previous versions, an install script `decryptkeydevice_install.sh` was added which automates the manual procedure of setting up the cryptdevice. If the cryptdevice is not supplied to the install script, its name is derived from `/etc/crypttab` and `cryptsetup status`.

```sh
sh decryptkeydevice_install.sh /dev/disk/by-id/usb-Generic_Flash_Disk_* [cryptdevice]
```
The install script
- Adjusts `/etc/crypttab` accordingly
- Creates a `decryptkeydevice.hook` in `/etc/initramfs-tools/hooks`
- Copies the key script and the config file to `/etc/decryptkeydevice/`, where `update-initramfs` picks it up on each run for inclusion in the initrd image
- Writes random data on the given USB storage device in the unused space between the partition table and the data partitions (partitions are typically aligned, which leaves approx. 1.5 MB unoccupied)
- Adds a key based on this random data to the cryptdevice by calling `cryptsetup luksAddKey ...`
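To show what the key script installed into the initrd has to do at boot (wait for the key device, read the random bytes from the gap after the partition table, hand them to cryptsetup, and fall back to a passphrase prompt), here is an added illustrative keyscript. It is not the project's own code; `KEYDEV`, `KEYOFFSET`, `KEYLEN` and `WAIT` are assumed configuration values, and the device path is a placeholder.

```sh
#!/bin/sh
# Illustrative cryptsetup keyscript in the style of decryptkeydevice (added
# example, not the project's own code). It prints the key to stdout, which is
# what cryptsetup expects from a keyscript, and falls back to a passphrase
# prompt when the key device is missing or cannot be read completely.
# KEYDEV, KEYOFFSET, KEYLEN and WAIT are assumed configuration values.

# Wait up to $2 seconds for device node $1 to appear (USB enumeration is slow).
wait_for_device() {
    dev=$1; timeout=$2; i=0
    while [ "$i" -lt "$timeout" ]; do
        [ -e "$dev" ] && return 0
        sleep 1; i=$((i + 1))
    done
    return 1
}

# Emit $3 raw key bytes starting at byte offset $2 of $1 on stdout.
# Fails (prints nothing) if the source is unreadable or shorter than expected,
# so a truncated key is never handed to cryptsetup as if it were the real one.
read_key_from_device() {
    dev=$1; offset=$2; length=$3
    [ -r "$dev" ] || return 1
    # First pass only counts bytes; the key material itself is discarded here.
    n=$(dd if="$dev" bs=1 skip="$offset" count="$length" 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq "$length" ] || return 1
    # Second pass emits the key. bs=1 is slow but keeps arbitrary offsets exact.
    dd if="$dev" bs=1 skip="$offset" count="$length" 2>/dev/null
}

# Entry point for the initramfs: key from the device, else interactive prompt.
keyscript_main() {
    KEYDEV=${KEYDEV:-/dev/disk/by-id/usb-Generic_Flash_Disk_PLACEHOLDER}
    KEYOFFSET=${KEYOFFSET:-32768} # assumed: past the MBR/GPT, before partition 1
    KEYLEN=${KEYLEN:-4096}        # assumed key length in bytes
    WAIT=${WAIT:-10}              # assumed seconds to wait for the device
    if wait_for_device "$KEYDEV" "$WAIT" &&
       read_key_from_device "$KEYDEV" "$KEYOFFSET" "$KEYLEN"; then
        return 0
    fi
    echo "decryptkeydevice: key device missing or unreadable, asking for passphrase" >&2
    # initramfs-tools helper; CRYPTTAB_NAME is exported by its cryptroot script
    /lib/cryptsetup/askpass "Enter passphrase for ${CRYPTTAB_NAME:-cryptdevice}: "
}
```

In the real hook the script would end with a call to `keyscript_main`; the offset and length must match the bytes the install script wrote and fed to `cryptsetup luksAddKey`.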
License: CC-BY-NC-SA 4.0, due to the license of the original source. This may not be noteworthy, because the level of creativity is not high enough or the original authors provided a different license.