I have Alpine Linux installed in an encrypted LUKS partition. I came across this tutorial, which shows how to set up a key on a USB drive so that when the drive is inserted and the computer is booted, the LUKS partition auto-unlocks with the key on the USB drive.
I would like to set up the same thing, but I do not have Alpine Linux installed on ZFS, so I'm looking for ways to adapt the instructions.
So far, what I've done is:
1. I've set up the key on the USB stick and I can unlock the LUKS partition with that key.
2. I created a /etc/mkinitfs/features.d/usb-unlock.sh script with the following content (the echo to /dev/kmsg was to check whether the script did indeed run at boot by trying to print to the kernel messages, but I can't find anything in the kernel messages):
    #!/bin/sh
    echo "usb-unlock script starting..." > /dev/kmsg
    USB_MOUNT="/mnt/my-usb-key"   # The USB stick mounting point
    LUKS_KEY_FILE="awesome.key"   # The name of your keyfile on the USB stick
    # Search for the USB stick with the key: try to mount every block device
    # known by UUID and look for the keyfile on it
    for device in $(ls /dev/disk/by-uuid/*); do
        mount $device $USB_MOUNT 2>/dev/null
        if [ -f "$USB_MOUNT/$LUKS_KEY_FILE" ]; then
            # Unlock the LUKS partition and stop searching on success
            cryptsetup luksOpen /dev/sda3 cryptroot \
                --key-file "$USB_MOUNT/$LUKS_KEY_FILE" && exit 0
        fi
        umount $USB_MOUNT
    done
    # This message never appears, despite the key not having been found on the USB stick
    echo "No USB key found, falling back to password prompt."
    echo "usb-unlock script ending." > /dev/kmsg
3. I added usb-unlock to the features in mkinitfs.conf:
    mytestalpine:~# cat /etc/mkinitfs/mkinitfs.conf
    features="ata base ide scsi usb virtio ext4 cryptsetup keymap usb-unlock"
4. I ran mkinitfs to rebuild the initramfs, then rebooted to test the implementation, which was unsuccessful.
What am I missing / doing wrong?
Thank you for your help!
I think you may want to use
for device in /dev/disk/by-uuid/*
That doesn't explain why you aren't seeing messages.
I see there is a shebang at the start of the script. Can you confirm that the script has the executable bit set for the root user?
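As an added example, not code from the original post or its reply: the same search loop rewritten the way the reply suggests (a bare glob instead of `$(ls ...)`), mounting each candidate read-only with nodev/nosuid/noexec and returning a status so the caller can fall back to the password prompt. The device node /dev/sda3, the mapper name cryptroot and the paths are carried over from the question; the command variables (MOUNT, UMOUNT, CRYPTSETUP) are an addition so the loop can be exercised outside an initramfs.

```shell
#!/bin/sh
# Added example (not from the original post): the USB-keyfile search loop
# written with a bare glob, as the reply suggests, plus a read-only mount and
# a clean fallback. Device node, mapper name and paths are assumptions.
USB_MOUNT="${USB_MOUNT:-/mnt/my-usb-key}"       # where the stick is mounted
LUKS_KEY_FILE="${LUKS_KEY_FILE:-awesome.key}"   # keyfile name on the stick
LUKS_DEVICE="${LUKS_DEVICE:-/dev/sda3}"         # assumed LUKS container
MAPPER_NAME="${MAPPER_NAME:-cryptroot}"         # assumed device-mapper name
# Commands are variables so they can be swapped for stubs outside an initramfs.
MOUNT="${MOUNT:-mount}"; UMOUNT="${UMOUNT:-umount}"; CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Write to the kernel log when possible (root in the initramfs), else to stderr.
log() {
    if [ -w /dev/kmsg ]; then echo "usb-unlock: $*" > /dev/kmsg
    else echo "usb-unlock: $*" >&2; fi
}

# try_unlock DEVICE...: mount each candidate read-only, look for the keyfile
# and unlock on the first one cryptsetup accepts. 0 = unlocked, 1 = no key.
try_unlock() {
    mkdir -p "$USB_MOUNT"
    for device in "$@"; do
        [ -e "$device" ] || continue   # an unmatched glob stays literal; skip it
        # The stick only needs to be readable: ro,nodev,nosuid,noexec.
        "$MOUNT" -o ro,nodev,nosuid,noexec "$device" "$USB_MOUNT" 2>/dev/null || continue
        if [ -f "$USB_MOUNT/$LUKS_KEY_FILE" ]; then
            if "$CRYPTSETUP" luksOpen "$LUKS_DEVICE" "$MAPPER_NAME" \
                    --key-file "$USB_MOUNT/$LUKS_KEY_FILE"; then
                "$UMOUNT" "$USB_MOUNT"     # the key is not needed once the slot is open
                log "unlocked $LUKS_DEVICE with key from $device"
                return 0
            fi
            log "keyfile on $device rejected by cryptsetup"
        fi
        "$UMOUNT" "$USB_MOUNT"
    done
    log "no USB key found, falling back to password prompt"
    return 1
}

# Bare glob: each path is one argument; nothing is word-split as with $(ls ...).
main() { try_unlock /dev/disk/by-uuid/*; }

# Run only when invoked as the script itself, not when sourced for testing.
case "${0##*/}" in usb-unlock.sh) main ;; esac
```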