diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:31:20 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:31:20 +0000 |
commit | 82ff52e0800702dee9402f8efe13dbc02e5883d2 (patch) | |
tree | 2f1704ba1a30bffc1f66bf5fb51c48431c24f6fa /debian/README.gnupg | |
parent | Adding upstream version 2:2.1.0. (diff) | |
download | cryptsetup-82ff52e0800702dee9402f8efe13dbc02e5883d2.tar.xz cryptsetup-82ff52e0800702dee9402f8efe13dbc02e5883d2.zip |
Adding debian version 2:2.1.0-5+deb10u2.debian/2%2.1.0-5+deb10u2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/README.gnupg')
-rw-r--r-- | debian/README.gnupg | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/debian/README.gnupg b/debian/README.gnupg new file mode 100644 index 0000000..837d151 --- /dev/null +++ b/debian/README.gnupg @@ -0,0 +1,42 @@ +Using GnuPG keys for LUKS dm-crypt devices in Debian +==================================================== + +The Debian cryptsetup package provides the keyscript `decrypt_gnupg` for +setups with a GnuPG encrypted LUKS keyfile. + +The following example assumes that you store the encrypted keyfile in +`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/<luks_device>`. + +First, you'll have to create the encrypted keyfile: + + dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \ + --no-default-keyring --keyring /dev/null --secret-keyring /dev/null \ + --trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg + +Next the LUKS device needs to be formated with the key. For that, the +`decrypt_gnupg` keyscript can be used: + + /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \ + cryptsetup --key-file=- luksFormat /dev/<luks_device> + +In order to unlock the encrypted LUKS device automatically during boot process, +add the following to `/etc/crypttab`: + + cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,discard,keyscript=decrypt_gnupg + + +Decrypting the keyfile at initramfs stage +----------------------------------------- + +If the device is to be unlocked at initramfs stage (such as for the root FS or +the resume device), the provided initramfs hooks should do all additionally +required work for you when the initramfs is created or updated. + +Be warned though, that for such devices the GnuPG encrypted key is copied to +the initramfs by the initramfs cryptgnupg hook. If you don't want this, you +should take a look at the initramfs cryptgnupg hook, which is located at +`/usr/share/initramfs-tools/hooks/cryptgnupg`. + + -- Jonas Meurer <jonas@freesources.org> Thu, 04 Mar 2010 17:31:40 +0100 + + -- Guilhem Moulin <guilhem@guilhem.org> Sat, 17 Sep 2016 16:14:41 +0200 |