Back in the good ol' days of floppy drives, I used to install grub onto one. I would use it like a key to my computer and take it out if I did not want anyone using my computer when I was not around. Today, we use LUKS encryption to keep unwanted users out. Once grub became too big to fit on floppy drives (and floppy drives became extinct) I still wanted the physical functionality of removing a part that prevents others from using my desktop/laptop. Sure, I could remove the hard drive every time I was done with the computer, but this would become tedious and I want something quick and easy.
I recently stumbled across mkinitramfs-ll, which allowed passing in a LUKS keyfile in the initrd. I attempted to use this for Fedora, but did not get very far. I then discovered that dracut (Fedora's initrd maker) already includes support for passing in a LUKS keyfile as an argument. At this point, I raced to get one of my legacy 256 MB flash drives and made a fully functional "key" to operate my laptop.
The main points to get it working were simple:
- Have a LUKS-encrypted root file system
- Generate a keyfile to use
- Format a flash drive with a label
- Add the keyfile to the encrypted filesystem and flash drive
- Configure dracut and run it
- Configure grub and regenerate its config
Generate a keyfile to use:
Keyfiles can be anything. Some use a gpg key, but I found it as easy and beneficial just to run:
sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
This produces 4 KiB of random data. Whatever you use, keep the file readable by root only (mode 0400): anyone who can read the keyfile can unlock the volume, so its permissions matter as much as its contents.
Format a flash drive with a label:
As I mentioned before, I already had a worthless flash drive handy. Since this flash drive is essentially the key to my computer, I do not want to risk plugging it into another computer and getting the key stolen or corrupted. It will have to become solely used for the purpose of unlocking my system. Creating the flash drive is the same as any other drive with ext4 (confirm with lsblk that /dev/sdb1 really is the flash drive first; mkfs wipes whatever is on it):
mkfs.ext4 -L SECURIKEY /dev/sdb1
Add the keyfile to the encrypted filesystem and flash drive:
sudo mount /dev/sdb1 /mnt
sudo cp /root/keyfile /mnt/keyfile
sudo cryptsetup -v luksAddKey /dev/mapper/fedora-00 /mnt/keyfile
luksAddKey asks for an existing passphrase before it writes the keyfile into a free key slot. Substitute the device that carries your LUKS header for /dev/mapper/fedora-00; the keyfile unlocks the same container the passphrase does, so it goes into that container's header, not into the filesystem on top of it.
dracut needs to load two modules (crypt and lvm) in order for us to pass in the keyfile. Additionally, systemd has an issue with keyfiles at the time of writing this, so we will have to omit it. Both of these settings can be permanently set by running sudo vim /etc/dracut.conf.d/00-keyfile.conf and inserting the contents below. The += form appends to whatever other drop-in files have set, and dracut expects the module names inside the quotes to be surrounded by spaces so that lists from several files do not run together:
# dracut modules to omit
omit_dracutmodules+=" systemd "
# dracut modules to add to the default
add_dracutmodules+=" crypt lvm "
Configuring grub:
Open up /etc/default/grub and append rd.luks.key=/keyfile:LABEL=SECURIKEY inside the quotes of GRUB_CMDLINE_LINUX. Mine looks like the following:
GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/00 rd.luks.uuid=luks-fad7c380-bc0c-4680-917e-1e80eb244476 rhgb quiet rd.luks.key=/keyfile:LABEL=SECURIKEY"
grub can then be regenerated by running sudo grub2-mkconfig -o /boot/grub2/grub.cfg. After grub has been regenerated, we can then regenerate our initrd by issuing dracut --force (this rebuilds the initrd for the running kernel only; other installed kernels keep their old initrd until they are regenerated too). Everything is then all set and ready to go! If the keyfile is not present, you will be prompted to enter your encryption passphrase upon next boot to unlock the root filesystem. I would advise leaving the passphrase in its key slot, as you would be unable to access your files if the flash drive was ever lost or picked up by one of your kids and thrown in the toilet.
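The whole procedure above, from keyfile generation to the grub and dracut configuration, collected into one POSIX shell script. This is an added example and not the post's own script; the function names, the use of a temporary mount point instead of /mnt, and the idempotent edit of /etc/default/grub are my choices. The keyfile, grub-file and dracut-config helpers are pure file operations and can be exercised on copies without root; only install_key_drive touches real devices, and it runs only when the script is invoked with the literal argument "install".

```shell
#!/bin/sh
# Added example: provision a LUKS keyfile on a labelled flash drive for dracut.
# Assumes a Fedora-style system with cryptsetup, dracut and grub2-mkconfig.
LABEL=SECURIKEY            # volume label referenced by rd.luks.key=...:LABEL=
KEYFILE_ARG="rd.luks.key=/keyfile:LABEL=$LABEL"

# Write 4 KiB of random bytes to $1, readable by the owner only (mode 0400).
make_keyfile() {
  out=$1
  ( umask 077 && dd if=/dev/urandom of="$out" bs=1024 count=4 2>/dev/null ) || return 1
  chmod 0400 "$out"
}

# Sanity-check a keyfile: it must exist, be exactly 4096 bytes and be mode 0400.
check_keyfile() {
  f=$1
  [ -f "$f" ] || return 1
  [ "$(wc -c < "$f")" -eq 4096 ] || return 1
  [ "$(stat -c %a "$f")" = "400" ] || return 1   # GNU/busybox stat on Linux
}

# Write the dracut drop-in (normally /etc/dracut.conf.d/00-keyfile.conf).
# Module lists are padded with spaces so += from several files stays well-formed.
write_dracut_conf() {
  printf '%s\n' \
    '# dracut modules to omit' \
    'omit_dracutmodules+=" systemd "' \
    '# dracut modules to add to the default' \
    'add_dracutmodules+=" crypt lvm "' > "$1"
}

# Append $2 inside the quotes of GRUB_CMDLINE_LINUX in file $1, once only.
append_kernel_arg() {
  file=$1; arg=$2
  if grep -Fq -- "$arg" "$file"; then return 0; fi       # already present
  # Re-emit the line with the argument inserted before the closing quote.
  sed -i "s|^\(GRUB_CMDLINE_LINUX=\".*\)\"[[:space:]]*\$|\1 $arg\"|" "$file"
}

# Print the current value of GRUB_CMDLINE_LINUX from file $1 (for checks).
grub_cmdline() {
  sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# Privileged part: $1 = flash-drive partition (e.g. /dev/sdb1),
# $2 = device carrying the LUKS header, $3 = keyfile produced by make_keyfile.
install_key_drive() {
  part=$1; luksdev=$2; key=$3
  [ "$(id -u)" -eq 0 ] || { echo "install_key_drive must run as root" >&2; return 1; }
  check_keyfile "$key" || { echo "bad keyfile: $key" >&2; return 1; }
  mkfs.ext4 -L "$LABEL" "$part"               # destroys whatever is on $part
  mnt=$(mktemp -d)
  mount "$part" "$mnt"
  cp "$key" "$mnt/keyfile" && chmod 0400 "$mnt/keyfile"
  cryptsetup -v luksAddKey "$luksdev" "$mnt/keyfile"   # prompts for an existing passphrase
  umount "$mnt" && rmdir "$mnt"
  write_dracut_conf /etc/dracut.conf.d/00-keyfile.conf
  append_kernel_arg /etc/default/grub "$KEYFILE_ARG"
  grub2-mkconfig -o /boot/grub2/grub.cfg
  dracut --force                              # initrd for the running kernel only
}

# Usage: sh keydrive.sh install /dev/sdb1 /dev/sdXN /root/keyfile
case "${1:-}" in
  install) install_key_drive "$2" "$3" "$4" ;;
esac
```

Without the "install" argument the script only defines the functions, so it can be sourced and each step run by hand on copies of /etc/default/grub first; append_kernel_arg refuses to add the argument a second time, which keeps repeated runs from growing the kernel command line.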