Back in the good 'ole days of floppy drives, I used to install onto one. I would use it like a key to my computer and take it out if I did not want anyone using my computer when I was not around. Today, we use LUKS encryption to keep unwanted users out. Once became too big to fit on floppy drives (and floppy drives became extinct) I still wanted the physical functionality of removing a part that prevents others from using my desktop/laptop. Sure, I could remove the hard drive every time I was done with the computer, but this would become tedious and I want something quick and easy.
I recently stumbled across mkinitramfs-ll, which allowed passing in a LUKS keyfile in initrd. I attempted to use this for Fedora, but did not get very far. I then discovered that dracut (Fedora's initrd maker) already includes support for passing in a LUKS keyfile as an argument. At this point, I raced to get one of my legacy 256 MB flash drives and made a fully functional "key" to operate my laptop.
The main points to get it working were simple:
- Have a crypted root file system
- Generate a keyfile to use
- Format a flash drive with a label
- Add the keyfile to the crypted filesystem and flash drive
- Configure and run dracut
- Configure and generate grub.cfg
Generate a keyfile to use:
Keyfiles can be anything. Some use a gpg key, but I found it as easy and beneficial just to run:
sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
Format a flash drive with a label:
As I mentioned before, I already had a worthless flash drive handy. Since this flash drive is essentially the key to my computer, I do not want to risk plugging it into another computer and getting the key stolen or corrupted. It will have to be used solely for the purpose of unlocking my system. Creating the flash drive is the same as any other drive with ext4:
sudo mkfs.ext4 -L SECURIKEY /dev/sdb1
Add the keyfile to the crypted filesystem and flash drive:
sudo mount /dev/sdb1 /mnt
sudo cp /root/keyfile /mnt/keyfile
sudo cryptsetup -v luksAddKey /dev/mapper/fedora-00 /mnt/keyfile
Configure and run dracut:
dracut needs to load two modules in order for us to pass in the keyfile. Additionally, systemd has an issue with keyfiles at the time of writing this, so we will have to omit it. Both of these settings can be permanently set by running
sudo vim /etc/dracut.conf.d/00-keyfile.conf
and inserting the below contents.
# dracut modules to omit
# dracut modules to add to the default
Configure and generate grub.cfg:
Add rd.luks.key=/keyfile:LABEL=SECURIKEY inside the quotes of GRUB_CMDLINE_LINUX. Mine looks like the following:
GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/00 rd.luks.uuid=luks-fad7c380-bc0c-4680-917e-1e80eb244476 rhgb quiet rd.luks.key=/keyfile:LABEL=SECURIKEY"
grub.cfg can then be regenerated by running
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Once grub.cfg has been regenerated, we can then regenerate our initrd with dracut. Everything is then all set and ready to go! If the keyfile is not present, you will be prompted to enter your encryption password upon next boot to unlock the root filesystem. I would advise keeping the password, as you would otherwise be unable to access your files if the flash drive was ever lost or picked up by one of your kids and thrown in the toilet.
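As an added example (not part of the original post), the shell helpers below build the rd.luks.key argument, add it to GRUB_CMDLINE_LINUX without duplicating it on repeated runs, and check that the keyfile on the mounted drive actually unlocks the container before you reboot. They assume the post's values (/keyfile on the drive, label SECURIKEY, LUKS device /dev/mapper/fedora-00) and operate on a copy of the grub defaults file that you pass in.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's layout:
# keyfile at /keyfile on a drive labelled SECURIKEY, LUKS device
# /dev/mapper/fedora-00. Nothing here runs at load time.

# Build the dracut argument rd.luks.key=<path-on-drive>:LABEL=<label>.
# A label with spaces or shell/URL-ish characters would be mis-parsed on
# the kernel command line, so only [A-Za-z0-9_-] is accepted.
build_luks_key_arg() {
    _path="$1"; _label="$2"
    case "$_label" in
        *[!A-Za-z0-9_-]*|'') return 1 ;;
    esac
    printf 'rd.luks.key=%s:LABEL=%s\n' "$_path" "$_label"
}

# Append the argument inside the quotes of GRUB_CMDLINE_LINUX in the given
# file (a copy of the grub defaults file), unless it is already there, so
# re-running the setup never produces a duplicated argument.
add_key_arg_to_grub() {
    _file="$1"; _arg="$2"
    if grep -qF -- "$_arg" "$_file"; then
        return 0  # already configured, nothing to do
    fi
    sed "s|^\(GRUB_CMDLINE_LINUX=\".*\)\"|\1 $_arg\"|" "$_file" > "$_file.tmp" \
        && mv "$_file.tmp" "$_file"
}

# Before rebooting, prove the key on the mounted drive unlocks the LUKS
# container without activating it. A bad copy here means, at best, a
# password prompt on the next boot; at worst a key slot you cannot use.
verify_keyfile_unlocks() {
    _dev="$1"; _key="$2"
    sudo cryptsetup open --test-passphrase --key-file "$_key" "$_dev"
}

# Typical use (not executed here):
#   arg=$(build_luks_key_arg /keyfile SECURIKEY)
#   sudo cp /etc/default/grub /tmp/grub.new && add_key_arg_to_grub /tmp/grub.new "$arg"
#   verify_keyfile_unlocks /dev/mapper/fedora-00 /mnt/keyfile
```

If the drive is ever lost, the key slot it occupied should be removed from the LUKS header (cryptsetup luksKillSlot takes the device and slot number), since the keyfile itself is no longer available to luksRemoveKey.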