USB Key Start

Back in the good ‘ole days of floppy drives, I used to install grub onto one. I would use it like a key to my computer and take it out if I did not want anyone using my computer when I was not around. Today, we use LUKS encryption to keep unwanted users out. Once grub became too big to fit on floppy drives (and floppy drives became extinct) I still wanted the physical functionality of removing a part that prevents others from using my desktop/laptop. Sure, I could remove the hard drive every time I was done with the computer, but this would become tedious and I want something quick and easy.

I recently stumbled across mkinitramfs-ll which allowed passing in a LUKS keyfile in initrd. I attempted to use this for Fedora, but did not get very far. I then discovered dracut (Fedora’s initrd maker) already includes support for passing in a LUKS keyfile as an argument. At this point, I raced to get one of my legacy 256mb flash drives and made a fully functional “key” to operate my laptop.

The main points to get it working were simple:

  • Have a crypted root file system
  • Generate a keyfile to use
  • Format a flash drive with a label
  • Add the keyfile to the crypted filesystem and flash drive
  • Configure and run dracut
  • Configure and generate grub configs

Generate a keyfile to use:
Keyfiles can be anything. Some use a gpg key, but I found it as easy and beneficial just to run: sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

Format a flash drive with a label:
As I mentioned before, I already had a worthless flash drive handy. Since this flash drive is essentially the key to my computer, I do not want to risk plugging it into another computer and getting the key stolen or corrupted. It will have to become solely used for the purpose of unlocking my system. Creating the flash drive is the same as any other drive with ext4:

mkfs.ext4 -L SECURIKEY /dev/sdb1

Add the keyfile to the crypted filesystem and flash drive.

sudo mount /dev/sdb1 /mnt
sudo cp /root/keyfile /mnt/keyfile
sudo cryptsetup -v luksAddKey /dev/mapper/fedora-00 /mnt/keyfile

Configure dracut: dracut needs to load two modules in order for us to pass in the keyfile. Additionally systemd has an issue with keyfiles at the time of writing this so we will have to omit it. Both of these settings can be permanently set by sudo vim /etc/dracut.conf.d/00-keyfile.conf and inserting the below contents.

# dracut modules to omit
omit_dracutmodules+="systemd"

# dracut modules to add to the default
add_dracutmodules+="crypt lvm"

Configuring grub: Open up /etc/default/grub and append rd.luks.key=/keyfile:LABEL=SECURIKEY inside the quotes of GRUB_CMDLINE_LINUX. Mine looks like the following:

GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/00 rd.luks.uuid=luks-fad7c380-bc0c-4680-917e-1e80eb244476 rhgb quiet rd.luks.key=/keyfile:LABEL=SECURIKEY"

grub can then be regenerated by running sudo grub2-mkconfig -o /boot/grub2/grub.cfg. After grub has been re-generated, we can then regenerate our initrd by issuing dracut --force. Everything is then all set and ready to go! If the keyfile is not present, you will be prompted to enter your encryption password upon next boot to unlock the root filesystem. I would advise leaving the password as you would be unable to access your files if the flash drive was ever lost or picked up by one of your kids and thrown in the toilet.

One comment

  1. On Fedora 26:

    “`
    # dracut -f
    dracut: systemd-initrd needs systemd in the initramfs
    dracut: systemd-networkd needs systemd in the initramfs
    dracut: dracut-systemd needs systemd-initrd in the initramfs
    “`

Comments are closed.