Home/ Questions/Q 6888169
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T05:58:36+00:00

I’m going to encrypt my harddrive using LUKS with Arch Linux; normally you use

  • 0

I’m going to encrypt my harddrive using LUKS with Arch Linux; normally you use either a keyfile or a passphrase to unlock encrypted volumes, however I want to require both. 

# If keyfile exists, try to use that
if [ -f ${ckeyfile} ]; then
    if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
        dopassphrase=0
    else
        echo "Invalid keyfile. Reverting to passphrase."
    fi
fi
# Ask for a passphrase
if [ ${dopassphrase} -gt 0 ]; then
    echo ""
    echo "A password is required to access the ${cryptname} volume:"

    #loop until we get a real password
    while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
        sleep 2;
        done
    fi
    if [ -e "/dev/mapper/${cryptname}" ]; then
        if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
            export root="/dev/mapper/root"
        fi
    else
        err "Password succeeded, but ${cryptname} creation failed, aborting..."
        exit 1
    fi

The code above handles the decryption of a volume, as you can see it checks if the keyfile is valid and reverts to passphrase if it isn’t. My idea to get around this is to take a keyfile and a passphrase, add the values of those together and create a new keyfile which opens the volume. The problem is that I don’t know where to save the file, I was thinking of saving it in RAM but I don’t know if that’s possible with bash. 

if  poll_device "${cryptdev}" ${rootdelay}; then
    if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
        [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
        if [ -f ${ckeyfile} ]; then
            bool=true
            while $bool; then
                echo "Enter passphrase: "
                read passphrase
                tmpkey="tmpkeyfile"
                cp ${ckeyfile} ${tmpkey} #Create a temporary keyfile
                echo passphrase >> ${tmpkey} #Add the passphrase to the keyfile
                if eval /sbin/cryptsetup --key-file ${tmpkey} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                    bool=false

The code above is what I had in mind, I haven’t tried the code as I haven’t had the opportunity to, but I don’t think it’s safe enough to just save the temporary keyfile on the harddrive.
I don’t know bash very well, so there might be some errors here and there. But I just wanted to show my idea of how to solve the problem, maybe anyone can help me actually get it working.
Is it possible to store the keyfile in RAM, or are there any other alternatives?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think what you might be looking for is shm / shmfs, or otherwise known as tmpfs.

    Here are a couple of links that talk about using shm / tmpfs and how to mount it and secure it

    http://www.cyberciti.biz/tips/what-is-devshm-and-its-practical-usage.html

    https://wiki.archlinux.org/index.php//dev/shm

    Seems pretty straight forwards to create yourself a small partition and use it. If your script is going to create the mount on the fly it will need to run as root.

    • 0