Auto Decrypt Encrypted SD Card on Boot for L5

The L5 has only about 30G of memory. I want to extend it with an SD card. However, I want the SD card to be encrypted (luks container). To this end, I inserted an SD card and encrypted it:

cryptsetup luksFormat /dev/sda

Then, I copied the /etc/crypttab entry for crypt_root to another line, changed the name to crypt_sd, updated the UUID, and added nofail to the options.

/etc/crypttab contents:
crypt_root UUID=[root uuid here] none luks,discard,keyscript=/usr/share/initramfs-tools/scripts/osk-sdl-keyscript,initramfs
crypt_sd UUID=[sd uuid here] none nofail,luks,discard,keyscript=/usr/share/initramfs-tools/scripts/osk-sdl-keyscript,initramfs

At boot, I get a screen to put in my passphrase for the root partition. I put this in, and then I am presented with ANOTHER password screen, but only for about 0.2 seconds. This screen goes away and I get some tty-esque text output which is asking for a passphrase for about 1 second before it boots normally.

It seems like it decrypts root normally, but doesn’t give me enough time to type the passphrase for the sd card. Then, it boots normally ignoring the failed decrypt.

Has anyone gotten encrypted SD cards to open at boot? If so, how did you do it? Is there something wrong with my crypttab entry above?

Thanks,
Zacchaeus


These are some old notes from when I wanted the same. Dated 2017. I think they still apply:
Reference:


My reduced version:
–Create key (the key directory must exist and be readable only by root; dd writes 8 x 512 = 4096 random bytes)
sudo dd if=/dev/urandom of=/etc/luks-keys/disk_secret_key bs=512 count=8
–Add key to luks device (you will need to know a passphrase of the device)
sudo cryptsetup -v luksAddKey /dev/sdb1 /etc/luks-keys/disk_secret_key
–Admire your work (optional; shows the key slots now in use)
sudo cryptsetup luksDump /dev/sdb1
–Test (optional)
sudo cryptsetup -v luksOpen /dev/sdb1 sdb1_crypt --key-file=/etc/luks-keys/disk_secret_key
sudo cryptsetup -v luksClose sdb1_crypt
–Add to /etc/crypttab (replace the UUID with your own, from blkid)
sdb1_crypt UUID=2a2375bf-2262-413c-a6a8-fbeb14659c85 /etc/luks-keys/disk_secret_key luks
–Add to /etc/fstab (mount point is the one from my notes; use your own)
/dev/mapper/sdb1_crypt /media/gerhard/Daten ext4 defaults 0 2

Hmm. I don’t like the idea of having a key hanging around on disk, but maybe it is fine since my root is encrypted? I would rather enter a passphrase at boot like with the root drive, but I suppose this will do. Thanks!


Help, please :pray:
I did it in the terminal but I receive an error message: file or directory not existent!

How can I solve it?
Thank you

PS: it’s crazy, for me, to type this message on my iPhone, because when I tried to write it on my L5 I wasn’t able to do it :sweat_smile::worried:

You need to create the directory to write the key to. You could put your key anywhere, but in the example, it is being written to /etc/luks-keys/, so you should make that:

sudo mkdir /etc/luks-keys

Make sure only root can look inside!

sudo chown root /etc/luks-keys
sudo chmod 700 /etc/luks-keys

Thank you!! :pray:
Please, I’m trying this step:
“–Add to /etc/crypttab”
But when I type: sudo gedit /etc/crypttab
Terminal replies:
Gtk-WARNING … cannot open display: :0
How can I add my “sdb1_crypt UUID=2a2375bf-2262-413c-a6a8-fbeb14659c85 /etc/luks-keys/disk_secret_key luks” to crypttab?
I don’t know the vim commands :sweat_smile:
Could you, please, type the command here?
Thank you

Use nano instead of gedit?

That will still leave you with: I don’t know the nano commands

but it is a lot more straightforward for the new user than vi.

I think you will need to replace the UUID with your actual UUID.
