
My NixOS systems configurations.

commit 1c8c56baa2c101c40cca9cc1d62614355fd4c1c0
parent e971281bb5740904e55c5e3016b490aa8026338b
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Thu, 23 Jun 2022 16:28:39 +0200

www/vincent.demeester.fr: add an entry on luks …

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
A www/vincent.demeester.fr/content/linux/luks-key-sdcard.org | 112 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 112 insertions(+), 0 deletions(-)

diff --git a/www/vincent.demeester.fr/content/linux/luks-key-sdcard.org b/www/vincent.demeester.fr/content/linux/luks-key-sdcard.org 
@@ -0,0 +1,112 @@ +#+title: Automatically unlock an luks encrypted partiiton with an SDCard +#+subtitle: … or a USB card. +#+date: <2022-06-23 Thu> +#+filetages: #home nixos cryptsetup +#+SETUPFILE: ../../templates/2022.org + +I am booting my work laptop (NixOS on a Thinkpad) from a LUKS-encrypted volume. I also do +have another "laptop" (used as a build/server) that is LUKS-encrypted. So far, I've been +using a passphrase I type on boot. It's more than fine for my laptop, but it means it's a +bit trickier for my other machine. I need to remove from its slot below my desk, type it +and re-put it in the slot. This mean it's a bit harder to do upgrade and reboot without +any input from me. + +For convenience, I want an SD card's LUKS volume to unlock and mount when the machine +boots, rather than me needing to unlock and mount it each time. + +There is a bunch of articles about this, like [[https://possiblelossofprecision.net/?p=300][this one]]. Or slightly related [[https://kyau.net/wiki/ArchLinux:LUKS][these]] [[https://neilzone.co.uk/2021/07/auto-unlocking-a-luks-volume-on-an-sd-card-on-boot-with-debian-11-bullseye][ones]]. I +am using NixOS however, and it is actually making things relatively straightforward. The +closer article to what I was looking for is [[https://medium.com/@geis/using-a-raw-usb-device-to-unlock-a-luks-volume-on-nixos-193406ee7474][this one]] as well as the [[https://nixos.wiki/wiki/Full_Disk_Encryption][NixOS wiki entry]] on +full disk encryption. + +The idea is relatively simple : we are going to use a key file (hidden or not in a +partition) to unlock a luks encrypted — with a fallback on passphrase (in case the medium +is not there). There is 3 main steps : +- creating the key file and storing it somewhere +- add the key to a slot in the luks encrypted partition +- configuring NixOS to use it + +* Creating a keyfile and storing it + +Creating a key file is very simple. 
If we are to use a file, we can just do the following: + +#+begin_src bash +$ dd if=/dev/urandom of=hdd.key bs=4096 count=1 +#+end_src + +I have two key to generate, one for =aomi= and one for =naruhodo= + +#+begin_src bash +$ dd if=/dev/random of=naruhodo.key.bin bs=1 count=4096 +4096+0 records in +4096+0 records out +4096 bytes (4.1 kB, 4.0 KiB) copied, 0.00947718 s, 432 kB/s + +$ dd if=/dev/random of=aomi.key.bin bs=1 count=4096 +4096+0 records in +4096+0 records out +4096 bytes (4.1 kB, 4.0 KiB) copied, 0.00985101 s, 416 kB/s +#+end_src + +What we are going to do here is, to hide the key inside a sdcard or a usb stick. The idea +is to use the first or the last few blocks to hide the key. + +#+begin_src bash +# This writes the aomi key to the "head" of sda (a sdcard) +$ sudo dd if=sync/aomi.key.bin of=/dev/sda bs=1 count=4096 +# This writes the naruhodo key to the "tail" of sdb (a usb card) +# The offset has to be computed from the usb key size +$ sudo dd if=sync/naruhodo.key.bin of=/dev/sdb bs=1 count=4096 seek=30992883712 +#+end_src + +* Add the key to a slot + +This is probably the easiest step of all, this is just about running the following. + +#+begin_src bash +$ cryptsetup luksAddKey $LUKS_DEVICE $KEY +#+end_src + +The only /trick/ to it is : you have to do this "offline", a.k.a. when the partition in +locked (and thus not mounted, …). Either you do this when you are installing the operating +system (and it's straightforward), or you need to boot your laptop/desktop with a livecd +(that also then has access to the key). + +* NixOS configuration + +This is where NixOS helps greatly, we have just a few things to write, and NixOS will make +sure all is correctly setup (the initramfs, …). 
+ +#+begin_src nix +# For aomi, without offset +boot.initrd.luks.devices = { + root = { + device = "/dev/disk/by-uuid/{UUID}"; + preLVM = true; + allowDiscards = true; + keyFile = "/dev/disk/by-id/{DISKID}"; + keyFileSize = 4096; + fallbackToPassword = true; + }; +}; +# For narudoho, with offset +boot.initrd.luks.devices = { + root = { + device = "/dev/disk/by-uuid/{UUID}"; + preLVM = true; + allowDiscards = true; + keyFile = "/dev/disk/by-id/{DISKID}"; + keyFileOffset = 30992883712; + keyFileSize = 4096; + fallbackToPassword = true; + }; +}; +#+end_src + +Now, we are a =nixos-rebuild= away from being able to boot a NixOS on a encrypted file +system, without having to type the password *if we have the correct medium* inserted in +the machine. + +/Of course, this means that the "unlock" medium becomes precious and important *not to* +loose. If you go on vacation for example, you should definitely remove any of those medium +and hide them (or bring them with you)./
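Review bot: the first `dd` in the "Creating a keyfile" section writes the aomi key to bytes 0..4095 of /dev/sda, which is exactly where an MBR (first 512 bytes) or a GPT header (LBA 1) would live, so that card can no longer carry a partition table or a filesystem; the text should state that the card is dedicated to the key, or place the key past the partition table as is done for naruhodo. For the naruhodo key, `seek=30992883712` is given as a bare literal with only "has to be computed from the usb key size" and no formula; show the derivation (for example `blockdev --getsize64 /dev/sdb` minus 4096) and say explicitly that the identical value must be used for `keyFileOffset` in the Nix block, because any mismatch makes the boot quietly fall back to the passphrase prompt without explaining why. It is also worth saying in the text that the key sits in plaintext on the medium, so whoever holds both the card and the machine can unlock the volume, which is the reason behind the closing paragraph's advice. Smaller points: the title reads "an luks encrypted partiiton" (a LUKS-encrypted partition), `#+filetages` should be `#+filetags`, the Nix comment says "narudoho" where the host is called naruhodo, the first example reads /dev/urandom while the later ones read /dev/random, and the claim that `luksAddKey` must be run "offline" is not a cryptsetup requirement: it only needs an existing passphrase or key for the header and works on an open, mounted volume as well.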