I want to set up a headless Linux (Debian Wheezy) PC with whole disk encryption, with the ability to unlock the disk either with a USB drive, or by entering a passphrase by keyb
Here is a solution similar to the one by Andrew, but using CRYPTTAB_TRIED, described in the Debian crypttab man page, to distinguish tries, and calling the existing standard keyscript /lib/cryptsetup/scripts/passdev on the first try.
Create your keyfile or keypartition as usual for the passdev script.
Create the following file /usr/local/bin/key-from-usb and make it executable.
#!/bin/sh
# Keyscript for /etc/crypttab: cryptsetup runs it once per unlock attempt and
# exports CRYPTTAB_TRIED (failed attempts so far), CRYPTTAB_KEY,
# CRYPTTAB_SOURCE and CRYPTTAB_NAME. The key material goes to stdout.
set -e
if [ "${CRYPTTAB_TRIED:-0}" -ge 1 ]; then
    # The USB key did not work (or was absent): fall back to a typed passphrase.
    /lib/cryptsetup/askpass "Second try to unlock $CRYPTTAB_SOURCE ($CRYPTTAB_NAME). Please enter passphrase: "
else
    # First try: let the standard passdev keyscript read the key from the
    # device:path[:timeout] given in the crypttab key field.
    /lib/cryptsetup/scripts/passdev "$CRYPTTAB_KEY"
fi
In /etc/crypttab use the parameter keyscript=/usr/local/bin/key-from-usb.
Create /etc/initramfs-tools/hooks/key-from-usb with this content:
#!/bin/sh
# initramfs-tools hook: puts the keyscript, passdev and the vfat module into
# the initramfs so the USB key can be read at boot.
PREREQ=""
prereqs() {
    echo "$PREREQ"
}
case "$1" in
prereqs)
    prereqs
    exit 0
    ;;
esac
. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
# Kernel module for a FAT-formatted USB key.
manual_add_modules vfat
# Same path the keyscript calls; the cryptsetup hook only copies passdev when
# crypttab names it directly.
copy_exec /lib/cryptsetup/scripts/passdev /lib/cryptsetup/scripts/passdev
copy_exec /usr/local/bin/key-from-usb /usr/local/bin/key-from-usb
The first copy_exec line here is needed because passdev is not copied if it is not mentioned in crypttab. Similarly, manual_add_modules vfat will ensure that a vfat USB disk can still be used.
Hint: Use lsinitramfs /boot/initrd.img-... and diff/compare the results to check that the script and all its dependencies are included.
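A keyscript is awkward to debug once it only runs inside the initramfs, so the following dry-run harness, an added example that is not part of the answer above, exercises the CRYPTTAB_TRIED dispatch on a normal shell first. It writes stub passdev and askpass programs into a temporary directory (the stubs print constructed values instead of reading a USB key or prompting) and a copy of the keyscript whose helper location is overridable through CRYPTSETUP_LIB, a variable assumed here for testing and not one cryptsetup provides. The device path /dev/sda2, the mapping name sda2_crypt and the key field /dev/disk/by-label/KEYUSB:/keyfile are constructed sample values.

```shell
#!/bin/sh
# Added dry-run harness (not from the original answer): exercises a keyscript
# that dispatches on CRYPTTAB_TRIED, using stub passdev/askpass in a temp dir
# so both branches run without an initramfs, a real USB key, or a console.

# Create a sandbox with stub cryptsetup helpers and the keyscript under test.
# Prints the sandbox directory.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/lib/cryptsetup/scripts"
    # Stub passdev. The real one mounts the device named in $1
    # (device:path[:timeout]) and prints the key file; the stub echoes a
    # constructed key derived from its argument.
    cat > "$dir/lib/cryptsetup/scripts/passdev" <<'EOF'
#!/bin/sh
printf 'usb-key-for-%s' "$1"
EOF
    # Stub askpass. The real one prompts on the console; the stub prints a
    # constructed passphrase.
    cat > "$dir/lib/cryptsetup/askpass" <<'EOF'
#!/bin/sh
printf 'typed-passphrase'
EOF
    # Keyscript under test: same logic as key-from-usb, with the helper
    # location made overridable via CRYPTSETUP_LIB (a testing assumption,
    # not a cryptsetup variable) so the stubs above are used.
    cat > "$dir/key-from-usb" <<'EOF'
#!/bin/sh
set -e
LIB="${CRYPTSETUP_LIB:-/lib/cryptsetup}"
if [ "${CRYPTTAB_TRIED:-0}" -ge 1 ]; then
    "$LIB/askpass" "Second try to unlock $CRYPTTAB_SOURCE ($CRYPTTAB_NAME). Please enter passphrase: "
else
    "$LIB/scripts/passdev" "$CRYPTTAB_KEY"
fi
EOF
    chmod +x "$dir/lib/cryptsetup/scripts/passdev" \
             "$dir/lib/cryptsetup/askpass" "$dir/key-from-usb"
    printf '%s' "$dir"
}

# Run the keyscript the way cryptsetup would on one attempt: $1 is the
# sandbox, $2 the number of failed attempts so far (CRYPTTAB_TRIED).
# Prints the key material the keyscript would hand to cryptsetup.
run_attempt() {
    sandbox=$1
    tried=$2
    CRYPTSETUP_LIB="$sandbox/lib/cryptsetup" \
    CRYPTTAB_TRIED="$tried" \
    CRYPTTAB_NAME=sda2_crypt \
    CRYPTTAB_SOURCE=/dev/sda2 \
    CRYPTTAB_KEY=/dev/disk/by-label/KEYUSB:/keyfile \
        "$sandbox/key-from-usb"
}

# Usage: sh key-from-usb-dryrun.sh demo
case "${1:-}" in
demo)
    sb=$(make_sandbox)
    echo "attempt 0 -> $(run_attempt "$sb" 0)"
    echo "attempt 1 -> $(run_attempt "$sb" 1)"
    rm -rf "$sb"
    ;;
esac
```

Attempt 0 should yield whatever passdev produced from the key field, and every later attempt should come from askpass; if the first branch is taken again on a retry, the CRYPTTAB_TRIED comparison is wrong and the machine would loop on a missing USB key instead of offering the passphrase prompt.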