LUKS auto unlock via keyfile from a network device

  • Hi,

    for theft protection I want to lock my data drive with LUKS.
    As my server has a duty cycle of only 1/24 it is only started, when I need access to it.
    Also other persons in my family will start the server.
    So I need an auto-unlock function but I don't want to store the keyfile on the server itself.
    This will be some kind of "two-factor-auth".
    The keyfile can reside on my OpenWRT Router where it can be accessed by wget, cifs, ftp or nfs.

    I searched a couple of hours but didn't find any solution for this common problem. ?(

    Do you have any suggestions?

  • Hi,

    three likes, but unfortunately that doesn't solve the problem.

    Where could I place an "unlock-script"?

    • The network functionalities should be "up"
    • The data-drive should be mounted (this could perhaps also be done manually)
    • The services depending on that drive (smb, MySQL etc.) should not yet be started

    What happens, if the drive is locked when the services are started?
    Will they recover, when the drive is unlocked later?

    Any help appreciated

  • Hi Enra...
    This is the solution I adopted to solve the problem you asked about in your first post.
    I'm not sure this can be a solution for you, but it can be a good starting point.

    Please note that there are several security problems and whoever uses it should understand the limits of the solution.

    If someone would like to improve the script or the overall solution... they're welcome!


  • Hi Fax,

    in the meantime I came to a similar solution.
    But I must admit that your script is much more sophisticated than mine. :thumbup:

    Two notes:

    As my LEDE router redirects to https, I use this wget command to pull and store the keyfile as /run/keyfile:
    wget --no-check-certificate -P /run -t 10

    My init-script uses
    # Required-Start: $network

    For the services depending on the data disc, like MySQL, I had
    # Required-Start: $luks-unlock

    in the /etc/init.d/mysql script.

    But that was not sufficient. MySQL did not come up because the disc was not yet ready.
    I tried several start-points but I did not find the right runorder.
    So I "reload" these services in /etc/rc.local with 10s delay:

    sleep 10
    /etc/init.d/mysql start

    Thanks for your work.
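
The procedure the thread converges on (fetch the keyfile from the router once the network is up, open the LUKS volume, then start the services that need it) as an added example; this is not Fax's or Enra's script and every name in it (router URL, CA file, device, mapper name, mount point, paths under /etc and /run) is an assumption to adjust. Three points it handles that the posted commands do not: the router's certificate is pinned with --ca-certificate instead of --no-check-certificate, because with verification off any host on the LAN that answers for the router's address can relay the request and read the key in transit; the fetched file is sanity-checked (the router's https redirect or login page is HTML, not a key) and optionally compared against a local SHA-256, which reveals nothing about the key itself; and the key only ever lives on tmpfs under /run with mode 0400 and is wiped as soon as cryptsetup has consumed it, whether or not the open succeeded. For the ordering problem, the script carries an LSB header: other init scripts depend on it by its Provides name, written as `# Required-Start: luks-netunlock` without a dollar sign, since `$`-prefixed names are the system facilities defined in /etc/insserv.conf ($network, $remote_fs, ...), not other scripts. Note that `$network` only guarantees the networking scripts have run, not that the link is up, hence the retries. Fetching the key from the router raises the bar against the server being carried off alone; it does not help if the router goes with it, and anyone who can boot the box on that LAN still gets the volume opened.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          luks-netunlock
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: unlock the LUKS data volume with a keyfile fetched from the router
### END INIT INFO
#
# Added example for this thread, not the scripts posted by Fax or Enra.
# All names below are assumptions: adjust URL, CA file, device, mapper, mount point.
# Services needing the volume put "# Required-Start: luks-netunlock" in their header.
set -eu
umask 077   # anything we create (the keyfile above all) is owner-only

KEY_URL="${KEY_URL:-https://192.168.1.1/luks/data.key}"          # assumed router URL
ROUTER_CA="${ROUTER_CA:-/etc/luks-netunlock/router-ca.pem}"     # assumed: router's own cert/CA
KEY_FILE="${KEY_FILE:-/run/luks-netunlock/data.key}"            # /run is tmpfs: never on disk
KEY_SUM="${KEY_SUM:-/etc/luks-netunlock/data.key.sha256}"       # optional local sha256 of the key
LUKS_DEV="${LUKS_DEV:-/dev/disk/by-uuid/REPLACE-WITH-UUID}"     # assumed data partition
MAPPER="${MAPPER:-data}"
MOUNTPOINT="${MOUNTPOINT:-/srv/data}"

# Download the key over TLS with the router's certificate pinned.  $network only
# means the network scripts ran, so retry with a short timeout while the link comes up.
fetch_keyfile() {
    url=$1; dest=$2
    mkdir -p "$(dirname "$dest")"
    if ! wget -q -t 10 -T 5 --waitretry=2 --ca-certificate="$ROUTER_CA" -O "$dest" "$url"; then
        rm -f "$dest"          # wget -O leaves an empty file behind on failure
        echo "luks-netunlock: could not fetch keyfile from $url" >&2
        return 1
    fi
    chmod 0400 "$dest"
}

# Reject what is obviously not a key (empty, or the router's HTML redirect/login page),
# and if a sha256 of the keyfile is kept locally, require a match.
verify_keyfile() {
    f=$1; sumfile=${2:-}
    [ -s "$f" ] || { echo "luks-netunlock: keyfile empty or missing" >&2; return 1; }
    case "$(head -c 1 "$f")" in
        '<') echo "luks-netunlock: keyfile looks like HTML, not a key" >&2; return 1 ;;
    esac
    if [ -n "$sumfile" ] && [ -r "$sumfile" ]; then
        expected=$(cut -d' ' -f1 "$sumfile")
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$expected" = "$actual" ] || { echo "luks-netunlock: keyfile hash mismatch" >&2; return 1; }
    fi
}

# Overwrite, then unlink.  /run is RAM-backed, so this mainly keeps the key out of
# anything that later captures /run (core dumps, backups, a curious user).
wipe_keyfile() {
    f=$1
    [ -f "$f" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"
    else
        size=$(wc -c < "$f" | tr -d ' ')
        dd if=/dev/urandom of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null
        rm -f "$f"
    fi
}

unlock_and_mount() {
    cryptsetup open --type luks --key-file "$KEY_FILE" "$LUKS_DEV" "$MAPPER"
    mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

lock_and_unmount() {
    umount "$MOUNTPOINT"
    cryptsetup close "$MAPPER"
}

start() {
    trap 'wipe_keyfile "$KEY_FILE"' EXIT   # key leaves RAM even if the open fails
    fetch_keyfile "$KEY_URL" "$KEY_FILE"
    verify_keyfile "$KEY_FILE" "$KEY_SUM"
    unlock_and_mount
}

case "${1:-}" in
    start) start ;;
    stop)  lock_and_unmount ;;
    *)     : ;;   # no argument: only define the functions (sourcing, tests)
esac
```

Install it as /etc/init.d/luks-netunlock, add `# Required-Start: luks-netunlock` to the header of /etc/init.d/mysql (and smb), and re-run insserv or update-rc.d so the rc link order is regenerated; MySQL is then started only after this script has returned, which replaces the `sleep 10` in /etc/rc.local. If the router is down the script fails, the key is wiped, and the dependent services do not start, which is the intended behaviour rather than services coming up against a locked disc.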
