crypttab + passwords?

Asked by tmerriam

How do I get crypttab to automatically unlock a volume on boot? I was doing this in Slackware no problem, but the crypttab in Ubuntu isn't behaving the same way.....

Basically, I have a line in /etc/crypttab to decrypt the luks volume and a line in /etc/fstab to mount the volume.

in crypttab:
crypto UUID=1234...... password luks

in fstab:
UUID=98765..... /mnt/crypto ext3 relatime 0 2 # same options as the volumes Ubuntu made on install

I can decrypt and mount the partition fine, so I know my password is good. I used 'sudo blkid' to determine the uuid and then copy/pasted them into the files, so I'm confident there isn't a typo like that. Also, I realize the uuid is not supposed to be the same in both files; the uuid in crypttab is the uuid of the partition with the luks volume on it (sdc1), and the uuid in fstab belongs to the ext3 filesystem inside (/dev/mapper/crypto). I also tried putting my password in a keyfile and then putting the path to it in place of the password in crypttab, but that didn't work either.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: tmerriam

A. Denton (aquina) said :
#1

I think the point is not to "automatically unlock a volume on boot", but to automatically mount a volume on boot?

With "pam_mount" you can have filesystems mounted and unmounted automatically at login and logout times. If you use a single password for login and to unlock an encrypted filesystem volume, you can set up the system so you only have to type your password once and have your personal documents protected by encryption when you are not logged in.

But it's stupid to write it down somewhere. ;-)

[L] https://help.ubuntu.com/community/AutomaticallyMountPartitions

tmerriam (tmerriam87) said :
#2

crypttab's purpose is to automatically unlock a volume, fstab mounts it. The problem is I can't configure crypttab. I can't use a single password for everything because not everything is in the same LVM group. This second volume I'm trying to mount is a separate partition. Also, the XTS cipher is theoretically vulnerable when encrypting more than 1TB, so I need to set up a different LUKS with a different key. I suppose I could use the same password, but that setup is actually more complicated than this. Frankly, I don't want to deal with that kind of setup if the simple setup won't work. I realize there is a risk in storing the password plaintext, but I consider that secure enough; the volume containing the crypttab file is itself in a LUKS volume. Only root can read it.

A. Denton (aquina) said :
#3

I think I understand your problem, but I abandoned LVM a long time ago with my RHEL and Fedora because of its complexity and its error-proneness. I think you'd better ask on IRC in #ubuntu or #xubuntu or on the mailing list regarding that issue.

Sorry for not being able to help you! :-(

tmerriam (tmerriam87) said :
#4

Thanks anyway, but I figured this out. I added a random keyfile to the luks volume and gave the path to that in place of the password in crypttab.
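
The fix from reply #4, written out as an added example that is not part of the thread: on Debian and Ubuntu the third crypttab field is a key file path (or "none" to prompt at boot), not a literal passphrase. The function names, the scratch directory and the UUID placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, names and the UUID are placeholders.

# Create a 4096-byte random key file readable only by its owner.
make_keyfile() {            # $1 = key file path
    ( umask 077 && head -c 4096 /dev/urandom > "$1" ) && chmod 0400 "$1"
}

# Enrol the key file in a free LUKS key slot. Needs root and prompts for an
# existing passphrase, so it is defined here but not called.
enroll_keyfile() {          # $1 = LUKS partition (e.g. /dev/sdc1), $2 = key file
    cryptsetup luksAddKey "$1" "$2"
}

# Build the crypttab entry: <name> <source device> <key file> <options>
crypttab_line() {           # $1 = mapping name, $2 = UUID of LUKS partition, $3 = key file
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Lint one crypttab line. Field 3 must be "none" (prompt at boot) or an
# absolute path to an existing file with no group/other permission bits.
check_crypttab_line() {     # $1 = crypttab line; returns 0 if acceptable
    read -r _name _dev key _opts <<EOF
$1
EOF
    case "$key" in
        none) return 0 ;;
        /*)   ;;
        *)    echo "field 3 '$key' is not a key file path" >&2; return 1 ;;
    esac
    [ -f "$key" ] || { echo "key file $key not found" >&2; return 1; }
    mode=$(stat -c '%a' "$key") || return 1     # GNU stat, as on Ubuntu
    case "$mode" in
        ?00) return 0 ;;
        *)   echo "key file $key has mode $mode: group/other bits set" >&2; return 1 ;;
    esac
}

# Demo in a scratch directory; on a real system the key file would sit on the
# encrypted root, e.g. under /etc/keys/ (hypothetical location).
demo_dir=$(mktemp -d)
make_keyfile "$demo_dir/crypto.key"
good=$(crypttab_line crypto 1234-PLACEHOLDER "$demo_dir/crypto.key")
check_crypttab_line "$good" && echo "ok:       $good"
bad="crypto UUID=1234-PLACEHOLDER password luks"   # shape of the line in the question
check_crypttab_line "$bad" 2>/dev/null || echo "rejected: $bad"
rm -rf "$demo_dir"
```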