Automatically unlock your LUKS-encrypted disk

Want to do away with the disk encryption passphrase altogether? This guide will show you how to disable it for your instance.

This is useful if:

  • You want 100% unattended reboots.
  • You're taking the Dradis VM in your laptop and don't want to type the password every time.

Warning: following this guide will render disk encryption useless. You will be storing your encryption key, plain-text, in the unencrypted part of the disk!

1. Back up your initramfs disk

Run the following commands in the Dradis console as root:

# cp /boot/initrd.img-3.2.0-4-amd64 /boot/initrd.img-3.2.0-4-amd64.safe

Optionally add a new entry in the boot menu to fall back to the safe initramfs disk:

# vi /boot/grub/grub.cfg

Edit /boot/grub/grub.cfg to match the following:

### BEGIN /etc/grub.d/10_linux ###
#...

menuentry 'Debian GNU/Linux, with Linux 3.2.0-4-amd64 (crypto safe)' --class debian --class gnu-linux --class gnu --class os {
        load_video
        insmod gzio
        insmod part_msdos
        insmod ext2
        set root='(hd0,msdos1)'
        search --no-floppy --fs-uuid --set=root bc15be43-c8fe-43b2-bae8-5ae9e8e2d19a
        echo    'Loading Linux 3.2.0-4-amd64 ...'
        linux   /vmlinuz-3.2.0-4-amd64 root=/dev/mapper/dradispro-root ro  quiet
        echo    'Loading initial ramdisk ...'
        initrd  /initrd.img-3.2.0-4-amd64.safe
}
# ...
### END /etc/grub.d/10_linux ###

2. Create the key file in the unencrypted /boot partition

# dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4

3. Set permissions

# chmod 0400 /boot/keyfile

4. Add the new file as unlock key to the encrypted volume

# cryptsetup -v luksAddKey /dev/sda5 /boot/keyfile
Enter any passphrase:

Enter your old/existing passphrase here. Expected output:

Key slot 0 unlocked.
Command successful.

5. Find the UUID of /dev/sda1

# ls -l /dev/disk/by-uuid/

6. Edit /etc/crypttab

Edit the contents of file /etc/crypttab (use the UUID of /dev/sda1 from the previous step)

# vi /etc/crypttab

This should be the contents:

sda5_crypt UUID=ae6501ed-38da-43ad-b6fd-199e529120e8 none luks

The changes we'll be making:

  • Replace the 3rd parameter ‐ none ‐ with /dev/disk/by-uuid/<uuid>:/keyfile with the UUID for sda1

  • Replace the 4th parameter ‐ luks‐ with luks,keyscript=/lib/cryptsetup/scripts/passdev

The final result:

sda5_crypt UUID=ae6501ed-38da-43ad-b6fd-199e529120e8 /dev/disk/by-uuid/bc15be43-c8fe-43b2-bae8-5ae9e8e2d19a:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev

In this case the UUID for our /dev/sda1 UUID was bc15be43....

If you run into any issues with file permissions, run:

# chmod 0777 /etc/crypttab

After editing, run the following to reset the permissions:

# chmod 0440 /etc/crypttab

7. Generate a new initramfs disk

# mkinitramfs -o /boot/initrd.img-3.2.0-4-amd64 \
    3.2.0-4-amd64

8. Cross your fingers and reboot

# reboot

Congratulations: You have effectively short-circuited the security of the encrypted drive. Be careful now!