# systemd-cryptsetup with keyfile on removable drive

## Alexey Vladykin

I've recently migrated from OpenRC to systemd and I'm missing one feature: ability to auto-mount encrypted LUKS partition using a removable drive with keyfile.

With OpenRC I simply had in /etc/conf.d/dmcrypt:

```
target=home
source=/dev/sda4
remdev=/dev/sdb1
key=/keyfile.dat
```

During boot OpenRC mounted /dev/sdb1 to some temporary mount point and used keyfile.dat to open the encrypted partition.

Unfortunately with systemd I can't find how to achieve the same result. Something like this is described at http://wejn.org/how-to-make-passwordless-cryptsetup.html, but it relies upon a "keyscript" option which apparently does not exist in my systemd version 208-r2.

Anybody managed to make systemd-cryptsetup mount LUKS partitions using keyfile from removable drive?

Will appreciate any ideas.

----------

## nlsa8z6zoz7lyih3ap

To set up /dev/mapper/sda8 without a password I add the following line to /etc/crypttab:

```
sda8  /dev/sda8   /PathToKey/sda8crypt     luks
```

where the key is sda8crypt.

Here, /dev/mapper/sda8 will be mounted to /home.

To mount the encrypted root, I use an initramfs, though of course this takes a password.

I had some trouble setting this up, as detailed in the forums:

*Quote:*

> https://forums.gentoo.org/viewtopic-t-972332-highlight-.html

----------

## Alexey Vladykin

Thank you for response, I've studied that thread before asking my question, but my case is a little bit different.

I have my keyfile on a removable USB thumb which has no static mount point configured in fstab, so there is nothing I can write in place of /PathToKey/. Only the device node of USB drive is known in advance (/dev/sdb1). OpenRC handled this pretty well, now I'm looking for a similar feature in systemd.

----------

## nlsa8z6zoz7lyih3ap

Assuming that you are not mounting root, would the persistent names feature of udev allow you to give it a name that you can put in /etc/fstab?

Even without that, my flash drive always comes up with the same name, so I could put it in /etc/fstab.

This is only a thought, I realize that it may not be what you are looking for.

----------

## Alexey Vladykin

If I configure a mount point for my removable drive in fstab like this

```
/dev/sdb1               /mnt/flash      vfat            noatime,nofail  0 0
```

and in crypttab specify path to key using this mount point

```
home       /dev/sda4       /mnt/flash/keyfile     luks
```

then indeed systemd reads my keyfile from USB drive and does not ask for password.

That's good :D However there are two drawbacks compared to the OpenRC functionality:

- USB drive has to be manually unmounted after booting in order to remove it
- mount point for USB drive has to be configured in fstab

Is it possible to address these drawbacks?
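The fstab plus crypttab arrangement above works, but it silently couples the boot to the removable drive: the generator orders the unlock after the mount holding the keyfile, and a mount line without `nofail` makes systemd wait for the device and drop to emergency mode when the stick is absent. The following checker, added here as an example and not something posted in the thread, parses crypttab and fstab text and reports keyfiles that sit under a mount configured without `nofail` or `ro`. The sample crypttab and fstab contents are constructed, modelled on the lines in the posts above.

```python
"""Added example (not from the thread): check that every keyfile named in
/etc/crypttab lives under an fstab mount point configured so that a missing
removable drive cannot hang the boot and an unplugged one cannot be dirty."""


def _fields(text):
    """Yield whitespace-split fields of non-comment, non-empty lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_crypttab(text):
    """Return [(name, device, keyfile or None, options set)]."""
    entries = []
    for f in _fields(text):
        if len(f) < 2:
            continue
        keyfile = f[2] if len(f) > 2 and f[2] not in ("none", "-") else None
        options = set(f[3].split(",")) if len(f) > 3 else set()
        entries.append((f[0], f[1], keyfile, options))
    return entries


def parse_fstab(text):
    """Return {mountpoint: (device, fstype, options set)}."""
    mounts = {}
    for f in _fields(text):
        if len(f) >= 4:
            mounts[f[1]] = (f[0], f[2], set(f[3].split(",")))
    return mounts


def mount_holding(path, mounts):
    """Longest mount point containing path: the mount systemd-cryptsetup-generator
    orders the unlock after (RequiresMountsFor= on the keyfile's directory)."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def check_keyfiles(crypttab_text, fstab_text):
    """Return [(mapping name, finding)]; an empty list means nothing to report."""
    findings = []
    mounts = parse_fstab(fstab_text)
    for name, _device, keyfile, _opts in parse_crypttab(crypttab_text):
        if keyfile is None:
            continue  # passphrase prompt, not a keyfile
        mp = mount_holding(keyfile, mounts)
        if mp is None:
            findings.append((name, "keyfile %s is not under any fstab mount point" % keyfile))
            continue
        if mp == "/":
            continue  # key on the root filesystem: no removable drive involved
        _dev, _fstype, mopts = mounts[mp]
        if "nofail" not in mopts:
            findings.append((name, "mount %s lacks nofail: boot waits for the device "
                                   "and falls to emergency mode when it is absent" % mp))
        if "ro" not in mopts:
            findings.append((name, "mount %s is read-write: mount it ro so pulling "
                                   "the drive cannot leave dirty pages behind" % mp))
    return findings


# Constructed sample input, modelled on the lines posted in this thread.
SAMPLE_FSTAB = """\
/dev/sda2   /            ext4   noatime          0 1
/dev/sdb1   /mnt/flash   vfat   noatime,nofail   0 0
"""
SAMPLE_CRYPTTAB = """\
home    /dev/sda4   /mnt/flash/keyfile   luks
backup  /dev/sdc1   none                 luks
"""

if __name__ == "__main__":
    for name, finding in check_keyfiles(SAMPLE_CRYPTTAB, SAMPLE_FSTAB):
        print("%s: %s" % (name, finding))
```

Run against the real files with `check_keyfiles(open("/etc/crypttab").read(), open("/etc/fstab").read())`; on the sample it reports only that /mnt/flash is mounted read-write, which is the point raised later in the thread.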

----------

## nlsa8z6zoz7lyih3ap

*Quote:*

> That's good :D However there are two drawbacks compared to the OpenRC functionality:
>
> - USB drive has to be manually unmounted after booting in order to remove it
> - mount point for USB drive has to be configured in fstab
> ...

I don't know how to address this without using /etc/fstab unless you write an initramfs that mounts the flash drive, does the cryptsetup, then unmounts the flash drive before pivoting to systemd. This is quite easy if you are used to writing your own initramfs, otherwise it probably isn't worth the learning curve for such a minor task.

Since I use KDE, I would unmount it by creating the following file, /home/owner/.kde4/Autostart/UnMountFlash.sh:

```
#!/bin/sh
# unmount the flash drive's mount point itself; umount of a file path
# inside the mount ("/mnt/flash/keyfile") fails with "not mounted"
sudo umount /mnt/flash
```

Don't forget to make this executable. Of course you will also need to have sudo installed with permissions to run /home/owner/.kde4/Autostart/UnMountFlash.sh

I suspect also that you could write your own systemd element to do this, and that would be the most elegant solution. I don't know how to do this.

I did write my own for a few other services that were lacking, but I didn't really understand what I was doing. I just googled around, copied shamelessly and modified until they worked.

*Quote:*

> However there are two drawbacks compared to the OpenRC functionality:

openrc worked better for me. I shall be moving back to it after I have finished with the fun of experimenting with systemd. I don't need systemd, but I did wish to use it for a while so that I would at least know something about it.

Would moving back to openrc work for you?

----------

## nlsa8z6zoz7lyih3ap

*Quote:*

> However there are two drawbacks compared to the OpenRC functionality:
>
> - USB drive has to be manually unmounted after booting in order to remove it

Here is a question: If you change your /etc/fstab line to

```
/dev/sdb1               /mnt/flash      vfat            ro,nofail  0 0
```

can you just unplug it without unmounting it?

It would seem to me that  you should be able to, but I am no expert and I do not actually know the answer.

----------

## Alexey Vladykin

I've recently updated to GNOME 3.8 which wants systemd running, so I'll stick with systemd and look for solutions/workarounds.

Currently I see that writing a custom systemd script is the most clean and elegant approach.

Thank you!

----------

## nlsa8z6zoz7lyih3ap

Would you be kind enough to share the script when you have it working?

----------

## Alexey Vladykin

Sure, I will share the solution once I have it.

By the way, it seems that systemd has a standard mechanism for retrieving encryption passwords from non-typical places: http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/

Writing such password agent would be an option then.

----------

## boris64

Hey folks, any working solution yet? I tried your way, but when I plug out my usb stick, my home drive is unmounted instantly.

----------

## Alexey Vladykin

I've found that unmounting flash drive before removing it prevents my home from disappearing. No better solution yet. Writing a password agent for systemd is still on my todo list.

----------

## Alexey Vladykin

I've finally written a password agent that reads encryption password from removable drive. It works perfectly for me. Here it is: https://github.com/vladykin/systemd-askpass-remdev.
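The password-agent route mentioned two posts back, and taken in the end, deserves a concrete sketch. The following agent is an added example written for this page; it is not the code from the linked repository. The ask-file keys (PID, Socket, NotAfter, Id, Message) and the reply format (a datagram of "+" followed by the passphrase, or "-" to cancel) are those documented on the PasswordAgents wiki page linked above; the device node, mount point, key path and the one-second poll loop are assumptions. Note that a passphrase supplied through an agent must match the LUKS keyslot byte for byte, so the file on the stick is assumed to hold a text passphrase enrolled as such, not a binary keyfile read via the crypttab third field.

```python
"""Added example: a minimal systemd password agent that answers cryptsetup
passphrase requests with a passphrase read from a removable drive.
Protocol per the PasswordAgents wiki page; device, mount point, key path and
polling are assumptions, not values from the thread or the linked project."""
import configparser
import os
import socket
import subprocess
import time

ASK_DIR = "/run/systemd/ask-password"
REMDEV = "/dev/sdb1"            # assumption: removable drive holding the key
REMDEV_MOUNT = "/run/keyflash"  # assumption: temporary mount point
KEY_RELPATH = "keyfile.dat"     # assumption: text passphrase on the drive


def parse_ask_file(text):
    """Parse the [Ask] section of an ask.* file into a dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("Ask"):
        raise ValueError("no [Ask] section")
    ask = cp["Ask"]
    return {
        "pid": int(ask.get("PID", "0")),
        "socket": ask["Socket"],
        "id": ask.get("Id", ""),
        "message": ask.get("Message", ""),
        "not_after": int(ask.get("NotAfter", "0")),  # CLOCK_MONOTONIC us, 0 = never
    }


def request_is_live(req, now_us=None):
    """Skip stale requests: asking process gone, or NotAfter deadline passed."""
    if req["pid"]:
        try:
            os.kill(req["pid"], 0)   # signal 0 only tests that the PID exists
        except ProcessLookupError:
            return False
        except PermissionError:
            pass                     # exists but owned by someone else: alive
    if req["not_after"]:
        if now_us is None:
            now_us = time.monotonic_ns() // 1000
        if now_us > req["not_after"]:
            return False
    return True


def read_key_from_removable(device=REMDEV, mountpoint=REMDEV_MOUNT, relpath=KEY_RELPATH):
    """Mount the drive read-only, read the key, always unmount again (needs root)."""
    os.makedirs(mountpoint, exist_ok=True)
    subprocess.run(["mount", "-o", "ro", device, mountpoint], check=True)
    try:
        with open(os.path.join(mountpoint, relpath), "rb") as f:
            return f.read().rstrip(b"\n")  # LUKS slot must hold exactly these bytes
    finally:
        subprocess.run(["umount", mountpoint], check=False)


def send_reply(socket_path, passphrase):
    """Answer systemd on its AF_UNIX datagram socket; returns the datagram sent."""
    payload = b"-" if passphrase is None else b"+" + passphrase
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, socket_path)
    return payload


def answer_request(text, key_reader=read_key_from_removable, now_us=None):
    """Handle one ask.* file; returns the datagram sent, or None if left alone."""
    req = parse_ask_file(text)
    # systemd-cryptsetup tags its requests Id=cryptsetup:<device>; answer only those
    if not req["id"].startswith("cryptsetup:") or not request_is_live(req, now_us):
        return None
    try:
        passphrase = key_reader()
    except (OSError, subprocess.CalledProcessError):
        return None  # drive absent: stay silent so the console agent can still prompt
    return send_reply(req["socket"], passphrase)


def serve_once(ask_dir=ASK_DIR):
    """One pass over the ask directory; returns the names of files answered."""
    answered = []
    for name in sorted(os.listdir(ask_dir)):
        if name.startswith("ask."):
            with open(os.path.join(ask_dir, name)) as f:
                if answer_request(f.read()) is not None:
                    answered.append(name)
    return answered


if __name__ == "__main__":
    while True:   # production agents watch the directory with inotify instead
        serve_once()
        time.sleep(1)
```

The agent never replies with "-" when the stick is missing: cancelling would fail the unlock outright, whereas staying silent leaves the request for the console prompt, which is the fallback behaviour the thread wants. Because systemd removes the ask file as soon as it receives a reply, the poll loop is adequate for a demonstration, but the inotify watch the wiki recommends avoids the one-second delay at boot.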

----------

