LUKS/dm-crypt auto-mount with USB key

[watercooled]

Right, so I've been playing with LUKS and I'm working towards setting up a system similar to Bitlocker where you can use a USB key to store a keyfile and have the system mount an encrypted data partition automatically at boot (for a headless system). Easier said than done...

I have no problem setting up an encrypted volume and mounting it but I'm having trouble thinking of an elegant way to automate the process at boot time. I've found a few guides on the net for mounting root partitions but, well, they're not perfect to start with and they seem over-complicated for a data partition i.e. mod-probing drivers and modifying initramfs - for a pure storage partition it should be as simple as checking for, temporarily mounting, and pulling the keyfile from the flash drive and maybe prompting for a password if that fails.

Does anyone have any advice or know of a decent guide to follow?

Thanks.

[peterb]

Add an entry in fstab?

If you want it to conditionally prompt for a password though you will probably need to do a bit of script writing. Otherwise follow the guides. Rebuilding intramfs isn't that difficult although a bit daunting first time round (especially at reboot time with it the first time - will it work? )

[watercooled]

Yeah the bit that's worrying me is that it needs to mount the mapped drive after the system has booted and the drive has been mapped (unlocked) but before anything dependant on the data drive is started (services for instance).

The guides I've tried so far seem to be missing quite important steps - writing a guide but assuming people reading it already know what they're doing is a bit stupid IMO. I've found a few more though so I'll have another go when I get some time, the script seems to be the bit I'm stuck with though - I can get a script to ask for a password but getting one to modprobe the correct drivers, intelligently check for a specific drive, mount it, check for specific data then feed it to the program, and then unmount the drive, is another story.

I'm trying this out on a spare 'tinkering' system before I put it in to production. I just kind of assumed there would be a more turnkey way of doing it like Bitlocker on Windows - I mean I know it's not the best security practice but entering a password every boot isn't a viable option for a headless server; plugging a USB drive in for a while when I reboot isn't a problem.