Booting encrypted install using LUKS keyfile on a removable stick

[strasharo]

Can we get support to unlock encrypted installs via a LUKS keyfile on a removable usb flash drive? Since lots of people are running Berryboot on a headless setup without a display and the remote password entry using Dropbear was ruled down as insecure on the forum, I guess a key file on a removable drive will be a a good alternative.

[maxnet]

I assume that the Pi is not at a remote location, but on your desk, and you unplug the USB stick when leaving?

Then what is the advantage of this over just plugging in a keyboard to enter the password, and unplugging it when done? Note that attaching a display is not strictly necessarily, and keyboards are quite portable.

[strasharo]

Well, I tried entering my password blindly with only a keyboard quite a few times, but most of the times I don't succeed. Without display I have no indication at all if I'm even hitting the password entry prompt.

The device is not exactly on my desk, but in case of power cut I can walk to it and plug a device in order to boot it. I guess a flash drive is a little bit more portable to carry around and booting using a key file will be much faster than trying to catch the password entry prompt blindly. :)

[andrewg78]

HI, can we get less secure but very convenient way to store LUKS keyfile between MBR and 1st partition of SD card?

[maxnet]

can we get less secure but very convenient way to store LUKS keyfile between MBR and 1st partition of SD card?

What are you trying to achieve exactly? Putting a lock on your door, but always leaving the key in, sounds not secure at all rather than just "less secure"...

Or are you looking for a way to quickly destroy access to data (by zeroing out the keyfile) on some trigger?

[andrewg78]

I'm building headless device. I just want to prevent weekend hackers from spying my files easily. I know this is not secure but better then leaving the key on a hidden partition, USB key or leaving partition unencrypted. I understand I did not convince you to add such a feature.

[maxnet]

No, this is not a common enough scenario to add to the main code.

[andrewg78]

OK. Thank you for your time.

[tristan-k]

I'm facing a similar situation. I want to colocate my Raspberry Pi in a professional data center. Since the motivation for doing that is primarly build arround privacy and security reasons (see https://github.com/nylira/prism-break/issues/1052 for further information), I need a way to unlock the encrypted container automatically without exposing the password. I dont have physically access to the pi anymore as soon as it is send to the data center.

[strasharo]

Try this one: http://blog.epijunkie.com/2014/01/raspberry-pi-arch-linux-fde-freeradius3-a-low-power-radius-server-for-wpa2-enterprise/ It works perfectly for me. :)