* Boot with encrypted disk but only with USB Stick
From: Dirk Nichterwitz @ 2025-03-04 10:19 UTC
To: cryptsetup

Hello,

I have configured my system to boot a LUKS-encrypted hard disk. I added a keyfile on a USB stick, and this works to boot automatically when it is plugged in. But is there a way to configure the system to only boot with the stick? Because if I unplug the stick, the system asks for a passphrase.

But I want a system that only works with the stick and no way to do another boot.

Thx, greets
Dirk
* Re: Boot with encrypted disk but only with USB Stick
From: Christoph Anton Mitterer @ 2025-03-04 13:07 UTC
To: Dirk Nichterwitz, cryptsetup

Hey.

On Tue, 2025-03-04 at 11:19 +0100, Dirk Nichterwitz wrote:
> I added a keyfile on a USB stick and this works to boot automatically when
> plugged in.
> But is there a way to configure the system to only boot with the stick?
> Because if I unplug the stick the system asks for a passphrase.
>
> But I want a system that only works with the stick and no way to do
> another boot.

Not sure what exactly you want:

You can simply install your bootloader, kernel and initramfs on the USB stick (along with any keys needed for decryption).

Most BIOSes/UEFIs support booting from USB.

That way, an attacker cannot mess with these parts, which would otherwise be completely open. Of course a powerful enough attacker could still replace your firmware. And of course this only makes sense if you then keep your USB stick with you "all the time".

Or do you want to continue to boot from your regular storage drive, but simply get no passphrase prompt in case the stick is not present?

Cheers,
Chris.
* Re: Boot with encrypted disk but only with USB Stick
From: Arno Wagner @ 2025-03-04 17:28 UTC
To: Christoph Anton Mitterer; +Cc: Dirk Nichterwitz, cryptsetup

On Tue, Mar 04, 2025 at 14:07:47 CET, Christoph Anton Mitterer wrote:
> On Tue, 2025-03-04 at 11:19 +0100, Dirk Nichterwitz wrote:
> > I added a keyfile on a USB stick and this works to boot automatically when
> > plugged in.
> > But is there a way to configure the system to only boot with the stick?
> > Because if I unplug the stick the system asks for a passphrase.
> >
> > But I want a system that only works with the stick and no way to do
> > another boot.
>
> Not sure what exactly you want:
>
> You can simply install your bootloader, kernel and initramfs on the USB
> stick (along with any keys needed for decryption).
>
> Most BIOSes/UEFIs support booting from USB.
>
> That way, an attacker cannot mess with these parts, which would
> otherwise be completely open.
> Of course a powerful enough attacker could still replace your firmware.
> And of course this only makes sense if you then keep your USB stick
> with you "all the time".

I did a scenario where the boot stick was in a safe with limited access in an office. That was a special case with a hard-coded disk-encryption password that was only on the stick. The idea was that a trusted non-IT person could reboot the server if needed and then lock up the stick again.

The implementation was via a custom initrd, which is really not that hard to do. Essentially you just change the boot script called by init in there. (No idea what systemd requires though; I do not use it.)

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier
* Re: Boot with encrypted disk but only with USB Stick
From: Michael Kjörling @ 2025-03-04 20:31 UTC
To: cryptsetup

On 4 Mar 2025 11:19 +0100, from dnichterwitz@m4com.de (Dirk Nichterwitz):
> I have configured my system to boot a LUKS-encrypted hard disk. I added a
> keyfile on a USB stick and this works to boot automatically when plugged in.
> But is there a way to configure the system to only boot with the stick? Because
> if I unplug the stick the system asks for a passphrase.

To cryptsetup, a key file (in the sense of its --key-file parameter; not --volume-key-file/--master-key-file) _is_ a passphrase. See cryptsetup-open(8) under OPTIONS.

So you will need something outside of cryptsetup to detect whether the USB stick is plugged in and if not, stop the boot process and/or prompt to insert the USB stick, before the boot process gets to the point of unlocking the container. Exactly how to do that will depend on your distribution and init system, but as Arno suggested, will likely involve tweaking the initrd. For example, on a Debian-based system, you'd likely start out somewhere under /etc/initramfs-tools.

Note that doing this won't add any security compared to your current situation; anyone who wants to attack the container can still do so normally, because they can either remove the storage device or make a full-disk copy of it and attack that with no regard to your boot scripts.

--
Michael Kjörling 🔗 https://michael.kjorling.se
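The following is an added example of the kind of initrd tweak Arno and Michael describe; it is not code from the thread, from the cryptsetup project, or Debian's shipped passdev keyscript. It assumes the Debian initramfs-tools cryptroot hook, which invokes a `keyscript=` named in /etc/crypttab and reads the key from that script's stdout; that the stick's filesystem is labelled CRYPTKEY so udev exposes it as /dev/disk/by-label/CRYPTKEY; that the key is the file /luks.key on it; and a hypothetical install path of /usr/local/sbin/usbkey. Because a key file is just a passphrase to cryptsetup, the "no other way to boot" property can only come from this script refusing to fall back to a prompt when the stick is absent: it exits non-zero instead, and what the cryptroot hook does after that (retry per the crypttab `tries=` option, eventually give up) is the hook's decision, not the script's. The variables are read at call time so the logic can be exercised outside an initramfs with a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the thread and not Debian's passdev: a crypttab
# keyscript that prints the LUKS key from a labelled USB stick to stdout and
# fails, without ever prompting, when the stick is not present.
#
# Assumed /etc/crypttab line (hypothetical UUID and path):
#   cryptroot UUID=<luks-uuid> none luks,keyscript=/usr/local/sbin/usbkey
# then: update-initramfs -u   (the cryptroot hook copies the keyscript in)

KEY_LABEL="${KEY_LABEL:-CRYPTKEY}"              # assumed filesystem label of the stick
KEY_PATH="${KEY_PATH:-/luks.key}"               # assumed key file path on the stick
BY_LABEL_DIR="${BY_LABEL_DIR:-/dev/disk/by-label}"
WAIT_SECONDS="${WAIT_SECONDS:-30}"              # how long to wait for udev to show the stick
MNT="${MNT:-/run/usbkey}"                       # temporary read-only mount point

# Print the device node for the labelled stick if udev has created it.
find_stick() {
    dev="$BY_LABEL_DIR/$KEY_LABEL"
    if [ -e "$dev" ]; then
        printf '%s\n' "$dev"
        return 0
    fi
    return 1
}

# Poll for the stick: it may be enumerated a few seconds after the root device.
wait_for_stick() {
    i=0
    while [ "$i" -lt "$WAIT_SECONDS" ]; do
        if find_stick; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Mount the stick read-only, copy the key file to stdout, unmount again.
# MOUNT_CMD/UMOUNT_CMD are hooks so the function can be tested without root
# (set both to "true" and point MNT at a constructed directory).
emit_key() {
    dev="$1"
    mkdir -p "$MNT"
    ${MOUNT_CMD:-mount} -o ro "$dev" "$MNT" || return 1
    if [ ! -s "$MNT$KEY_PATH" ]; then
        echo "usbkey: $KEY_PATH missing or empty on $dev" >&2
        ${UMOUNT_CMD:-umount} "$MNT"
        return 1
    fi
    cat "$MNT$KEY_PATH"
    rc=$?
    ${UMOUNT_CMD:-umount} "$MNT"
    return $rc
}

main() {
    if dev=$(wait_for_stick); then
        emit_key "$dev" && exit 0
    fi
    # Deliberately no askpass fallback: without the stick, unlocking fails.
    echo "usbkey: key stick '$KEY_LABEL' not found; refusing to prompt for a passphrase" >&2
    exit 1
}

# The cryptroot hook exports CRYPTTAB_NAME when it runs a keyscript; only
# then do we act, so the file can also be sourced to test its functions.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    main
fi
```

As Michael notes, none of this raises the bar against an offline attacker: the key on the stick is the passphrase, and anyone who copies the disk can attack the LUKS header with whatever tooling they like, so the script only changes what the machine does at the console.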