3

Some time ago I installed Linux Pop-OS (based on Ubuntu 20.04). All good so far. It's my secondary play-around box. I installed it with full-disk encryption, which prompts for a passphrase to decrypt and boot.

I now want to convert this thing to a mediacenter which boots directly into kodi. It wouldn't even have a screen connected.

So the question is, can this be done so that the boot process doesn't require entering the encryption key?

I know this kinda defeats the purpose of encryption; the reason here is actually only that I want to avoid having to reinstall everything...

4
  • 1
    Does this answer your question? How to remove LUKS encryption? Commented Nov 22, 2021 at 15:24
  • It seems to suggest reformatting. If I have to do that I would rather reinstall from scratch. But thanks. Commented Nov 22, 2021 at 15:47
  • How about automatically unlocking the encrypted disk with a key file? See howtoforge.com/… Commented Nov 22, 2021 at 18:52
  • 1
    Yep, tried that following this tutorial: golinuxcloud.com/mount-luks-encrypted-disk-partition-linux but it didn't work for me. I guess the reason was that because the full disk is encrypted, there's no /root yet on the file system to access the keyfile. Also tried with /boot, which I hoped would be there, but no joy either. Commented Nov 22, 2021 at 19:13

5 Answers

4

Although you have found a solution for yourself by removing the encryption altogether, sometimes it is useful to have encryption but to have it mounted without entering the password (what your question actually asked about). In my setup I have one disk where I enter the password, but the second disk is then mounted without the password, using a keyfile on the first disk.

To do that you first add a keyfile:

cryptsetup luksAddKey /dev/sdaX /path/.large-keyfile

and then put the following in the /etc/crypttab

some_name_crypt UUID=123-uid-here-123 /path/.large-keyfile luks,discard

In order to generate the keyfile you could do something like:

dd if=/dev/random of=/path/.large-keyfile bs=1024 count=1024

Make sure that /path is in the non-encrypted part of the disk, perhaps inside /boot, or in a part that is available through some other means.

Also note that you will need to regenerate bootup files, since you have edited crypttab.

3
  • You're right my question actually asked for something else. Unfortunately I already can't try your solution, but thanks a lot for posting it nonetheless. Commented Nov 23, 2021 at 17:24
  • 1
    @transient_loop Not a problem, I understood that. I was just sure that there'll be other people who will find your question and will want to see several approaches. This is not just a forum, but a site for technical answers after all. Commented Nov 23, 2021 at 18:11
  • "Also note that you will need to regenerate bootup files, since you have edited crypttab": how exactly? Note: I just made my system unbootable after running update-initramfs -u. Commented Nov 6, 2022 at 13:10
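The keyfile procedure from this answer, as an added example that is not part of the answer: a POSIX shell script that creates the keyfile with root-only permissions, writes the crypttab entry without duplicating it, and leaves the steps that need root and a real LUKS device (luksAddKey, update-initramfs) as functions to run on the actual machine. The keyfile path /etc/luks-keys/data.key, the mapping name data_crypt, the device /dev/sdb1 and the 4096-byte size are my assumptions. One caveat the answer glosses over: the key only stays off the disk in plaintext when the keyfile lives on a filesystem that is itself unlocked by passphrase (the answer's first disk). For the root device of a single-disk machine, as in the question, the keyfile has to be copied into the initramfs instead (on Debian/Ubuntu via KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook, with UMASK=0077 in /etc/initramfs-tools/initramfs.conf so the image is not world-readable), and unencrypted /boot then holds the key in the clear, which is no stronger than decrypting the disk outright.

```shell
#!/bin/sh
# Added example (not from the answer above): unattended LUKS unlock of a
# secondary disk via a keyfile. Paths, names and the 4096-byte size are assumptions.
set -eu

# make_keyfile PATH [BYTES]: random keyfile readable only by root.
make_keyfile() {
    path=$1
    bytes=${2:-4096}
    dir=$(dirname "$path")
    mkdir -p "$dir"
    chmod 700 "$dir"
    # umask 077 so the file is never readable by others, not even briefly.
    (umask 077 && head -c "$bytes" /dev/urandom > "$path")
    chmod 400 "$path"
    # Refuse to continue with a truncated keyfile: a short key is a weak key.
    [ "$(wc -c < "$path")" -eq "$bytes" ] || { echo "keyfile $path is short" >&2; return 1; }
}

# crypttab_entry NAME UUID KEYFILE [OPTIONS]: one /etc/crypttab line.
crypttab_entry() {
    printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "${4:-luks,discard}"
}

# crypttab_add CRYPTTAB NAME UUID KEYFILE: append the entry unless NAME already exists.
crypttab_add() {
    tab=$1 name=$2 uuid=$3 key=$4
    if grep -q "^${name}[[:space:]]" "$tab" 2>/dev/null; then
        echo "$name already present in $tab" >&2
        return 1
    fi
    crypttab_entry "$name" "$uuid" "$key" >> "$tab"
}

# enrol_keyfile DEVICE KEYFILE: add the keyfile to a free LUKS key slot.
# Prompts for an existing passphrase; needs root and a real LUKS device.
enrol_keyfile() {
    cryptsetup luksAddKey "$1" "$2"
}

# Full procedure on the real system (as root), for an assumed second disk /dev/sdb1:
#   make_keyfile /etc/luks-keys/data.key
#   enrol_keyfile /dev/sdb1 /etc/luks-keys/data.key
#   crypttab_add /etc/crypttab data_crypt "$(blkid -s UUID -o value /dev/sdb1)" /etc/luks-keys/data.key
#   update-initramfs -u -k all   # rebuild the initramfs for every installed kernel
```

The `-k all` matters for the comment above about an unbootable system: `update-initramfs -u` alone only rebuilds the image for the newest kernel, so older entries in the boot menu keep an initramfs that knows nothing about the new crypttab. Test the new entry with `cryptdisks_start data_crypt` before rebooting.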
2

By chance I stumbled upon this answer: https://askubuntu.com/a/1335140

That did it indeed for me!

Basically:

  • Boot from a USB stick
  • Run sudo cryptsetup-reencrypt --decrypt /dev/sda2 (use your own drive)

I then had to fix the fstab for a faster boot, but it worked!

1

I now want to convert this thing to a mediacenter which boots directly into kodi. It wouldn't even have a screen connected.

A safer alternative to your approach is to set up initramfs-dropbear. At boot time an SSH server is started, to which you can connect with any SSH client, e.g. PuTTY on Windows or OpenSSH on Linux-based OSes.

To do this:

  • $ sudo apt install dropbear-initramfs
  • Edit /etc/initramfs-tools/initramfs.conf to set the IP address information, e.g. IP=10.0.0.2::10.0.0.1:255.255.255.0:serverhost
  • Potentially/preferably set up public key authentication
  • Connect via SSH to 10.0.0.2 whenever the server is (re)booted and enter your LUKS decryption key
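The dropbear setup above, as an added example that is not part of the answer: a POSIX shell script that writes the static IP= line and an authorized_keys entry restricted to the unlock command, so a leaked client key gives an attacker nothing but the passphrase prompt. The ROOT argument lets it write into a staging directory; on the real machine run it as root with ROOT=/. The config location /etc/dropbear-initramfs/, the interface name eth0, the hostname mediacenter and the key file path are assumptions (newer releases moved the directory to /etc/dropbear/initramfs/).

```shell
#!/bin/sh
# Added example (not from the answer above): provision dropbear-initramfs for
# remote LUKS unlock. File locations are those of Ubuntu 20.04's
# dropbear-initramfs package (assumed).
set -eu

# ip_line ADDR GATEWAY NETMASK HOSTNAME [DEVICE]: the IP= setting for
# /etc/initramfs-tools/initramfs.conf (client:server:gw:mask:host:dev form).
ip_line() {
    printf 'IP=%s::%s:%s:%s:%s\n' "$1" "$2" "$3" "$4" "${5:-eth0}"
}

# restricted_key PUBKEY_LINE: authorized_keys entry that can only run
# cryptroot-unlock; no shell, no port forwarding in the initramfs.
restricted_key() {
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s\n' "$1"
}

# configure_dropbear ROOT PUBKEY_FILE ADDR GATEWAY NETMASK HOSTNAME
configure_dropbear() {
    root=$1 pub=$2
    conf_dir="$root/etc/dropbear-initramfs"
    initramfs_conf="$root/etc/initramfs-tools/initramfs.conf"
    mkdir -p "$conf_dir" "$(dirname "$initramfs_conf")"
    # Only the unlock-capable key goes into the initramfs, root-readable only.
    (umask 077 && restricted_key "$(cat "$pub")" > "$conf_dir/authorized_keys")
    # Replace any previous IP= line rather than appending a second one.
    touch "$initramfs_conf"
    grep -v '^IP=' "$initramfs_conf" > "$initramfs_conf.tmp" || true
    ip_line "$3" "$4" "$5" "$6" >> "$initramfs_conf.tmp"
    mv "$initramfs_conf.tmp" "$initramfs_conf"
}

# On the real system (as root):
#   apt install dropbear-initramfs
#   configure_dropbear / /home/admin/.ssh/id_ed25519.pub 10.0.0.2 10.0.0.1 255.255.255.0 mediacenter
#   update-initramfs -u -k all
# From the client, the initramfs host key differs from the booted system's, so
# keep it in a separate known_hosts file instead of training yourself to accept
# mismatches:
#   ssh -o UserKnownHostsFile=~/.ssh/known_hosts.initramfs root@10.0.0.2
# The forced command runs cryptroot-unlock straight away; type the passphrase at its prompt.
```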
0

If you have a TPM 2.0 chip (or fTPM) inside your machine (which you probably do unless you are using something ancient), you really want to use TPM unlocking. It is the only reasonably secure and actually unmanaged solution.

Note: The boot chain can still be affected by a bootkit if you are not using Secure Boot with unified kernel images or if your UEFI is not password-protected. Unfortunately there is no out-of-the-box solution for this right now on any distro. On the Arch wiki you can find detailed guides on both topics. Fedora seems to have begun adopting it; that is the closest you can get right now to an actually secure, unmanaged, out-of-the-box solution.
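The TPM unlock this answer recommends, as an added example that is not part of the answer: a POSIX shell script that seals a LUKS key slot to the TPM with systemd-cryptenroll, bound to PCR 7 (the Secure Boot policy measurement), and refuses to enrol while Secure Boot is off. That refusal is the answer's bootkit caveat made concrete: with Secure Boot disabled PCR 7 stays the same no matter what kernel or initrd an attacker drops into unencrypted /boot, so the TPM would happily unseal for tampered code. The tool, the device /dev/sda2, the mapping name and the PCR choice are my assumptions; systemd-cryptenroll needs systemd 248 or newer and an initramfs that runs systemd-cryptsetup, so it is a target for a newer release than the 20.04 base in the question.

```shell
#!/bin/sh
# Added example (not from the answer above): TPM 2.0-sealed LUKS key slot with
# systemd-cryptenroll, PCR 7, gated on Secure Boot being enabled. Assumptions:
# device path, PCR choice, and a systemd-based initramfs.
set -eu

# secure_boot_state [EFIVAR]: prints "enabled", "disabled" or "unknown".
# The SecureBoot EFI variable is 4 bytes of attributes followed by one data byte.
secure_boot_state() {
    var=${1:-$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)}
    [ -n "$var" ] && [ -r "$var" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    case $byte in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# crypttab_tpm_entry NAME UUID: crypttab line that unlocks via the TPM and
# falls back to the passphrase prompt if unsealing fails (e.g. after a firmware update).
crypttab_tpm_entry() {
    printf '%s UUID=%s none luks,discard,tpm2-device=auto\n' "$1" "$2"
}

# enroll_tpm DEVICE [PCRS]: add a TPM-sealed key slot (asks for an existing
# passphrase). Needs root, a TPM 2.0 and a real LUKS2 device; not run by the test.
enroll_tpm() {
    dev=$1 pcrs=${2:-7}
    if [ "$(secure_boot_state)" != enabled ]; then
        echo "Secure Boot is not enabled; sealing to PCR $pcrs would not bind the boot chain" >&2
        return 1
    fi
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
}

# On the real system (as root):
#   enroll_tpm /dev/sda2
#   crypttab_tpm_entry cryptroot "$(blkid -s UUID -o value /dev/sda2)"   # merge into /etc/crypttab
#   cryptsetup luksDump /dev/sda2 | grep -A3 'systemd-tpm2'               # confirm the token
# then rebuild an initramfs that runs systemd-cryptsetup (dracut with its
# systemd module, as Fedora and Arch do); the initramfs-tools cryptroot script
# in 20.04 ignores tpm2-device= on its own.
```

Keep the passphrase slot: PCR 7 changes whenever the Secure Boot database or the firmware's policy changes, and the crypttab entry above then drops back to the prompt rather than locking you out.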

0

If the encryption is meant to prevent a thief from having access to your data should the server be stolen, one option is the combination of Clevis and Tang. This allows a computer booting on your network to retrieve the disk encryption key from a key server. For this you need something to act as a key server. There are many options here, but something as simple as a Raspberry Pi Zero W could be the server.

Tang is a lightweight key server. Clevis is a program that, in combination with Dracut, can create a boot image that can unlock LUKS disks by getting a key from a Tang server.

This setup works to protect data from physical theft. The idea is that the thief could either not take (or find) the key server, or, if they did, it would also be locked (a server requiring unlocking to start). It does not help if the attacker can get onto your network.
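The Clevis/Tang binding described above, as an added example that is not part of the answer: a POSIX shell script that builds the Clevis tang pin with the server's signing-key thumbprint pinned, so the bind runs without the interactive "trust these keys?" prompt and a rogue Tang on the same LAN cannot answer in place of yours. The server address 10.0.0.10, port 7500, the device /dev/sda2 and the use of `tang-show-keys` to read the thumbprint on the server are my assumptions.

```shell
#!/bin/sh
# Added example (not from the answer above): bind a LUKS device to a Tang
# server with Clevis, pinning the server's signing key by thumbprint.
# Server address, port and device are assumptions.
set -eu

# tang_pin URL THUMBPRINT: Clevis tang pin configuration. "thp" is the
# base64url SHA-256 thumbprint of the Tang signing key, as printed by
# `tang-show-keys 7500` on the server; with it set, clevis verifies the
# advertisement against that key instead of asking you to trust it on first use.
tang_pin() {
    printf '{"url":"%s","thp":"%s"}' "$1" "$2"
}

# valid_thp THUMBPRINT: an unpadded base64url SHA-256 digest is exactly 43 characters.
valid_thp() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# clevis_bind DEVICE URL THUMBPRINT: add a Clevis-managed key slot (asks for an
# existing passphrase). Needs root, clevis-luks and the network; not run by the test.
clevis_bind() {
    valid_thp "$3" || { echo "bad thumbprint: $3" >&2; return 1; }
    clevis luks bind -d "$1" tang "$(tang_pin "$2" "$3")"
}

# On the real system (as root), with the thumbprint copied from the Tang host:
#   clevis_bind /dev/sda2 http://10.0.0.10:7500 <thumbprint>
#   clevis luks list -d /dev/sda2     # confirm the new slot and its pin
#   dracut -f                         # initramfs with clevis-luks-askpass
# and make sure the initramfs brings the network up (rd.neednet=1 on the
# kernel command line for dracut) before it tries to unlock.
```

Keep the passphrase slot as well: if the Tang server is down or its keys have been rotated, the boot falls back to the prompt, which is the "key server also locked" case this answer describes.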
