How to have a root LUKS partition decrypted without a password

Environment

  • Red Hat Enterprise Linux

Issue

  • How can we use keys at boot time to auto-decrypt a root filesystem residing on an encrypted LUKS volume (without requiring passphrase entry)?

Resolution

WARNING:

  • Having a root device that auto-decrypts at boot time in the following manner requires inserting UN-ENCRYPTED key material into an initramfs file in the boot filesystem (/boot)

  • An attacker that gets access to the storage for such a system could easily extract the key (file) from the initramfs found on the UN-ENCRYPTED boot filesystem and use it to open the encrypted root device

Note: The following solution is only possible in Red Hat Enterprise Linux 6 using package dracut-004-336.el6 or above (as first shipped in RHEL 6.5); it will never be possible in Red Hat Enterprise Linux 5 and below.
Note: For the steps to configure encrypted swap with random keys, please refer to kbase How to configure encrypted swap.

  1. Encrypt root device at install time via anaconda

  2. Create a key, e.g., something like the following:

    • dd if=/dev/random bs=32 count=1 of=/root/.keyfile
    • printf 'this could be the same passphrase used in anaconda' >/root/.keyfile
  3. [Optional] Set restrictive permissions on keyfile, e.g.:

    • chmod 0 /root/.keyfile
  4. Add key to device, e.g., something like the following:

    • cryptsetup luksAddKey /dev/volgroup/lv_root /root/.keyfile
    • cryptsetup luksAddKey /dev/sda2 /root/.keyfile
  5. Modify /etc/crypttab to reference the key

    • This entails replacing the 3rd column (often "none") of the entry for the root device with the path to the key file
    • See man crypttab for more detail
  6. Configure dracut to always include the keyfile when it builds initramfs, e.g.:

    • echo 'install_items+="/root/.keyfile /path/to/another/keyfile"' >>/etc/dracut.conf
  7. Recreate the initramfs:

    • dracut -f
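The procedure above as an added shell script; it is not part of this solution or of the dracut or cryptsetup projects. Steps 2 through 7 are written as functions so the crypttab and dracut.conf edits can be exercised on copies of the files before touching the real ones, and two checks are added after `dracut -f`: that the key really landed in the image, and that the image file itself is not readable by group or others, because anyone who can read the initramfs can read the key inside it (what mode dracut gives the image is something to verify on the system, not assume). All names and paths (KEYFILE, CRYPTTAB, DRACUT_CONF, DEVICE, LUKS_AUTOUNLOCK_APPLY, the function names) are assumptions of this example; step 1 (encrypting root in anaconda) is assumed done.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution: steps 2-7 as shell functions.
# Assumed/adjustable: KEYFILE, CRYPTTAB, DRACUT_CONF (defaults are the real
# paths) and DEVICE, the LUKS device, e.g. /dev/volgroup/lv_root.

KEYFILE=${KEYFILE:-/root/.keyfile}
CRYPTTAB=${CRYPTTAB:-/etc/crypttab}
DRACUT_CONF=${DRACUT_CONF:-/etc/dracut.conf}

# Steps 2 and 3: 32 random bytes, created 0600 and filled one byte at a time
# until the file holds 32 bytes, which avoids the short block that
# `dd if=/dev/random bs=32 count=1` can return. Mode 0 is set last, so this
# also works when the functions are tried out as an unprivileged user.
make_keyfile() {  # make_keyfile PATH [RANDOM_SOURCE]
    path=$1; src=${2:-/dev/random}
    (umask 077 && : > "$path") || return 1
    have=0
    while [ "$have" -lt 32 ]; do
        dd if="$src" bs=1 count=$((32 - $have)) >> "$path" 2>/dev/null || return 1
        have=$(wc -c < "$path")
    done
    chmod 0 "$path"
}

# Step 5: set the 3rd column of the crypttab line whose 2nd column is SOURCE
# (for the page's example that is UUID=2317b46e-...). Only that line changes,
# unlike `sed -i 1s,none,...` which rewrites whatever sits on line 1, and an
# existing 4th options column survives. Fails if no line matches.
set_crypttab_key() {  # set_crypttab_key CRYPTTAB SOURCE KEYFILE
    tab=$1; src=$2; key=$3
    awk -v src="$src" '$0 !~ /^#/ && $2 == src { found = 1 } END { exit !found }' "$tab" || return 1
    tmp=$(mktemp) || return 1
    awk -v src="$src" -v key="$key" '$0 !~ /^#/ && $2 == src { $3 = key } { print }' "$tab" > "$tmp" \
        && cat "$tmp" > "$tab"   # rewrite in place, keeping the file's inode and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Step 6: make every initramfs dracut builds carry the keyfile. Idempotent, so
# re-running the script does not stack duplicate install_items lines.
add_dracut_install_item() {  # add_dracut_install_item DRACUT_CONF KEYFILE
    conf=$1; key=$2
    grep -qsFx "install_items+=\"$key\"" "$conf" && return 0
    printf 'install_items+="%s"\n' "$key" >> "$conf"
}

# True only when FILE grants nothing to group or others (0600, 0400, 0, ...).
# The key inside the initramfs is exactly as private as the image file.
initramfs_private() {  # initramfs_private FILE
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# After step 7: the key must be in the image and the image must not be
# readable by unprivileged users. Either failure is reported and returns 1.
check_initramfs() {  # check_initramfs INITRAMFS KEYFILE
    img=$1; key=$2
    lsinitrd "$img" | grep -q -- "${key#/}\$" \
        || { echo "$key is not inside $img" >&2; return 1; }
    initramfs_private "$img" \
        || { echo "$img is readable by group/others; consider chmod 0600" >&2; return 1; }
}

# Steps 2-7 end to end, as root, once the warning above has been weighed:
#   LUKS_AUTOUNLOCK_APPLY=1 sh luks-autounlock.sh /dev/volgroup/lv_root
# The crypttab line is matched on UUID=<luks uuid> unless a second argument
# gives the source column as it actually appears in the file.
apply_all() {  # apply_all DEVICE [CRYPTTAB_SOURCE]
    dev=$1
    if [ -n "$2" ]; then src=$2; else src=UUID=$(cryptsetup luksUUID "$dev") || return 1; fi
    make_keyfile "$KEYFILE"                           || return 1
    cryptsetup luksAddKey "$dev" "$KEYFILE"           || return 1  # step 4, prompts for an existing passphrase
    set_crypttab_key "$CRYPTTAB" "$src" "$KEYFILE"    || return 1
    add_dracut_install_item "$DRACUT_CONF" "$KEYFILE" || return 1
    dracut -f                                         || return 1  # step 7
    check_initramfs "/boot/initramfs-$(uname -r).img" "$KEYFILE"
}

if [ "${LUKS_AUTOUNLOCK_APPLY:-0}" = 1 ]; then
    apply_all "${1:?usage: LUKS_AUTOUNLOCK_APPLY=1 sh $0 DEVICE [CRYPTTAB_SOURCE]}" "$2"
fi
```

Nothing runs unless LUKS_AUTOUNLOCK_APPLY=1 is set, so the file can be sourced to try `set_crypttab_key` and `add_dracut_install_item` against copies first (`CRYPTTAB=/tmp/crypttab.copy`). `chmod 0` on the keyfile only stops non-root reads; it does nothing against the exposure described in the warning, which is why `check_initramfs` looks at the image's mode in /boot rather than at the keyfile's.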

Root Cause

From the RHEL 6.5 Technical Notes:

> BZ#[886194](https://bugzilla.redhat.com/show_bug.cgi?id=886194)
> The dracut utility did not take into account all parameters of the /etc/crypttab file when setting up crypto devices. Consequently, options and file names in /etc/crypttab had no effect in initramfs. With this update, dracut passes options and file names to the cryptsetup tool when setting up crypto devices, and options and files in /etc/crypttab are now applied correctly.

Diagnostic Steps

  • Example of running through this process:

      [root]# printf here is my additional password > .keyfile
      [root]# cryptsetup luksAddKey /dev/volgroup/lv_root .keyfile
      Enter any passphrase:
      [root]# chmod 0 .keyfile
      [root]# sed -i 1s,none,/root/.keyfile, /etc/crypttab
      [root]# cat /etc/crypttab
      luks-2317b46e-b282-497b-9bda-d068c45291ac UUID=2317b46e-b282-497b-9bda-d068c45291ac /root/.keyfile
      [root]# echo 'install_items+="/root/.keyfile"' >> /etc/dracut.conf
      [root]# tail -1 /etc/dracut.conf
      install_items+="/root/.keyfile"
      [root]# dracut -f
      [root]# lsinitrd /boot/initramfs* | grep /.keyfile
      ----------   1 root     root            4 Nov 22 15:47 root/.keyfile
      [root]# reboot
    
      Broadcast message from root@rhel65.sawzall
          (/dev/ttyS0) at 15:50 ...
    
      The system is going down for reboot NOW!
      ....
      sr0: scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray
      Uniform CD-ROM driver Revision: 3.20
       vda: vda1 vda2
      dracut: Scanning devices vda2  for LVM logical volumes volgroup/lv_root 
      dracut: inactive '/dev/volgroup/lv_root' [4.88 GiB] inherit
      dracut: luksOpen /dev/mapper/volgroup-lv_root luks-2317b46e-b282-497b-9bda-d068c45291ac /root/.keyfile
      Clocksource tsc unstable (delta = -34359916986 ns)
      Intel AES-NI instructions are not detected.
      padlock: VIA PadLock not detected.
      EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts:
      dracut: Mounted root filesystem /dev/mapper/luks-2317b46e-b282-497b-9bda-d068c45291ac
      dracut: Loading SELinux policy
      type=1404 audit(1385154580.874:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
      type=1403 audit(1385154581.600:3): policy loaded auid=4294967295 ses=4294967295
      dracut:
      dracut: Switching root
      .....
    
      Red Hat Enterprise Linux Server release 6.5 (Santiago)
      Kernel 2.6.32-431.el6.x86_64 on an x86_64
    
      rhel65.sawzall login: root
      Password:
      Last login: Fri Nov 22 15:58:22 on tty1
      [root]# lsblk
      NAME                        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
      sr0                          11:0    1 1024M  0 rom
      vda                         252:0    0    6G  0 disk
      ├─vda1                      252:1    0  200M  0 part  /boot
      └─vda2                      252:2    0  4.9G  0 part
        └─volgroup-lv_root (dm-0) 253:0    0  4.9G  0 lvm
          └─luks-2317b46e-b282-497b-9bda-d068c45291ac (dm-1)
                                  253:1    0  4.9G  0 crypt /
      
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.