LUKS Headless Laptop

Working around the LUKS passphrase prompt on laptops that have now transitioned to headless machines

As we grow old, so do our computing machines. And just as we don't decommission ourselves, neither should we decommission the machines. They should be semi-retired, delegating major tasks to newer machines while they can still serve some less demanding work: file servers, UPnP servers et cetera.

It is common on Debian and on Debian-installer-based derivatives, and elsewhere too, to use block encryption on Linux. With machines from this decade, I think we've always had CPU extensions for encryption.

So, as would be the usual case, all my laptops are block encrypted. But as they reach the phase of their life where they retire to serving as a headless boss, it becomes cumbersome to keep feeding them a passphrase, along with all the logistics involved in feeding it. As such, I wanted to get rid of feeding the passphrase.

Then, there's also the case of bad/faulty hardware, much of which can temporarily regain its functionality when reset, which usually means rebooting the machine. I still recollect the words of my Linux Guru - Dhiren Raj Bhandari - that many unexplainable errors can be resolved by just rebooting the machine. This was more than 20 years ago in the prime era of the Microsoft Windows OS and the context back then was quite different, but yes, some bits of that saying still apply today.

So I wanted my laptop, which had LUKS set up for 2 disks, to go password-less now. I stumbled across a slightly dated article where the author achieved similar results with a keyscript. So the thing was doable.

To my delight, Debian's cryptsetup has the best setup and documentation in place to do it by just adding key files:

rrs@lenovo:~$ dd if=/dev/random of=sda7.key bs=1 count=512
512+0 records in
512+0 records out
512 bytes copied, 0.00540209 s, 94.8 kB/s
19:19 ♒♒♒   ☺ 😄    

rrs@lenovo:~$ dd if=/dev/random of=sdb1.key bs=1 count=512
512+0 records in
512+0 records out
512 bytes copied, 0.00536747 s, 95.4 kB/s
19:20 ♒♒♒   ☺ 😄    

rrs@lenovo:~$ sudo cryptsetup luksAddKey /dev/sda7 sda7.key 
[sudo] password for rrs: 
Enter any existing passphrase: 
No key available with this passphrase.
19:20 ♒♒♒    ☹ 😟=> 2  

rrs@lenovo:~$ sudo cryptsetup luksAddKey /dev/sda7 sda7.key 
Enter any existing passphrase: 
19:20 ♒♒♒   ☺ 😄    

rrs@lenovo:~$ sudo cryptsetup luksAddKey /dev/sdb1 sdb1.key 
Enter any existing passphrase: 
19:21 ♒♒♒   ☺ 😄    

and, once the key files are listed in the key file field of /etc/crypttab, a single setting in the cryptsetup-initramfs hook configuration to ensure they propagate to the initramfs:

rrs@lenovo:~$ cat /etc/cryptsetup-initramfs/conf-hook 
#
# Configuration file for the cryptroot initramfs hook.
#

#
# KEYFILE_PATTERN: ...
#
# The value of this variable is interpreted as a shell pattern.
# Matching key files from the crypttab(5) are included in the initramfs
# image.  The associated devices can then be unlocked without manual
# intervention.  (For instance if /etc/crypttab lists two key files
# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key"
# to add them to the initrd.)
#
# If KEYFILE_PATTERN if null or unset (default) then no key file is
# copied to the initramfs image.
#
# Note that the glob(7) is not expanded for crypttab(5) entries with a
# 'keyscript=' option.  In that case, the field is not treated as a file
# name but given as argument to the keyscript.
#
# WARNING: If the initramfs image is to include private key material,
# you'll want to create it with a restrictive umask in order to keep
# non-privileged users at bay.  For instance, set UMASK=0077 in
# /etc/initramfs-tools/initramfs.conf
#

KEYFILE_PATTERN="/etc/luks/sd*.key"
19:44 ♒♒♒   ☺ 😄    
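
The session above shows the pieces but not the glue between them: the key files have to end up under /etc/luks with root-only permissions, the crypttab(5) entries have to name them, and the initramfs has to be rebuilt with UMASK=0077 as the conf-hook comment warns. The script below is an added example written for this post, not the author's own session or Debian's code; it automates those steps on a Debian system and then verifies the result. The device list, the mapper names (sda7_crypt, sdb1_crypt), the /etc/luks directory and the HEADLESS_LUKS_APPLY switch are assumptions chosen to match the post's KEYFILE_PATTERN. One caveat a practitioner should weigh first: the initramfs lives in /boot, which is normally unencrypted, so a key copied into it is readable by anyone who can read that partition, and the LUKS volumes then protect against little more than a drive being read by a machine without that /boot. The UMASK setting only keeps non-root local users away from the key; it does nothing against physical access.

```shell
#!/bin/sh
# Added example, not the post's own shell session or Debian's code.
# Device names, mapper names and the /etc/luks directory are assumptions.
set -eu

KEYDIR=/etc/luks

# Create a 512-byte random key file readable only by root.  The umask is set
# in a subshell before dd opens the file, so the key is never readable by
# other users even briefly (the post's dd ran with the default umask in a
# home directory).  bs=512 count=1 reads the same 512 bytes as bs=1 count=512.
make_keyfile() {
    keyfile=$1
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=512 count=1 status=none )
    chmod 0400 "$keyfile"
}

# Replace the key file field (third field) of the crypttab(5) entry for one
# mapper name, leaving every other line untouched.  The crypttab path is an
# argument so the function can be exercised on a copy.
crypttab_set_keyfile() {
    file=$1 name=$2 keyfile=$3
    awk -v n="$name" -v k="$keyfile" '$1 == n { $3 = k } { print }' \
        "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Set or append KEY=VALUE in a shell-style config file (conf-hook,
# initramfs.conf) without leaving a second, conflicting assignment behind.
set_conf() {
    file=$1 key=$2 value=$3
    if grep -q "^$key=" "$file"; then
        sed -i "s|^$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Enrol a fresh key file as an extra key slot for one device and point its
# existing /etc/crypttab entry at it.  cryptsetup prompts for an existing
# passphrase here, exactly as in the post.
enrol_device() {
    name=$1 dev=$2
    keyfile="$KEYDIR/$(basename "$dev").key"
    make_keyfile "$keyfile"
    cryptsetup luksAddKey "$dev" "$keyfile"
    crypttab_set_keyfile /etc/crypttab "$name" "$keyfile"
}

apply() {
    mkdir -p "$KEYDIR" && chmod 0700 "$KEYDIR"
    enrol_device sda7_crypt /dev/sda7
    enrol_device sdb1_crypt /dev/sdb1
    # Tell the cryptroot hook which key files to copy, and keep the resulting
    # initrd unreadable by non-root users, as the conf-hook comment advises.
    set_conf /etc/cryptsetup-initramfs/conf-hook KEYFILE_PATTERN "\"$KEYDIR/sd*.key\""
    set_conf /etc/initramfs-tools/initramfs.conf UMASK 0077
    update-initramfs -u -k all
    # Verify: the initrd must be mode 600 and must actually contain key files
    # (the hook may place its copies under a different path inside the image).
    stat -c '%a %n' "/boot/initrd.img-$(uname -r)"
    lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -E '\.key$'
}

# Only touch the system when explicitly asked; otherwise the file just
# defines the functions above.
if [ "${HEADLESS_LUKS_APPLY:-0}" = 1 ]; then
    apply
fi
```

Run it as root with HEADLESS_LUKS_APPLY=1 after adjusting the device and mapper names to your own /etc/crypttab. If the pattern does not match or update-initramfs fails, the next boot simply falls back to the passphrase prompt, so the change is safe to test with a reboot; the old passphrase slots stay valid and can still be used from a console.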

The whole thing took me around 20-25 minutes, including drafting this post. From Retired Head and Password Prompt to Headless and Password-less. The beauty of Debian and FOSS.
