

LUKS with remote header, encrypted key

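# LUKS volume with a detached ("remote") header and a GPG-encrypted key file.
#
# Layout: DEV holds only ciphertext, HEADER.img holds the LUKS header with
# every key slot, KEY.gpg holds the symmetrically encrypted key file.
# Losing HEADER.img makes the data unrecoverable -- the fallback passphrase
# added below lives in the header too -- so keep a backup of it off DEV.
#
# Replace DEV with the target block device. luksFormat is destructive;
# double-check the device name before running it.

# gpg needs to know the terminal for its pinentry when it runs inside a pipe.
GPG_TTY=$(tty)
export GPG_TTY

# Create the key: one byte under cryptsetup's 8192 kB key-file limit,
# encrypted with AES-256 under a passphrase. iflag=fullblock makes dd retry
# short reads so the key really is bs bytes long.
dd if=/dev/urandom bs=8388607 count=1 iflag=fullblock \
  | gpg --symmetric --cipher-algo AES256 --output KEY.gpg

# Allocate an empty file for the detached header. 2 MiB covers a LUKS1
# header; a LUKS2 header is larger by default -- TODO confirm for your
# cryptsetup version.
truncate -s 2M HEADER.img

# Format: the header is written to HEADER.img, DEV itself gets no header.
# Build the file system on the opened mapping (/dev/mapper/enc below), never
# on DEV, or the ciphertext is overwritten. The key is streamed from gpg on
# stdin so no plaintext copy ever touches disk.
gpg --decrypt KEY.gpg \
  | cryptsetup --cipher serpent-xts-plain64 --key-size 512 --hash sha512 \
      --header HEADER.img --key-file - luksFormat DEV

# Check the result (the metadata lives in the header, not on DEV).
cryptsetup luksDump HEADER.img

# Add a fallback passphrase in case KEY.gpg or its passphrase is lost. The
# slot is added to the header, not to DEV. Process substitution hands the
# decrypted key to cryptsetup through a pipe: no plaintext file lands in /tmp
# (a plain rm would not securely erase it), and stdin stays free for the
# new-passphrase prompt.
cryptsetup --key-file <(gpg --decrypt KEY.gpg) luksAddKey HEADER.img

# Open the volume as /dev/mapper/enc ...
gpg --decrypt KEY.gpg | cryptsetup --header HEADER.img --key-file - open DEV enc

# ... and close it again.
cryptsetup close enc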
