LUKS with a detached (remote) header and a GPG-encrypted key file
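#!/usr/bin/env bash
# LUKS volume with a detached ("remote") header and a GPG-encrypted key file.
#
# Layout: DEV receives only ciphertext. All LUKS metadata (key slots, cipher
# parameters) lives in HEADER.img, and the unlock key lives in KEY.gpg
# (symmetrically encrypted with GPG). Without HEADER.img the data on DEV is
# unrecoverable, so keep copies of HEADER.img and KEY.gpg off the device.
#
# Usage:  DEV=/dev/sdX ./luks-remote-header.sh {genkey|format|addkey|open|close}
#
# Environment:
#   DEV          block device to encrypt / open (required for format and open)
#   KEY          GPG-encrypted key file           (default: KEY.gpg)
#   HEADER       detached header image            (default: HEADER.img)
#   NAME         device-mapper name used by open  (default: enc)
#   HEADER_SIZE  size of the header image         (default: 16M)
#
# Fixes over the original recipe:
#   - key is generated with head -c instead of `dd bs=8388607 count=1`, which
#     can produce a short key if /dev/urandom returns a partial read;
#   - header image is 16M: cryptsetup now defaults to LUKS2, whose header does
#     not fit in the 2M file the original allocated (LUKS1 needed only 2M);
#   - the fallback-passphrase step no longer dumps the decrypted key to a
#     predictable plaintext file in /tmp (and the unused mkfifo is gone);
#   - the header/key names are consistent (the original mixed KEY.gpg/KEYFILE).
set -euo pipefail

KEY=${KEY:-KEY.gpg}
HEADER=${HEADER:-HEADER.img}
NAME=${NAME:-enc}
HEADER_SIZE=${HEADER_SIZE:-16M}
# Length of the raw key, kept from the original recipe: just under the 8192 kB
# key-file limit cryptsetup documents for LUKS.
readonly KEY_BYTES=8388607

# Let gpg's pinentry find the terminal even when gpg runs inside a pipeline.
GPG_TTY=${GPG_TTY:-$(tty 2>/dev/null || true)}
export GPG_TTY

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Generate a random key and store it GPG-encrypted in $KEY.
# Globals:   KEY (written), KEY_BYTES
# Outputs:   gpg prompts for the symmetric passphrase on the terminal
#######################################
gen_key() {
  [[ -e "$KEY" ]] && die "$KEY already exists; refusing to overwrite it"
  # head -c delivers exactly KEY_BYTES; a single large dd block may come back
  # short from /dev/urandom without dd complaining.
  head -c "$KEY_BYTES" /dev/urandom \
    | gpg --symmetric --cipher-algo AES256 --output "$KEY"
}

#######################################
# Allocate the detached header and luksFormat DEV with the decrypted key.
# Globals:   DEV, KEY, HEADER, HEADER_SIZE
# Outputs:   luksDump of the new header (note: of HEADER, not of DEV)
#######################################
format_dev() {
  : "${DEV:?set DEV to the block device to encrypt}"
  [[ -b "$DEV" ]] || die "$DEV is not a block device"
  [[ -e "$HEADER" ]] && die "$HEADER already exists; refusing to overwrite it"
  # LUKS2 is the default type of current cryptsetup and uses a 16 MiB header;
  # a 2M file (enough for LUKS1) makes luksFormat fail as "too small".
  truncate -s "$HEADER_SIZE" "$HEADER"
  # stdin is the pipe carrying the key, not a terminal, so cryptsetup will not
  # ask its "Are you sure?" confirmation -- the -b check above is the only
  # guard against a wrong DEV. If gpg fails (bad passphrase), pipefail aborts
  # the script, but only after cryptsetup has already read an empty key:
  # always verify with luksDump and a test `open` before writing data.
  gpg --decrypt "$KEY" \
    | cryptsetup --cipher serpent-xts-plain64 --key-size 512 --hash sha512 \
        --header "$HEADER" --key-file - luksFormat "$DEV"
  cryptsetup luksDump "$HEADER"
}

#######################################
# Add a fallback passphrase to the header for the case where $KEY is lost.
# The existing key is supplied through a process substitution, so the
# plaintext never touches disk; stdin stays the terminal, from which
# cryptsetup prompts for the new passphrase. Operates on HEADER, not DEV.
# Globals:   KEY, HEADER
#######################################
add_fallback_passphrase() {
  [[ -f "$HEADER" ]] || die "$HEADER not found"
  cryptsetup --key-file <(gpg --decrypt "$KEY") luksAddKey "$HEADER"
}

#######################################
# Unlock DEV as /dev/mapper/$NAME using the detached header and GPG key.
# Globals:   DEV, KEY, HEADER, NAME
#######################################
open_dev() {
  : "${DEV:?set DEV to the block device to open}"
  [[ -f "$HEADER" ]] || die "$HEADER not found"
  gpg --decrypt "$KEY" \
    | cryptsetup --header "$HEADER" --key-file - open "$DEV" "$NAME"
}

# Tear down the mapping created by open_dev.
close_dev() {
  cryptsetup close "$NAME"
}

usage() {
  printf 'Usage: DEV=/dev/sdX %s {genkey|format|addkey|open|close}\n' "${0##*/}" >&2
  exit 2
}

main() {
  case "${1:-}" in
    genkey) gen_key ;;
    format) format_dev ;;
    addkey) add_fallback_passphrase ;;
    open)   open_dev ;;
    close)  close_dev ;;
    *)      usage ;;
  esac
}

main "$@"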