Auto-Unlock LUKS: Safe Boot Setup

TL;DR

This guide shows you how to automatically unlock a LUKS-encrypted container at boot without storing your passphrase in plain text. We’ll use a keyfile that only root can read, together with a systemd unit that runs cryptsetup open with that keyfile during boot.

Prerequisites

  • You have a LUKS encrypted partition or file.
  • You know the passphrase for your LUKS container.
  • You have root access (sudo).

Step 1: Create a Keyfile

A keyfile is a file of random bytes that unlocks your LUKS container in place of your passphrase. Because it is long, random and never typed, it is much safer than writing the passphrase itself into a script or configuration file.

  1. Generate a strong keyfile:
    sudo dd if=/dev/urandom of=/etc/luks-keyfile bs=4096 count=1

    This creates a 4KB keyfile. You can make it larger, but 4KB of random data is already more than sufficient.

  2. Restrict permissions on the keyfile so only root can read it (dd run via sudo already makes root the owner):
    sudo chmod 400 /etc/luks-keyfile
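The two steps above, plus the checks a careful admin runs before handing the keyfile to cryptsetup (mode 400, root ownership, enough random material), as an added shell example that is not part of the original post. It assumes GNU coreutils (stat -c, dd status=none), i.e. an ordinary Linux system, and the function names are my own.

```shell
#!/bin/sh
# Added example: create a LUKS keyfile and verify it is safe to use.
# Assumes GNU coreutils (stat -c, dd status=none).

# make_keyfile PATH [BYTES]: write BYTES random bytes to PATH, owner-readable only.
make_keyfile() {
  path=$1
  bytes=${2:-4096}
  # umask 077 means the file is never group/world-readable, not even briefly
  # between dd creating it and chmod tightening it.
  ( umask 077 && dd if=/dev/urandom of="$path" bs="$bytes" count=1 status=none ) || return 1
  chmod 400 "$path"
}

# check_keyfile PATH [MIN_BYTES]: return 0 if PATH is a regular file with a
# restrictive mode and at least MIN_BYTES of content; otherwise print the
# reason on stderr and return 1.
check_keyfile() {
  path=$1
  min=${2:-4096}
  [ -f "$path" ] || { echo "check_keyfile: $path is missing or not a regular file" >&2; return 1; }
  mode=$(stat -c '%a' "$path")
  case "$mode" in
    400|600) ;;   # owner-only read (or read/write) is acceptable; anything wider is not
    *) echo "check_keyfile: mode $mode on $path, expected 400" >&2; return 1 ;;
  esac
  size=$(stat -c '%s' "$path")
  [ "$size" -ge "$min" ] || { echo "check_keyfile: only $size bytes in $path, expected >= $min" >&2; return 1; }
  # Root ownership can only be checked meaningfully when we are root ourselves.
  if [ "$(id -u)" -eq 0 ] && [ "$(stat -c '%u' "$path")" -ne 0 ]; then
    echo "check_keyfile: $path is not owned by root" >&2
    return 1
  fi
  return 0
}

# Typical use on a real system (as root), mirroring Steps 1 and 2 of the guide:
#   make_keyfile /etc/luks-keyfile && check_keyfile /etc/luks-keyfile \
#     && cryptsetup luksAddKey /dev/sda2 /etc/luks-keyfile
```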

Step 2: Add the Keyfile to Your LUKS Container

Now, add the keyfile as a valid unlock method for your container.

  1. Identify your LUKS device with lsblk or blkid (e.g., /dev/sda2); blkid reports TYPE="crypto_LUKS" for LUKS devices.

  2. Add the keyfile:
    sudo cryptsetup luksAddKey /dev/sda2 /etc/luks-keyfile

    Replace /dev/sda2 with your actual LUKS device.
    You will be prompted for your existing LUKS passphrase to confirm the operation; the keyfile goes into a free keyslot and the passphrase keeps working.

Step 3: Create a systemd Unit File

systemd will handle unlocking the container during boot.

  1. Create a new systemd unit file:
    sudo nano /etc/systemd/system/luks-auto-unlock.service
  2. Paste the following content into the file, replacing YOUR_LUKS_DEVICE (and the dev-sda2.device unit name) with your actual values:
    [Unit]
    Description=Auto Unlock LUKS Container
    # Run outside the default dependency chain so the mapped device exists
    # before local filesystems are mounted.
    DefaultDependencies=no
    # Wait for the LUKS device itself. Get its unit name with:
    #   systemd-escape --path --suffix=device YOUR_LUKS_DEVICE
    Requires=dev-sda2.device
    After=dev-sda2.device
    # The filesystem holding the keyfile must be mounted first.
    RequiresMountsFor=/etc/luks-keyfile
    Before=local-fs.target
    # Close the mapping cleanly at shutdown, after filesystems are unmounted.
    Conflicts=umount.target
    Before=umount.target
    
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/usr/bin/cryptsetup open --key-file /etc/luks-keyfile YOUR_LUKS_DEVICE yourcontainer
    ExecStop=/usr/bin/cryptsetup close yourcontainer
    
    [Install]
    WantedBy=multi-user.target

    Important: Change yourcontainer to a suitable name for the mapped device (e.g., ‘data’). cryptsetup open takes a plain name, not a path; the unlocked device then appears as /dev/mapper/yourcontainer, which is what the mount step refers to.

  3. Save and close the file.

Step 4: Enable and Start the Service

  1. Enable the service to start on boot:
    sudo systemctl enable luks-auto-unlock.service
  2. Start the service now:
    sudo systemctl start luks-auto-unlock.service
  3. Check the status of the service to ensure it started successfully:
    sudo systemctl status luks-auto-unlock.service

    Look for ‘active (exited)’ in the output.

Step 5: Mount the Container

The service unlocks the container, but it doesn’t mount it. You need a separate unit or fstab entry to do that, and either one must depend on luks-auto-unlock.service so the mapped device exists before the mount is attempted.

  1. Option 1: systemd Unit File (Recommended for more control)
    Create another systemd unit file similar to luks-auto-unlock.service, but with an ExecStart command that mounts the filesystem, and add Requires=luks-auto-unlock.service and After=luks-auto-unlock.service to its [Unit] section.
  2. Option 2: fstab Entry (Simpler, but less flexible)
    Add a line to your /etc/fstab file:

    /dev/mapper/yourcontainer  YOUR_MOUNTPOINT  filesystem_type  defaults,x-systemd.requires=luks-auto-unlock.service  0  2

    Replace yourcontainer and YOUR_MOUNTPOINT with the correct values, and filesystem_type with the actual filesystem type (e.g., ext4, xfs). The x-systemd.requires option makes the mount wait for the unlock service.

Step 6: Reboot and Verify

Reboot your system to confirm that the container unlocks automatically.

  • After rebooting, check if the container is mounted correctly.
  • If you used an fstab entry, verify it’s listed in the output of mount.

Important Security Considerations

  • Keep your keyfile secure! The keyfile is a secret stored in plain form on disk: anyone who can read it can unlock your container, and if the filesystem holding /etc is not itself encrypted, that includes anyone with access to the raw disk.
  • Consider using a separate partition for the keyfile if possible, ideally one that is not readable from an unencrypted root filesystem.
  • Regularly audit your system’s security, including who can read the keyfile (ls -l /etc/luks-keyfile) and which keyslots are in use (cryptsetup luksDump on the device).