
A Linux machine has a partition with sensitive data. The goal is to prevent someone from booting from a live USB, mounting the machine's hard drive and copying the data.
The partition is encrypted with cryptsetup, but it has to be decrypted on boot, so a key file is created to hold the password. The key is added to LUKS:

sudo cryptsetup luksAddKey <encrypted_device> <path_to_key>

For the system to find it on boot, the key file is linked in the /etc/crypttab:

$ sudo nano /etc/crypttab
# Content of the crypttab file
cryptpart    UUID=<partition_uuid>    <path_to_key>    luks


Question
Using a live USB, one can read /etc/crypttab, find the path of the key file and break the lock.
What is the solution?

afar
  • 71

1 Answer


What you have essentially described is keeping the key next to the lock. It's convenient, but you are correct that it's not secure.

Ideally, you should store the keyfile on a different device. Preferably hardware (like a USB stick) that is securely stored separately from the encrypted system.

This scenario is not a failure of the design of Linux encryption nor the design of Ubuntu. The developers did their part properly. It's a failure by the human admin of that system to do their part, and cannot be readily solved by software.

user535733
  • 68,493
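As an added example (not part of the question or the answer above), the following POSIX sh audit reads a crypttab and flags exactly the configuration the question describes: a LUKS key file that lives on the local filesystem, where a live USB can read it. The rules for what counts as "key on a separate device" are assumptions made here for illustration, namely a key path under /media or /mnt, or the `path:device` / `device:path` forms that systemd-cryptsetup and Debian's passdev keyscript accept; adjust them to your own conventions. The sample crypttab is constructed, not taken from the question.

```shell
#!/bin/sh
# audit_crypttab FILE
#   Reads a crypttab and classifies each entry by where its key lives.
#   Prints one "OK ..." or "WARN ..." line per entry and returns the number
#   of flagged entries (0 means nothing to fix).
# Field order is the one used in the question: <target> <source> <key> <options>.
# "none" or "-" in the key field means "prompt for a passphrase at boot".
audit_crypttab() {
    file=$1
    flagged=0
    while read -r target source key options; do
        # Skip blank lines and comments (the header line in the sample is a comment).
        case $target in ''|'#'*) continue ;; esac
        key=${key:-none}
        case $key in
            none|-)
                echo "OK   $target: passphrase prompt at boot" ;;
            # Assumed conventions for "key on a separate device":
            #   a removable-media mount point, or a path:device / device:path form.
            /media/*|/mnt/*|*:/dev/*|/dev/*:*)
                echo "OK   $target: key on a separate device ($key)" ;;
            *)
                echo "WARN $target: key file $key is stored next to the lock (readable from a live USB)"
                flagged=$((flagged + 1)) ;;
        esac
    done < "$file"
    return "$flagged"
}

# write_sample_crypttab
#   Writes a constructed crypttab (not from the question) to a temp file and
#   prints its path. Two entries keep the key on the local disk, one prompts,
#   one reads the key from a removable-media mount.
write_sample_crypttab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <target>   <source>                                    <key file>              <options>
cryptpart    UUID=11111111-2222-3333-4444-555555555555   /root/keyfile.bin       luks
cryptroot    UUID=66666666-7777-8888-9999-000000000000   none                    luks,discard
cryptdata    UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee   /media/keys/luks.key    luks
cryptbak     /dev/sdb1                                   /etc/keys/bak.key       luks
EOF
    echo "$f"
}

# Demo on the constructed sample. To audit a real system, run:
#   audit_crypttab /etc/crypttab
sample=$(write_sample_crypttab)
audit_crypttab "$sample" || echo "audit: $? entry/entries keep the key next to the lock"
rm -f "$sample"
```

A WARN line is the situation the answer describes: the key file sits on a filesystem that anyone with physical access can mount, so the encryption only protects against a disk read without the rest of the machine. Moving the key to a removable device that is kept separately, or switching the entry back to `none` so the passphrase is entered at boot, both clear the warning.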