Here is how to decrypt the root partition automatically at boot time on Ubuntu (and Debian derivatives).
Warning: this is not a good security practice. Anyone who can physically access your computer can find the decryption key and therefore access your data.
In the example below, the encrypted partition is /dev/vda3; replace it with your own.
Find the key size in bits:
cryptsetup luksDump /dev/vda3 | grep 'Key:'
Key: 512 bits
Create a random key of 512 bits (64 bytes) using dd:
dd if=/dev/urandom bs=1 count=64 of=/etc/cryptroot.key
chmod 600 /etc/cryptroot.key
Allow the key to decrypt the partition:
cryptsetup luksAddKey /dev/vda3 /etc/cryptroot.key
Write a keyscript file to output the key at boot time:
printf '#!/bin/sh\ncat /etc/cryptroot.key\n' > /lib/cryptsetup/scripts/keyscript
chmod 700 /lib/cryptsetup/scripts/keyscript
Write a hook for initramfs-tools (an executable script in /etc/initramfs-tools/hooks/) to copy the key file to the initramfs:
#!/bin/sh
cp /etc/cryptroot.key "$DESTDIR/etc/cryptroot.key"
Edit /etc/crypttab to specify the keyfile and the keyscript. In the 3rd column, add the path to the key file. In the 4th column, add keyscript=keyscript. Note that keyscript here is a file relative to /lib/cryptsetup/scripts.
dm_crypt-0 UUID=xxxx /etc/cryptroot.key luks,discard,keyscript=keyscript
Update your initramfs:
update-initramfs -k all -u
Reboot. The computer should not ask you for a password to decrypt the disk.
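After update-initramfs, every initramfs image carries a copy of the key, so the image's file mode matters as much as the mode of /etc/cryptroot.key. The audit below is an added example, not part of the original post; its function names are made up here, and it reads the key file path from the keyscript entries in a crypttab you pass in.

```shell
#!/bin/sh
# Added audit sketch (not from the original post). Every path is an argument,
# so the checks can run against the real files or against test copies.

# keyscript_entries CRYPTTAB: print "target keyfile keyscript" for each
# non-comment line whose 4th column carries a keyscript= option.
keyscript_entries() {
    awk '$1 !~ /^#/ && NF >= 4 {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^keyscript=/)
                print $1, $3, substr(opt[i], 11)
    }' "$1"
}

# mode_is_private FILE: succeed only when group and other have no access.
# -L follows symlinks so the target's mode is what gets checked.
mode_is_private() {
    perms=$(ls -ldL -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_private LABEL FILE: print a finding and fail if FILE is missing or
# accessible to anyone but its owner.
check_private() {
    if [ ! -e "$2" ]; then echo "MISSING $1: $2"; return 1; fi
    mode_is_private "$2" && return 0
    echo "EXPOSED $1: $2"; return 1
}

# audit_autounlock CRYPTTAB IMAGE...: check every key file referenced by a
# keyscript entry, then every initramfs image that embeds a copy of it.
audit_autounlock() {
    tab=$1; shift; rc=0
    for key in $(keyscript_entries "$tab" | awk '{print $2}'); do
        check_private "key file" "$key" || rc=1
    done
    for img in "$@"; do
        check_private "initramfs" "$img" || rc=1
    done
    return "$rc"
}

# Typical call on the system configured above (run as root):
#   audit_autounlock /etc/crypttab /boot/initrd.img-*
```

If an image is reported, setting UMASK=0077 in /etc/initramfs-tools/initramfs.conf and rerunning update-initramfs makes newly built images owner-only.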
Source with error handling scripts: https://devork.be/blog/2016/12/encrypted-root-on-debian-with/