Ubuntu 22.04.1 LUKS + ZFS automatic USB unlock at boot
HTML-код
- Опубликовано: 8 сен 2024
- This video accompanies the how to guide on AskUbuntu…
askubuntu.com/...
This video explains how to automatically decrypt a Ubuntu 22.04 ZFS+LUKS encrypted installation on boot with a detected USB drive containing an unlock key.
Video covers the installation of Ubuntu 22.04 from scratch, setting an encryption passphrase, creating a keyfile, setting up a USB drive and editing the bootloader to allow for automatic reading of the USB drive on boot.
References and Thanks:
unlock-usb script:
gist.github.co...
tqdev.com (Maurits van der Schee)
tqdev.com/2022...
Shazam @ unix.stackexchange.com
unix.stackexch...
Michael S @ askubuntu.com
askubuntu.com/...
Amazing job
Ottima guida, grazie mille!
My only concern here is that if zfs script is updated it will overwrite your changes. Ive used yubikey to unlock drives but this requires LUKS2 which AFAIK installers do not have yet. Also ive used systemd services to mount NFS shares with key to unlock my ZFS partitions. But this was for additional drives, don't know if its possible with boot drives.
Absolutely correct. If the zfs script is updated then these steps need to be done again. This video accompanies the steps on AskUbuntu here: askubuntu.com/questions/1414617/configure-ubuntu-22-04-zfs-for-automatic-luks-unlock-on-boot-via-usb-drive
When you install Ubuntu with the "encrypted ZFS" option in the installer, it will use LUKS encryption and not the ZFS native encryption, right? 🤔
Tried to do this using kubuntu, unfortunately because it doesn't use ZFS, there wasn't a file there to modify. Decided to install ubuntu first to set this up, then install the KDE Plasma DE. It appears to of worked at first but unfortunately it is incredibly buggy.
Sorry buddy, unfortunately i've only done it with vanilla ubuntu using the exact steps shown in the video :(
@@barezina It wasn't actually as buggy as I first thought, the buggy issues I had was actually KDE plasma's fault but I fixed it. Great video by the way.
I'm surprised that the use of a USB key wasn't a default option to begin with. Because there are apparently services that exist (which uses an array of GPUs) to brute force LUKS passwords, I would have to write down the password anyway as it would be very long and impossible for a human to remember which would have the same "vulnerability" as carrying around a USB drive on you that unlocks your drive.