Filename: /usr/share/doc/cryptsetup/README.gnupg
Size: 1.59 kb
Permission: rw-r--r--
Owner: root : root
Create time: 27-Apr-2025 10:01
Last modified: 02-Nov-2013 00:57
Last accessed: 06-Jul-2025 21:20

using GnuPG keys for LUKS dm-crypt devices in Debian
----------------------------------------------------

The Debian cryptsetup package provides the keyscript decrypt_gnupg for setups
with a GnuPG encrypted LUKS keyfile.

The following example assumes that you store the encrypted keyfile in
/etc/keys/cryptkey.gpg. The LUKS device is /dev/<luks_device>.

First, you'll have to create the encrypted keyfile:

# dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
--no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
--trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg

Next, the LUKS device needs to be formatted with the key. For that, the
decrypt_gnupg keyscript can be used:

# /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \
cryptsetup --key-file=- luksFormat /dev/<luks_device>

To unlock the encrypted LUKS device automatically during the boot process,
add the following to /etc/crypttab:

cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,keyscript=decrypt_gnupg
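
An added example, not part of the Debian README: a POSIX shell check that reads
a crypttab, picks out the entries using the decrypt_gnupg keyscript, and flags
key files that are missing (for instance because of a misspelled path) or
readable beyond their owner. The function names, the ROOT prefix argument, the
owner-only permission expectation and the sample device names are assumptions
made for this example.

```shell
#!/bin/sh
# Added example: audit crypttab entries that use the decrypt_gnupg keyscript.
# check_gnupg_crypttab CRYPTTAB [ROOT]
#   ROOT is a hypothetical path prefix, so the check can run against a
#   mounted image or a test tree instead of the live system.
check_gnupg_crypttab() {
    tab=$1; root=${2:-}; rc=0
    while read -r name dev key opts _ || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,keyscript=decrypt_gnupg,*|*,keyscript=*/decrypt_gnupg,*) ;;
            *) continue ;;
        esac
        path=$root$key
        if [ ! -f "$path" ]; then
            echo "WARN $name: key file $key not found"; rc=1
        elif [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
            # Assumption: the keyfile should be accessible to its owner only.
            echo "WARN $name: $key is accessible to group or other"; rc=1
        else
            echo "OK $name: $key"
        fi
    done < "$tab"
    return $rc
}

# Constructed sample: a throwaway tree with one good entry, one entry whose
# key path is misspelled, one world-readable key, and one non-GnuPG entry.
demo_check() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/etc/keys"
    : > "$t/etc/keys/cryptkey.gpg"; chmod 600 "$t/etc/keys/cryptkey.gpg"
    : > "$t/etc/keys/loose.gpg";    chmod 644 "$t/etc/keys/loose.gpg"
    cat > "$t/etc/crypttab" <<'EOF'
# <target> <source device> <key file> <options>
cdev1 /dev/sdX1 /etc/keys/cryptkey.gpg luks,keyscript=decrypt_gnupg
cdev2 /dev/sdX2 /etc/keys/crytpkey.gpg luks,keyscript=decrypt_gnupg
cdev3 /dev/sdX3 /etc/keys/loose.gpg luks,keyscript=/lib/cryptsetup/scripts/decrypt_gnupg
swap  /dev/sdX4 /dev/urandom swap
EOF
    check_gnupg_crypttab "$t/etc/crypttab" "$t"; status=$?
    rm -rf "$t"
    return $status
}

demo_check || true
```

On a real system the call would be `check_gnupg_crypttab /etc/crypttab`; a
non-zero return means at least one entry needs attention.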

encrypted root filesystem with GnuPG key
----------------------------------------

If you want to encrypt the root filesystem with a GnuPG encrypted key,
the provided initramfs hooks should do all the additional work required
when the initramfs is created or updated.

Be warned though, that the GnuPG key for encrypted root is copied to the
initramfs by the initramfs cryptgnupg hook. If you don't want your GnuPG key
inside the initramfs, you should take a look at the initramfs cryptgnupg hook,
which is located at /usr/share/initramfs-tools/hooks/cryptgnupg.