= KVM Host Booting from LUKS Encryption =

While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security rests on, so circumventing it really hoses your security: whoever holds the USB device described below can unlock the disks.

While playing around with this, be aware that it might render your system unbootable. You should have the skills to use a GNU/Linux recovery medium to undo the changes you have made before proceeding!

== Add a New LUKS Key ==

Find yourself a good passphrase. The command below hashes the literal string "uptime"; replace it with your own passphrase, or generate the 32 key bytes directly from /dev/urandom, since anyone who guesses the string can reproduce the key.

{{{
echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32
}}}

Add the new key.

{{{
cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1
Enter any existing passphrase:
}}}

== Put the Key on a USB Storage Device ==

Insert your USB storage device. It has to hold 32 bytes; it is hard to find a device that small. I use a 4GB USB storage device myself.

Make the USB storage device look like it's just garbage data. This runs until the device is full and then reports an error, which is expected.

{{{
dd if=/dev/urandom of=/dev/sde
}}}

Put the key on it. The 32 key bytes land at the very beginning of the device.

{{{
dd if=/root/install/luks/keyfile_md1 of=/dev/sde
}}}

== Using the Key ==

Next we need the initrd image to be able to use that information. Create the following script and make it executable. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key, rescanning once a second so that a USB device that shows up late is still found. Make sure you set `SOURCE` and `TARGET` to fit your system.

`/root/install/luks/keyscript.sh`

{{{#!highlight bash
#!/bin/sh
# Try the first 32 bytes of every block device listed in /proc/partitions
# as a LUKS key for SOURCE until the mapping TARGET exists in /dev/mapper.
SOURCE="/dev/md1"
TARGET="md1_crypt"
KEY="/tmp/proposedkey"

while [ ! -e /dev/mapper/${TARGET} ]
do
    while read a b c DEVICE
    do
        # skip the header line and blank lines of /proc/partitions
        [ -z "${DEVICE}" ] && continue
        if [ ! -e /dev/mapper/${TARGET} ] && [ -b /dev/${DEVICE} ]
        then
            #echo -n "$DEVICE "
            dd if=/dev/${DEVICE} of=${KEY} bs=1 count=32 > /dev/null 2>&1
            cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file ${KEY} > /dev/null 2>&1
        fi
    done < /proc/partitions
    # give a slow USB device time to appear before scanning again
    sleep 1
done
# do not leave a copy of the key lying around
rm -f ${KEY}
}}}
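Before rebooting a headless host, it is worth confirming that the key on the USB device is intact and really opens the volume, since a failed boot means a trip with a keyboard. The script below is an added example, not part of the original page; `USBDEV`, `KEYFILE` and `SOURCE` are assumptions taken from the paths used above, and the `check` mode calls the real cryptsetup with `--test-passphrase`, which verifies the key without activating a mapping.

```shell
#!/bin/sh
# Added example: verify the USB key before relying on it at boot.
# USBDEV, KEYFILE and SOURCE are assumed defaults; override via environment.
USBDEV="${USBDEV:-/dev/sde}"
KEYFILE="${KEYFILE:-/root/install/luks/keyfile_md1}"
SOURCE="${SOURCE:-/dev/md1}"

# candidate_devices: print device names from a /proc/partitions style listing
# given on stdin, skipping the header line and blank lines (the same parsing
# the boot script relies on).
candidate_devices() {
    while read _major _minor _blocks name
    do
        [ -n "$name" ] && [ "$name" != "name" ] && echo "$name"
    done
}

# key_matches DEV KEY: succeed only if the first 32 bytes of DEV equal KEY.
key_matches() {
    dd if="$1" bs=1 count=32 2>/dev/null | cmp -s - "$2"
}

# key_unlocks: ask cryptsetup to test the key file without mapping the volume.
key_unlocks() {
    cryptsetup luksOpen --test-passphrase --key-file "$KEYFILE" "$SOURCE"
}

# Run the full check only when invoked as: keycheck.sh check
if [ "${1:-}" = "check" ]; then
    key_matches "$USBDEV" "$KEYFILE" || { echo "key on $USBDEV differs from $KEYFILE"; exit 1; }
    key_unlocks || { echo "key does not unlock $SOURCE"; exit 1; }
    echo "ok: $USBDEV holds a key that unlocks $SOURCE"
fi
```

Run it as `sh keycheck.sh check` as root after writing the key to the device; a non-zero exit means do not reboot yet.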