This guide is known to work with Ubuntu 18.04, 20.04 and 22.04. You should be doing this setup as root, which is why I omitted sudo.
The idea here is that we’ll be copying the keyfile to the initramfs to automatically unlock the system drive, and once we want to destroy the data, instead of overwriting the entire drive, we’ll simply overwrite the boot partition multiple times. However, this does not work with flash storage!
In a default Ubuntu (encrypted) setup the main drive is encrypted using dm-crypt/LUKS and only the UEFI and boot partitions are unencrypted.
By default, after installation you will be asked for your encryption passphrase which is of course the secure way to do things, especially on a laptop. But on a server this might be inconvenient, and if you’re still using an HDD you can simply overwrite the boot partition multiple times before decommissioning the drive. On flash storage, however, you do not have control over where files are written to internally so overwriting a single partition is meaningless and won’t guarantee destruction of the encryption key. Therefore, only do this with HDD drives!
Generating the key
First, we’ll create our folders and files and set up permissions:
mkdir /etc/luks
chmod 700 /etc/luks
touch /etc/luks/system.key
chmod 400 /etc/luks/system.key
Now we’ll generate a new key with:
dd if=/dev/urandom of=/etc/luks/system.key bs=4096 count=1
Note that using /dev/random would be safer, but it is blocking and could potentially stall for a very long time while generating the key, which is why I am using /dev/urandom here. If you insist on using /dev/random instead, you should probably also add iflag=fullblock to the command (so dd does not stop early after a short read and produce a truncated key).
Verify that only root can read the key:
ls -l /etc/luks/system.key
If other users can read the key, do:
chmod 400 /etc/luks/system.key
No other user should be able to read the encryption key!
Adding the key to LUKS
Now we’ll add the key to LUKS so that it can actually unlock the partition.
Replace /dev/sdX with the encrypted partition. You can figure this out by running:
lsblk -o +FSTYPE
Look for the partition of type crypto_LUKS and then add the key to it with:
cryptsetup luksAddKey /dev/sdX /etc/luks/system.key
It will ask you to enter an existing passphrase; do so and hit enter.
Setting up auto-unlock (initramfs)
First make sure you have cryptsetup-initramfs installed:
apt install cryptsetup-initramfs
Now edit /etc/cryptsetup-initramfs/conf-hook with your favourite editor like nano:
nano /etc/cryptsetup-initramfs/conf-hook
Uncomment KEYFILE_PATTERN= and replace it with:
KEYFILE_PATTERN=/etc/luks/*.key
Save the file and exit. This will make sure all *.key files in /etc/luks/ will be copied to the initramfs.
Now do:
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
This makes sure the generated initramfs image, which now contains the key, is created with restrictive permissions (readable by root only).
Now edit /etc/crypttab with your favourite editor like nano:
nano /etc/crypttab
Where you might see an entry like:
dm_crypt-0 UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none luks
Replace “none” with the path of your key so it would be something like:
dm_crypt-0 UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /etc/luks/system.key luks
And then finally, we recreate the initramfs with:
update-initramfs -u -k all
You can now reboot and it should automatically unlock the drive!
Great guide, thank you!