Using QR Code to Unlock Encrypted File Container

I needed an offline solution to keep my key file secure on the work computer, where I can’t use a pen drive or any other external storage but am allowed to use the webcam. The password is required to be at least 500 characters long, which is obviously tedious to write manually, so the only solution that came to mind was a QR Code, which is capable of holding long passwords.

The tools used in this tutorial are:

  • zbar-tools, for scanning the QR Code via webcam.
  • LUKS via cryptsetup, for managing the encrypted file container.

Write the scripts, customise them to your liking, and follow the preparation. After that, executing unlock_crypto.sh and scanning the QR Code should unlock the encrypted file container.

Script

getpass.sh

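#!/bin/dash
# Abort if XDG_RUNTIME_DIR is unset; a bare "cd" would switch to $HOME and put the password on disk.
cd "${XDG_RUNTIME_DIR:?}" || exit 1
touch passwd.txt
chmod 600 passwd.txt
# Scan the QR Code and store the password in RAM; the runtime directory is volatile, so the temporary file does not persist.
zbarcam --raw -1 > passwd.txt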

open.sh

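#!/bin/dash
# $1 = the user's home directory, $2 = the user's $XDG_RUNTIME_DIR (already an absolute path)
cryptsetup open --type luks "${1}/.usr/img/crypto.img" crypto --key-file "${2}/passwd.txt" || exit 1
mount -t ext4 /dev/mapper/crypto "${1}/.key"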

clearpass.sh

#!/bin/dash
cd "${XDG_RUNTIME_DIR:?}" || exit 1
# Remove the password file written by getpass.sh.
rm -f passwd.txt

unlock_crypto.sh

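#!/bin/dash
cd /home/cjjackson/.usr/libexec/crypt || exit 1
./getpass.sh || { ./clearpass.sh; exit 1; }
sudo ./open.sh "$HOME" "$XDG_RUNTIME_DIR"
status=$?
# Always remove the password file, even when opening the container failed.
./clearpass.sh
exit "$status"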

lock_crypto.sh

#!/bin/dash
umount "$HOME/.key"
cryptsetup close crypto

Preparation

# Get password
./getpass.sh
# Create the container
dd if=/dev/urandom of="$HOME/.usr/img/crypto.img" bs=1G count=1 iflag=fullblock
# Format the container
cryptsetup luksFormat "$HOME/.usr/img/crypto.img" --key-file "$XDG_RUNTIME_DIR/passwd.txt"
# Open the container (same image path as the one created above)
sudo cryptsetup open --type luks "$HOME/.usr/img/crypto.img" crypto --key-file "$XDG_RUNTIME_DIR/passwd.txt"
# Format to ext4
sudo mkfs.ext4 /dev/mapper/crypto
# Close the container
sudo cryptsetup close crypto
# Clear Pass
./clearpass.sh

Note

You may need to change the ownership of the mounted folder.

sudo chown cjjackson:cjjackson /home/cjjackson/.key

I used qrencode to create the QR Code and save it to my phone.
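
An added example, not part of the original post: one way to harden the key-file handling done by getpass.sh, clearpass.sh and unlock_crypto.sh. It creates the file with mode 0600 from the first byte, rejects scans shorter than the 500 characters mentioned above, and deletes the file whether or not cryptsetup succeeds. The names read_key, with_key, unlock and MIN_LEN are assumptions; the paths and commands are the ones used in the post.

```sh
#!/bin/sh
# Added example; read_key, with_key, unlock and MIN_LEN are hypothetical names.
MIN_LEN=500   # minimum password length stated in the post

# read_key FILE: copy stdin into FILE, created with mode 0600, and reject
# input shorter than MIN_LEN bytes (newlines are not counted).
read_key() {
    keyfile=$1
    rm -f "$keyfile"          # never reuse a file that carries old permissions
    # umask applies at creation time, so the mode is 0600 from the first byte.
    # The subshell keeps the umask change local to this one write.
    ( umask 077 && cat > "$keyfile" ) || return 1
    len=$(( $(tr -d '\n' < "$keyfile" | wc -c) ))
    if [ "$len" -lt "$MIN_LEN" ]; then
        rm -f "$keyfile"
        echo "rejected: $len bytes scanned, need at least $MIN_LEN" >&2
        return 1
    fi
}

# with_key FILE CMD...: run CMD, delete FILE whether CMD succeeded or failed,
# and return CMD's exit status.
with_key() {
    keyfile=$1
    shift
    "$@"
    status=$?
    rm -f "$keyfile"
    return "$status"
}

# unlock: scan, validate, open the container from the post, always clean up.
unlock() {
    key="${XDG_RUNTIME_DIR:?}/passwd.txt"
    zbarcam --raw -1 | read_key "$key" || return 1
    with_key "$key" sudo cryptsetup open --type luks \
        "$HOME/.usr/img/crypto.img" crypto --key-file "$key"
}

# Only touch the webcam and cryptsetup when asked to: ./script.sh unlock
if [ "${1:-}" = "unlock" ]; then
    unlock
fi
```

A failed or aborted scan produces an empty file, which read_key rejects and removes before cryptsetup is ever called.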
