How to non-interactively supply a passphrase to 'dmcrypt luksFormat'?

Question

I'm writing a script which automatically sets up testing environment virtual machines. This script should automatically format a dmcrypt+LUKS partition for me, with a certain passphrase. Because this is a local testing environment I don't care about the security of the passphrase, I just want the entire VM setup process to be automated and non-interactive.

How can I non-interactively supply a passphrase to 'dmcrypt luksFormat'? I want to use passphrases, not keys, because in production we use passphrases for LUKS as well.

Answer 1

The first thing to do is to call the right command: it's cryptsetup, not dmcrypt.

cryptsetup luksFormat /dev/vda2

The second thing is that you can pass another argument to read the passphrase from a file, or from standard input (using -).

echo -n "This isn't a very secure passphrase." | cryptsetup luksFormat /dev/vda2 -

Note that the -n flag is necessary in echo to prevent a line feed from being appended to the password.

See the cryptsetup man page for other ways to pass the key material in.

Answer 2

How to send passphrase with sudo

echo 'passphraze' | echo 'sudopass' | sudo -S cryptsetup luksOpen /dev/sda5 media -d -

Answer 3

If you are working in a Bash shell, you can use the Bash here-string, with the <<< operator, as follows:

Pass a raw string:

sudo cryptsetup luksFormat --type luks2 /dev/sda1 <<< 'your_passphrase'

Pass an environment variable:

sudo cryptsetup luksFormat --type luks2 /dev/sda1 <<< ${YOUR_PASSPHRASE}