LUKS encryption, header on a dongle USB drive?

Writer Matthew Barrera

I am going to install Linux the LUKS/LVM way, in order to have an encrypted disk.

In addition, I would like to put the header and passphrase on a USB key.

Thus, instead of entering the passphrase, I only plug in the USB drive dongle.

Is it possible and how?

1

1 Answer

I am writing now from the machine that works exactly that way.

  1. First, you will need to put the whole /boot folder on the dongle.
  2. Encrypt the disk with a key file and put the keyfile onto the boot dongle too.
  3. Edit /etc/crypttab and add this line:

    sda2_crypt UUID=14-88 /dev/disk/by-uuid/88-14:/rootfs.key luks,keyscript=/lib/cryptsetup/scripts/passdev

where sda2_crypt is an arbitrary name, the first UUID is that of the encrypted root partition, the second is that of the dongle partition, and rootfs.key is the keyfile name.

  4. Then update your /etc/fstab accordingly.
  5. Mount the dongle as /boot and run update-initramfs.

This should be enough. Different instructions suggest adding kernel boot arguments, but in my case it worked without.

If you ever want to use a password instead of the keyfile, just edit /etc/crypttab and run update-initramfs.

10
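A pre-reboot check for the crypttab entry described in the answer, as an added example that is not part of the original post: it lints passdev entries and, given the dongle's mount point, confirms the keyfile is actually there before update-initramfs is run. The function names are hypothetical, the key field is assumed to follow passdev's `<device>:<path>[:<timeout>]` form, and the requirement for a `/dev/disk/by-*` device name is a check added here; the second sample entry is constructed.

```shell
#!/bin/sh
# Added example: lint the passdev entries of a crypttab before update-initramfs.
# Assumed key field format: <device>:<path-on-device>[:<timeout-seconds>]
# Prints "name keydev keypath" for a valid passdev entry (status 0).
# Status 1: malformed passdev entry (reason on stderr). Status 2: not passdev.
check_passdev_line() {
    set -f; set -- $1; set +f            # split into fields without globbing
    [ $# -ge 4 ] || return 2
    case $1 in '#'*) return 2 ;; esac
    case ",$4," in *,keyscript=*passdev,*) ;; *) return 2 ;; esac
    name=$1 key=$3 keydev=${3%%:*} rest=${3#*:}
    [ "$keydev" != "$key" ] || { echo "$name: key field has no ':'" >&2; return 1; }
    keypath=${rest%%:*}
    [ -n "$keypath" ] || { echo "$name: empty key path" >&2; return 1; }
    case $keydev in
        /dev/disk/by-*/?*) ;;            # persistent name, as in the answer
        *) echo "$name: $keydev is not a /dev/disk/by-* name" >&2; return 1 ;;
    esac
    if [ "$rest" != "$keypath" ]; then   # optional third part is the timeout
        case ${rest#*:} in
            ''|*[!0-9]*) echo "$name: bad timeout" >&2; return 1 ;;
        esac
    fi
    echo "$name $keydev $keypath"
}

# lint_crypttab [MOUNT] < crypttab: returns the number of broken passdev entries.
# With MOUNT (where the dongle is mounted, e.g. /boot) the keyfile must exist.
lint_crypttab() {
    mnt=${1:-} bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        rc=0; out=$(check_passdev_line "$l") || rc=$?
        case $rc in 2) continue ;; 1) bad=$((bad + 1)); continue ;; esac
        kp=${out##* }
        if [ -n "$mnt" ] && [ ! -f "$mnt/${kp#/}" ]; then
            echo "${out%% *}: $kp not found under $mnt" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
# Constructed sample: the answer's entry plus a variant with a kernel name.
sample() { cat <<'EOF'
sda2_crypt UUID=14-88 /dev/disk/by-uuid/88-14:/rootfs.key luks,keyscript=/lib/cryptsetup/scripts/passdev
sdb1_crypt UUID=14-88 /dev/sdc1:/rootfs.key luks,keyscript=/lib/cryptsetup/scripts/passdev
EOF
}
if sample | lint_crypttab; then echo "ok"; else echo "broken entries: $?"; fi
```

On a real system the call would be `lint_crypttab /boot < /etc/crypttab` with the dongle mounted as /boot; a non-zero status means an entry would leave the initramfs unable to find the key.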
