LUKS encryption, header on a dongle USBdrive?

security encryption luks

Solution 1:

I am writing now from the machine that works exactly that way.

  1. First, you will need to put whole /boot folder on the dongle.
  2. Encrypt the disk with key file and put the keyfile into the boot dongle too.

  3. Edit /etc/crypttab, add this line

    sda2_crypt UUID=14-88 /dev/disk/by-uuid/88-14:/rootfs.key     luks,keyscript=/lib/cryptsetup/scripts/passdev

where sda2_crypt is arbitrary name, first UUID is of encrypted root partition, second - of dongle partition and rootfs.key is the keyfile name.

  1. Then Update your /etc/fstab accordingly.
  2. Mount dongle as /boot and do update-initramfs

This should be enough. Different instructions suggest you to add kernel boot arguments, but in my case it worked without.If you ever want to use password instead of keyfile, just edit /etc/crypttab and do update-initramfs.

Related

enable X display access for local user
Automatically add users to groups
My Mac does "copy on select" - how to disable it?
iPhone asks for Apple ID password on third party app launch after iTunes sync
How many different images are there in a dynamic wallpaper?
Send Barcode Scan to URL
How do I see the queue of untagged faces in the 2015 Mac Photos App?
Spawning multiple instances of applications via shortcuts
Am I still on iOS 13 beta?
Can you just use one side of Airpods and leave the other side at home?
macOS Catalina beta could not be verified
iPad (12.3.1) not trusting certificate even after root cert has been added