Hi everyone!
I have a laptop with a fresh install of Fedora 30 with
- a LUKS 2 encrypted LVM on an SSD,
- an additional LUKS 2 encrypted HDD for data.
I added the second drive to fstab/crypttab and both are automatically decrypted on boot because they have the same password and, as I understand it, plymouth passes the entered password on to all mapped LUKS volumes, so I do not use any keyfile.
I would like to be able to ALSO boot the system using just a USB key with a keyfile on it, without entering a password. All the guides that I found were outdated or involved creating scripts (not sure how those survive system upgrades) or modifying the crypttab entry to search for the keyfile (thus losing password login), or booting from the USB, which is not convenient… Is there a native way to do this using LUKS keyslot features? Like just adding the USB to fstab and adding a keyfile on it mapped to the LUKS keyslots?
Thanks everyone!
Hi @anon80987096! Welcome to the community! Please do take a few minutes to go over the introductory posts in #start-here when you have the time. They contain lots of useful information.
As far as I know, the keyfile gets added to a free keyslot with the cryptsetup luksAddKey command almost exactly as with a passphrase; look here:
I've never done it; I've used LUKS drives with passphrases (and used additional passphrases too), not with keys. But I think the problem is not adding the key to the keyslot.
It looks like /etc/crypttab is used by default in Fedora to decrypt LUKS drives at boot time, and it looks like it can be configured either to ask for a passphrase or to read it from a keyfile, but not both.
So it looks like there's no easy way to achieve this. If you're open to suggestions and want to try something more hackish yourself then, I think, there could be options to try (with no guarantee for them to work though).
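The keyslot step from the answer above, as an added example that is not part of the thread: it generates a random keyfile readable only by its owner, then (as root, against a placeholder device path) adds it to a free LUKS keyslot with cryptsetup luksAddKey while the existing passphrase keeps its own slot, and checks the new slot with cryptsetup open --test-passphrase, which verifies the key without mapping the device. The device path, keyfile path and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the forum thread. Device and keyfile paths are
# placeholders; add_keyfile_slot needs root and a real LUKS device.
set -eu

# Create a 4096-byte random keyfile, readable only by its owner (mode 0400).
# Prints "<mode> <size>" so the result can be verified, e.g. "400 4096".
# Usage: make_keyfile /path/to/keyfile
make_keyfile() {
    keyfile="$1"
    # umask inside a subshell so the file is never world-readable, even briefly
    (umask 077 && head -c 4096 /dev/urandom > "$keyfile")
    chmod 0400 "$keyfile"
    stat -c '%a %s' "$keyfile"
}

# Add the keyfile to a free keyslot next to the existing passphrase slot.
# cryptsetup prompts for an existing passphrase to authorise the addition.
# Usage: add_keyfile_slot /dev/DEVICE /path/to/keyfile
add_keyfile_slot() {
    dev="$1"
    keyfile="$2"
    cryptsetup luksAddKey "$dev" "$keyfile"
    # Confirm the new slot unlocks the header without opening a mapping.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
    # Show the keyslot table; the passphrase slot and the new slot should both be listed.
    cryptsetup luksDump "$dev"
}

# Example usage (commented out: requires root and a real device):
# make_keyfile /run/media/USBKEY/luks-key.bin
# add_keyfile_slot /dev/sda2 /run/media/USBKEY/luks-key.bin
```

Keeping the passphrase in its own slot is what makes the keyfile a backup rather than a replacement: losing the USB key leaves the passphrase slot intact, and the keyfile slot can be removed later with cryptsetup luksRemoveKey if the stick is lost. The part the thread identifies as hard, having the boot-time unlock try the keyfile and fall back to a passphrase prompt, is a crypttab/initramfs question, not a keyslot one, and is not covered by this script.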
Hi,
thanks for your answer!
Too bad then… I'd rather avoid "hackish" tips because I'm afraid of how these survive system upgrades… but it's ok, I'll just print out a password and that'll replace the backup USB.
Thanks, bye!
If you need it just for backup, not as your main unlocking device, then you may do it like this.
Use a simpler and easier-to-enter-every-time (but not too easy, you do understand!) password as your main one; never write it down or print it, so that it couldn't fall into the wrong hands.
Make a backup password (several, if you need) longer and harder to remember (best of all, use a password generator to make it complete gibberish), print it, test it (!) and then store it securely.
It won't provide more security in the end, except that if someone sees your backup password, at least they won't know your main one. And just seeing it briefly won't help them remember the backup password, if it's unmemorable gibberish.
Sorry to bother you as this isn't an answer, but could you link me to where you read about modifying the "crypttab entry to search for the keyfile"? I'm looking for something like this but I can't find it.
Sorry to read you so late.
What exactly are you trying to achieve?
I think I wanted it to search flash drives for a key file with a specific file name and avoid having to specify a path and UUID, but I expect this isn't really possible now. In the end I managed to get it to use any drive based on its label rather than UUID (using the boot parameter rd.luks.key="path to keyfile on device":LABEL="partition LABEL where the key is located"), and this is more or less what I wanted; however, I would like the partition to be invisible to Windows. Thanks for getting back to me.