Fedora 30 : add additional USB keyfile for root LUKS decryption

Hi everyone !

I have a laptop with a fresh install of Fedora 30 with

  • a LUKS 2 encrypted LVM on an SSD,
  • an additional LUKS 2 encrypted HDD for data

I added the second drive to fstab/crypttab and both are automatically decrypted on boot because they have the same password and as I understand plymouth passes on the entered password to all mapped luks volumes, so I do not use any keyfile.

I would like to be able to ALSO boot the system using just a USB key with a keyfile on it, without entering a password. All the guides that I found were outdated or involved creating scripts (not sure how those survive system upgrades) or modifying the crypttab entry to search for the keyfile, (thus losing password login), or booting from the USB which is not convenient… is there a native way to do this, using LUKS keyslot features ? like just adding the usb to FSTAB and adding a keyfile on it mapped to the luks keyslots ?

thanks everyone !

Hi @anon80987096! Welcome to the community! Please do take a few minutes to go over the introductory posts in #start-here when you have the time. They contain lots of useful information.

As far as I know, the keyfile gets added to a free keyslot with cryptsetup luksAddKey command almost exactly so as with a passphrase, look here:

I’ve never done it, I’ve used LUKS drives with passphrases (and used additional passphrases too), not with keys. But I think the problem is not adding the key to the keyslot.

It looks like /etc/crypttab is used by default in Fedora to decrypt LUKS drives at boot time, and it looks like it can be configured either to ask for passphrase or to read it from a keyfile, but not both.

So it looks like there’s no easy way to achieve this. If you’re open to suggestions and want to try something more hackish yourself then, I think, there could be options to try (with no guarantee for them to work though).

1 Like


thanks for your answer !

too bad then… I’d rather avoid “hackish” tips because I’m afraid of how these survive system upgrades… but’s ok, I’ll just print out a password and that’ll replace the backup USB :wink:

thanks, bye !

If you need it just for backup, not as your main unlocking device, then you may do it like this.

Use simpler and easier to enter every time (but not too easy, you do understand!) password as your main one, never write in down or print it so that it couldn’t fall in the wrong hands.

Make a backup password (several, if you need) longer and harder to remember – best of all use password generator to make it complete gibberish, – print it, test it (!) and then store it securely.

It won’t provide more security in the end, except than if someone sees your backup password, at least they won’t know your main one. And just seeing it briefly won’t help them remember backup password, if it’s unmemorable gibberish.

Sorry to bother you as this isn’t an answer but could you link me to where you read about modifying the “crypttab entry to search for the keyfile”? I’m looking for something like this but I can’t find it.

sorry to read you so late

what exactly are you trying to achieve?

I think I wanted it to search flash drives for a key file with a specific file name and avoid having to specify a path and UUID but I expect this isn’t really possible now. In the end I managed to get is to use any drive based on its label rather than UUID (using the boot parameter “rd.luks.key=‘path to keyfile on device’:LABEL=‘partition LABEL where the key is located’”) and this is more or less what I wanted however I would like the partition to be invisible to windows. Thanks for getting back to me :+1: