Hello,
I have moved from an Arch Linux setup to Fedora Silverblue. On my previous Arch system, I had it set up so that I could unlock my full disk encryption by booting with a USB stick attached, with the USB stick containing a key file. If the USB stick was not connected, then I would be prompted for the passphrase like normal.
I set this up by following the Arch wiki’s instructions. To summarise, I had to add vfat as an early boot module for the initial ramdisk, and then had to edit my Systemd-boot configuration file to add the following kernel command-line arguments:
cryptdevice=PARTUUID=(DISK_ID):lvm cryptkey=PARTUUID=(USB_ID):vfat:(KEY_FILE_PATH)
Now I am on Fedora Silverblue with GRUB, and have no previous experience with either. I have also not used Fedora Workstation before. I did a default installation via the installer, with full disk encryption and automatic partitioning. I therefore have a very typical install.
Could anyone please tell me what I need to do to set up something similar?
I took a look in my /boot/ directory and found a GRUB configuration file there, but it seems to use different kernel command-line arguments, such as rd.luks.uuid instead of cryptdevice. I’m not sure if this is the right place to touch, as I believe there may be a GRUB configuration file elsewhere in /etc/ from which the /boot/ one gets generated? I’m also not sure exactly what I would need to change.
I can also see that the /etc/crypttab file contains an entry for the full disk encryption, and the crypttab man page contains some information on pointing to a key file, but it sounds like it just takes an absolute path and that there’s no way to specify a USB disk that isn’t already mounted.
Could anyone help me out here? Thanks in advance.