Full disk encryption: How can I automatically unlock via a USB key on Silverblue?

Hello,

I have moved from an Arch Linux setup to Fedora Silverblue. On my previous Arch system, I had it set up so that I could unlock my full disk encryption by booting with a USB stick attached, with the USB stick containing a key file. If the USB stick was not connected, then I would be prompted for the passphrase like normal.

I set this up by following the Arch wiki’s instructions. To summarise, I had to add vfat as an early boot module for the initial ramdisk, and then had to edit my Systemd-boot configuration file to add the following kernel command-line arguments:

cryptdevice=PARTUUID=(DISK_ID):lvm cryptkey=PARTUUID=(USB_ID):vfat:(KEY_FILE_PATH)

Now I am on Fedora Silverblue with GRUB, and have no previous experience with either. I have also not used Fedora Workstation before. I did a default installation via the installer, with full disk encryption and automatic partitioning. I therefore have a very typical install.

Could anyone please tell me what I need to do to set up something similar?

I took a look in my /boot/ directory and found a GRUB configuration file there, but it seems to use different kernel command-line arguments, such as rd.luks.uuid instead of cryptdevice. I’m not sure if this is the right place to touch, as I believe there may be a GRUB configuration file elsewhere in /etc/ from which the /boot/ one gets generated? I’m also not sure exactly what I would need to change.

I can also see that the /etc/crypttab file contains an entry for the full disk encryption, and the crypttab man page contains some information on pointing to a key file, but it sounds like it just takes an absolute path and that there’s no way to specify a USB disk that isn’t already mounted.

Could anyone help me out here? Thanks in advance.

Never mind. This has been solved: Full disk encryption: How can I automatically unlock via a USB key on Silverblue? - #4 by eskse
