Unlock Silverblue LUKS at boot with USB drive

Hi, I’m attempting to configure Silverblue to unlock LUKS at boot with a USB drive. The keyfile lives on the root of the drive, which is formatted FAT32 and has a UUID of 9CC4-04CD. I’ve added the keyfile to the LUKS partition using cryptsetup. I’ve searched quite a bit and came to the following solution.


GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-1652b62b-760f-4a49-8a18-dcac880c6635 rd.luks.key=luks-1652b62b-760f-4a49-8a18-dcac880c6635=keyfile:UUID=9CC4-04CD rd.luks.options=keyfile-timeout=5s rhgb quiet"


luks-1652b62b-760f-4a49-8a18-dcac880c6635 UUID=1652b62b-760f-4a49-8a18-dcac880c6635 keyfile:UUID=9CC4-04CD discard,keyfile-timeout=5s


add_drivers+=" fat "
add_drivers+=" vfat "

I was originally having problems with grub2-mkconfig not applying the grub cmdline correctly, but turns out I needed to run rpm-ostree kargs --editor and add the kernel parameters there.

So now I’ve got the right grub cmdline and everything set up, but it’s still not working correctly.

I have a similar set up working on my Arch installation, but it’s using the standard encrypt mkinitcpio module, not sd-encrypt or dracut.

Any help would be great, thanks!

1 Like

Turns out the rd.luks.key parameter needed the raw UUID, not the mapped one.


in rpm-ostree kargs --editor worked perfectly.