Re: system drive encryption question
On Apr 5, 2017, at 4:31 PM, FHDATA <fhdata@unm.edu> wrote:
> hello,
>
> I am not currently using debian as linux OS but
> considering it ...
>
>
> If I clean install debian (latest of course) and during
> the install process have its / (system drive)
> encrypted with pass-phrase ....
>
> then later on, can I add a key, residing on
> a usb flash drive, to that encryption?
>
> if yes, is there a step-by-step method one can follow to do that?
>
>
>
> thank you,
> F-
I used to do this. It worked very well before Jessie came along.
You need an unencrypted /boot partition to hold the kernel and initrd, of course…
With the introduction of systemd in Jessie, the mechanism that ran a script to get a password to decrypt the root disk[1] got broken. I don’t think there was anything about systemd in particular that made it impossible, it just wasn’t at the top of the developers’ priority list to implement that feature.
I suspect it would not be difficult to implement such a feature again under recent systemd versions, but nobody’s done it yet — at least as far as I know.
If I take a stab at implementing such a feature, would you be interested in helping?
Enjoy!
Rick
[1] In my case the script looked for a USB drive with a given label, mounted it, read the key from a file it found there, then unmounted the USB drive so it could be removed by the sysop for safe-keeping until the next reboot.
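
A sketch of the kind of script footnote [1] describes, as an added example that is not the poster's original script, written against the `keyscript=` option of Debian's crypttab. The label `KEYUSB`, the key file name, the paths and the function names are assumptions, and whether the boot environment honours `keyscript=` depends on the release, as the message notes.

```shell
#!/bin/sh
# Sketch of a cryptsetup keyscript (crypttab option keyscript=<path>); it prints
# the key on stdout. Label, paths and function names are hypothetical.
# One-time enrolment of the key file into a spare LUKS slot, keeping the
# passphrase slot as a fallback:
#   cryptsetup luksAddKey <luks-device> /media/usb/root.key
# crypttab entry (third field is handed to the script):
#   <name> <luks-device> root.key luks,keyscript=/usr/local/sbin/usbkey

LABEL="${USBKEY_LABEL:-KEYUSB}"                  # filesystem label of the stick
BYLABEL="${USBKEY_BYLABEL:-/dev/disk/by-label}"  # udev symlinks by label
MNT="${USBKEY_MNT:-/run/usbkey}"                 # temporary mount point

# Wait up to $2 seconds for a block device labelled $1; print its path.
wait_for_label() {
    tries=$2
    while [ ! -e "$BYLABEL/$1" ]; do
        [ "$tries" -gt 0 ] || return 1
        tries=$((tries - 1))
        sleep 1
    done
    printf '%s\n' "$BYLABEL/$1"
}

# Mount device $1 read-only, emit key file $2, and always unmount afterwards
# so the stick can be pulled and stored away from the machine.
read_key() {
    mkdir -p "$MNT" || return 1
    mount -o ro,nosuid,nodev,noexec "$1" "$MNT" || return 1
    rc=0
    if [ -f "$MNT/$2" ]; then cat "$MNT/$2"; else rc=1; fi
    umount "$MNT"
    return "$rc"
}

usbkey_main() {
    dev=$(wait_for_label "$LABEL" 10) && read_key "$dev" "$1" && return 0
    # No stick or no key file: fall back to the passphrase prompt.
    /lib/cryptsetup/askpass "Passphrase for encrypted root: "
}

# Run only when called as a keyscript (Debian's cryptsetup scripts export
# CRYPTTAB_KEY, the third crypttab field).
if [ -n "${CRYPTTAB_KEY:-}" ]; then
    usbkey_main "$CRYPTTAB_KEY"
fi
```

Whoever holds the stick holds the key, so the passphrase slot stays enrolled and the stick is removed after boot, as the footnote describes.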