Re: system drive encryption question

[Rick Thomas <rbthomas@pobox.com>]

On Apr 5, 2017, at 4:31 PM, FHDATA <fhdata@unm.edu> wrote:
> hello,
> 
> I am not currently using debian as linux OS but
> considering it ...
> 
> 
> If I clean install debian (latest of course) and during
> the install process have  its / (system drive)
> encrypted with pass-phrase ....
> 
> then later on, can I add a key, residing on
> a usb flash drive,  to that encryption?
> 
> if yes, is there a step-by-step method one can follow  to do that?
> 
> 
> 
> thank you,
> F-

I used to do this.  It worked very well before Jessie came along.

You need an un-encrypted /boot partition to hold the kernel and initrd, of course…

With the introduction of systemd in Jessie, the mechanism that ran a script to get a password to decrypt the root disk[1] got broken.  I don’t think there was anything about systemd in particular that made it impossible, it just wasn’t at the top of the developer’s priority list to implement that feature.

I suspect it would not be difficult to implement such a feature again under recent systemd versions, but nobody’s done it yet — at least as far as I know.

If I take a stab at implementing such a feature, would you be interested in helping?

Enjoy!
Rick

[1] In my case the script looked for a USB drive with a given label, mounted it, read the key from a file it found there, then unmounted the USB drive so it could be removed by the sysop for safe-keeping until the next reboot.