Re: Full disk encryption on Jessie - usb key and passphrase



On Mon, May 29, 2017 at 03:36:44PM +0200, Прокси wrote:
> Hello,
> 
> I have a laptop where I set up full disk encryption following this
> tutorial:
> https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html
> 
> It works great, but since LUKS can have up to 8 key slots, I would like
> to add another way to decrypt the laptop: a key on an external USB. So, if
> there is a USB with the key plugged in, the laptop doesn't ask for the
> passphrase and just continues booting; if there isn't, it asks for the
> passphrase. Can this be done?

Never tried myself, but cryptsetup luksAddKey <device> should work.
Make a backup or... better, try first with a sacrificial device
(either a file you create with dd, like so

  dd if=/dev/zero of=my-file bs=4096 count=1024

or similar, or a USB stick). You then "cryptsetup luksFormat" it,
"cryptsetup luksOpen" it, make a file system on the corresponding
device (which will typically appear somewhere in /dev/mapper/) and
play around with it until you feel secure.

There are also cryptsetup luksHeaderBackup and luksHeaderRestore
subcommands which look useful in case of a mishap.

See the cryptsetup man page for details, and ask here if unsure.

Cheers
-- tomás

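The rehearsal suggested in the message above, written out as a script. This is an added example, not part of the original post; the file names, the mapping name luks-rehearsal and the 32 MiB image size are assumptions made here.

```shell
#!/bin/sh
# Added example: rehearse a second LUKS key slot on a throwaway image file.
# File names and the mapping name are placeholders chosen for this sketch.

# Create a zero-filled sacrificial container. 32 MiB (rather than the 4 MiB
# in the message) leaves room for the larger LUKS2 header that newer
# cryptsetup versions use by default.
make_image() {
    dd if=/dev/zero of="$1" bs=4096 count=8192 2>/dev/null
}

# Create a 4096-byte random key file that only its owner can read.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null )
}

# The first slot gets a passphrase, a second slot gets the key file. Then
# back up the header, unlock with the key file alone and make a file system
# on the mapped device. Run this part as root.
rehearse() {
    img=$1 key=$2 name=luks-rehearsal
    make_image "$img" && make_keyfile "$key" || return 1
    cryptsetup luksFormat "$img" || return 1          # asks for a new passphrase
    cryptsetup luksAddKey "$img" "$key" || return 1   # asks for that passphrase
    cryptsetup luksHeaderBackup "$img" \
        --header-backup-file "$img.header" || return 1
    cryptsetup luksDump "$img"                        # lists the key slots in use
    cryptsetup luksOpen --key-file "$key" "$img" "$name" || return 1
    mkfs.ext4 -q "/dev/mapper/$name"
    cryptsetup luksClose "$name"
}

# Only touch cryptsetup when asked to explicitly.
if [ "${1:-}" = "rehearse" ]; then
    rehearse "${2:-my-file}" "${3:-my-file.key}"
fi
```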