Re: Full disk encryption on Jessie - usb key and passphrase
On 2017-May-29 21:17, tomas@tuxteam.de wrote:
> On Mon, May 29, 2017 at 03:36:44PM +0200, Прокси wrote:
> > Hello,
> >
> > I have a laptop where I set up full disk encryption following this
> > tutorial:
> > https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html
> >
> > It works great, but since LUKS can have up to 8 key slots, I would like
> > to add another way to decrypt the laptop: a key on an external USB. So, if
> > there is a USB with the key plugged in, the laptop doesn't ask for the
> > passphrase and just continues booting; if there isn't - it asks for the
> > passphrase. Can this be done?
>
> Never tried myself, but cryptsetup luksAddKey <device> should work.
> Make a backup or... better, try first with a sacrificial device
> (either a file you create with dd, like so
>
> dd if=/dev/zero of=my-file bs=4096 count=1024
>
> or similar, or a USB stick). You then "cryptsetup luksFormat" it,
> "cryptsetup luksOpen" it, make a file system on the corresponding
> device (which will typically appear somewhere in /dev/mapper/) and
> play around with it until you feel secure.
>
> There are also cryptsetup luksHeaderBackup and luksHeaderRestore
> subcommands which look useful in case of a mishap.
>
> See the cryptsetup man page for details, and ask here if unsure.
>
I followed instructions from this[1] link and it worked.
[1] https://stackoverflow.com/questions/19713918/how-to-load-luks-passphrase-from-usb-falling-back-to-keyboard
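
The rehearsal on a sacrificial file suggested in the quoted reply, written out as an added example that is not part of the original messages. It assumes cryptsetup 2.x on PATH (where `--type luks1` selects the format Jessie uses); the function name, file names and passphrase are made up for illustration.

```shell
#!/bin/sh
# Rehearse "passphrase + key file" on a throwaway image; no real disk is touched.
# Assumption: cryptsetup 2.x. All names and the passphrase are constructed.

rehearse_luks_keyfile() {
    work=$(mktemp -d) || return 1
    img="$work/my-file"      # sacrificial "device"
    key="$work/usb.key"      # stands in for the key kept on the USB stick
    pass='constructed-test-passphrase'
    rc=0

    # Same 4 MiB image as in the thread.
    dd if=/dev/zero of="$img" bs=4096 count=1024 2>/dev/null || rc=1

    # Slot 0: the passphrase. --iter-time 100 only keeps the rehearsal fast;
    # leave the default on a real device.
    printf '%s' "$pass" | cryptsetup luksFormat --batch-mode --type luks1 \
        --iter-time 100 --key-file - "$img" || rc=1

    # Save the header before changing key slots, so a mishap can be undone
    # with luksHeaderRestore.
    cryptsetup luksHeaderBackup "$img" \
        --header-backup-file "$work/header.bak" || rc=1

    # Random key file, added to the next free slot and authorised with the
    # existing passphrase (read from stdin via --key-file -).
    dd if=/dev/urandom of="$key" bs=512 count=1 2>/dev/null || rc=1
    printf '%s' "$pass" | cryptsetup luksAddKey --iter-time 100 \
        --key-file - "$img" "$key" || rc=1

    # Both credentials must unlock. --test-passphrase only verifies the key
    # and maps nothing, so no root is needed.
    printf '%s' "$pass" | cryptsetup open --type luks --test-passphrase \
        --key-file - "$img" || rc=1
    cryptsetup open --type luks --test-passphrase --key-file "$key" "$img" || rc=1

    # A different random key file must be rejected.
    dd if=/dev/urandom of="$work/wrong.key" bs=512 count=1 2>/dev/null || rc=1
    if cryptsetup open --type luks --test-passphrase \
        --key-file "$work/wrong.key" "$img" 2>/dev/null; then
        rc=1
    fi

    rm -rf "$work"
    return "$rc"
}
```

Calling `rehearse_luks_keyfile` returns 0 only when the passphrase and the key file both unlock the image and the wrong key file does not.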