I saw this pop up on news.ycombinator.com last week, using a yubikey to unlock your drives I found interesting and intend to try with a new hardware device.  I use luks extensively today, but have not done so with full systemd integration, so this is a cool evolutionary mechanism I've been waiting for to include hardware crypto keys.  Not quite a plain-jane usb disk, but but a yubikey can be had cheap for what we do.

http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

I've been using my yubikey with keepassxc past year or so, and would like to do so with my hard drive encryption as well, so I would say start here.  Should be fairly agnostic between ubuntu and arch.  I use arch, so will see if/when I get around to rebuilding my existing system or a new box.

-mb


On Fri, Feb 5, 2021 at 8:18 AM Sebastian via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:

Is anyone familiar with how to boot Ubuntu, and make grub use the key-file on the USB that is plugged into it?
I'm trying to not need to type in the password on the device when it boots, but still have an encrypted root partition.
If not, how do people keep drives encrypted in production environments when using Ubuntu? (Could answer this as well, "if so", since this is just my guess for what production environments use)

(because this is what online searches bring)
I do not mean:
Boot from an encrypted USB.
Decrypt and mount an encrypted volume at boot AFTER typing in the decryption password for root once already.
Encrypt boot partition as well as root.

Everything I found online was one of the above three things, or is Arch and doesn't apply to Ubuntu.

I thought "eh, just do it the same way as Arch in boot parameters, as they both use grub, right?", but that didn't work...
(cryptkey=devID:filesystem:fileLocation cryptdevice=devID:decrypt_root root=/dev/mapper/decrypt_root => update-grub)

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss