Re: Decrypt Ubuntu Root with Key-file on USB

Top Page
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Michael Butash via PLUG-discuss
To: Main PLUG discussion list
CC: Michael Butash
Subject: Re: Decrypt Ubuntu Root with Key-file on USB
I saw this pop up on last week, using a yubikey to
unlock your drives I found interesting and intend to try with a new
hardware device. I use luks extensively today, but have not done so with
full systemd integration, so this is a cool evolutionary mechanism I've
been waiting for to include hardware crypto keys. Not quite a plain-jane
usb disk, but but a yubikey can be had cheap for what we do.

I've been using my yubikey with keepassxc past year or so, and would like
to do so with my hard drive encryption as well, so I would say start here.
Should be fairly agnostic between ubuntu and arch. I use arch, so will see
if/when I get around to rebuilding my existing system or a new box.


On Fri, Feb 5, 2021 at 8:18 AM Sebastian via PLUG-discuss <
> wrote:

> Is anyone familiar with how to boot Ubuntu, and make grub use the key-file
> on the USB that is plugged into it?
> I'm trying to not need to type in the password on the device when it
> boots, but still have an encrypted root partition.
> If not, how do people keep drives encrypted in production environments
> when using Ubuntu? (Could answer this as well, "if so", since this is just
> my guess for what production environments use)
> (because this is what online searches bring)
> I do *not *mean:
> Boot from an encrypted USB.
> Decrypt and mount an encrypted volume at boot *AFTER* typing in the
> decryption password for root once already.
> Encrypt boot partition as well as root.
> Everything I found online was one of the above three things, or is Arch
> and doesn't apply to Ubuntu.
> I thought "eh, just do it the same way as Arch in boot parameters, as they
> both use grub, right?", but that didn't work...
> (cryptkey=devID:filesystem:fileLocation cryptdevice=devID:decrypt_root
> root=/dev/mapper/decrypt_root => update-grub)
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:

PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings: