Debian: Unlock a LUKS root device on LVM with a USB key
- You want to unlock a system remotely during the boot process.
- Your root partition is an LVM volume.
- Your LVM setup is fully encrypted with LUKS.
- You're running Debian on the remote system.
If your Linux system runs on a LUKS-encrypted disk and you are tired of typing a passphrase at the keyboard to unlock the LUKS root device on every boot, this guide might be right for you. It shows how to unlock the root device with a keyfile stored on a USB drive.
NOTE: The keyfile on your USB drive is stored UNENCRYPTED. If you lose the USB key, you MUST delete the corresponding key slot from the LUKS device and add a new one.
The guide was tested on Debian 9.6 (Stretch), which ships cryptsetup 1.7.3. In my setup the root device is a logical volume located in an LVM volume group.
First, install Debian and complete the basic configuration. During installation you add a passphrase as a key to your LUKS device. This passphrase is required to add further keys to the device. I recommend keeping a passphrase as a fallback in case you lose your new USB key. A short existing passphrase should, however, be replaced by a longer one later (cryptsetup luksChangeKey <your_luks_device>).
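The key-slot housekeeping described above (keeping a passphrase slot as fallback, and wiping the slot of a lost USB key) as an added shell example; this is not part of the original guide. The function names, the `/dev/sdX` placeholder and the 4096-byte keyfile size are my assumptions; the `luksDump` slot format is the LUKS1 output of cryptsetup 1.x as used on Stretch.

```shell
#!/bin/sh
# Added example, not from the original guide: manage the LUKS key slot that
# holds the USB keyfile. Assumes cryptsetup 1.x (LUKS1 header, as on Stretch)
# and that an existing passphrase is available to authorise slot changes.
set -eu

# Create a random keyfile readable only by its owner. 4096 bytes is an
# arbitrary size chosen for this example; LUKS reads the whole file as key.
make_keyfile() {                       # make_keyfile <path>
    ( umask 077; head -c 4096 /dev/urandom > "$1" )
    chmod 0400 "$1"
}

# Enrol the keyfile into a free slot. cryptsetup prompts for an existing
# passphrase, so the fallback passphrase slot stays in place afterwards.
add_keyfile() {                        # add_keyfile <luks_device> <keyfile>
    cryptsetup luksAddKey "$1" "$2"
}

# Print the numbers of the slots marked ENABLED in `cryptsetup luksDump`
# output read from stdin, e.g. "Key Slot 1: ENABLED" -> 1.
enabled_slots() {
    sed -n 's/^Key Slot \([0-7]\): ENABLED$/\1/p'
}

# Revoke a lost USB key: wipe its slot so the unencrypted keyfile on the
# lost drive can no longer unlock the device (cryptsetup asks for a
# passphrase of another slot). Refuses to remove the last enabled slot,
# which would make the volume permanently inaccessible.
revoke_slot() {                        # revoke_slot <luks_device> <slot>
    count=$(cryptsetup luksDump "$1" | enabled_slots | wc -l)
    if [ "$count" -le 1 ]; then
        echo "refusing to kill slot $2: it is the only enabled slot" >&2
        return 1
    fi
    cryptsetup luksKillSlot "$1" "$2"
}

# Usage (device placeholder /dev/sdX):
#   sh luks-usbkey.sh add    /dev/sdX /path/to/keyfile
#   sh luks-usbkey.sh slots  /dev/sdX
#   sh luks-usbkey.sh revoke /dev/sdX 1
case "${1:-}" in
    add)    make_keyfile "$3" && add_keyfile "$2" "$3" ;;
    slots)  cryptsetup luksDump "$2" | enabled_slots ;;
    revoke) revoke_slot "$2" "$3" ;;
esac
```

Run `slots` before `revoke` and compare against the slot number you noted when the USB key was enrolled, so the passphrase slot is never the one wiped.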
To