
Unlock your LUKS drive through USB or passphrase

It’s always advisable to keep your data as secure as possible. A great way of doing this is LUKS. Linux Mint, for instance, supports this out of the box as part of the installation process. Usually an encrypted drive is unlocked using a passphrase, which generally works fine, but what if you want to use a more robust key? What if you want to automatically unlock a drive with a key located on a USB drive? I found several tutorials, though they weren’t working as expected, so here is my solution using Linux Mint.

Add another key

Assume the encrypted drive is /dev/sd13. First we create a keyfile filled with random bytes. In this little example we create a keyfile my.key of 4096 bytes.

dd bs=4096 count=1 if=/dev/urandom of=my.key

Be aware that this keyfile is your key and should be protected accordingly.

The next step requires you to add this key to your encrypted drive:

cryptsetup luksAddKey /dev/sd13 my.key
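The keyfile only protects you if nobody else can read it, and a new key slot is only useful if it actually unlocks the volume. The following added example (not from the original post) wraps the two commands above into functions: make_keyfile creates the file under a restrictive umask so it is born with mode 0600 and checks that the requested number of random bytes landed in it, and add_and_verify_key adds the slot and then uses cryptsetup's --test-passphrase mode to confirm the keyfile unlocks the device without activating a mapping. The device path and file name passed to add_and_verify_key are placeholders; that function needs root and a real LUKS device.

```shell
#!/bin/sh
# Create a LUKS keyfile with restrictive permissions and verify that the
# new key slot unlocks the volume. Added example, not from the original
# post; the device and key file names are assumed placeholders.
set -e

# Write SIZE random bytes (default 4096) into FILE, created under
# umask 077 so the key is readable by root only. iflag=fullblock makes
# dd retry short reads. Returns 1 if size or mode are not as expected.
make_keyfile() {
    file=$1 size=${2:-4096}
    ( umask 077 && dd bs="$size" count=1 iflag=fullblock \
        if=/dev/urandom of="$file" 2>/dev/null )
    actual=$(wc -c < "$file")
    [ "$actual" -eq "$size" ] || return 1
    [ "$(stat -c %a "$file")" = "600" ] || return 1
}

# Add FILE as a new key slot on DEVICE (cryptsetup prompts for an
# existing passphrase), then prove the keyfile opens the volume without
# creating a mapping, and show the resulting key slots.
add_and_verify_key() {
    device=$1 file=$2
    cryptsetup luksAddKey "$device" "$file"
    cryptsetup open --test-passphrase --key-file "$file" "$device"
    cryptsetup luksDump "$device"
}

# Usage (as root, with your own device): make_keyfile my.key &&
#   add_and_verify_key /dev/sd13 my.key
```

If make_keyfile reports a failure, delete the partial file before retrying; a keyfile that is shorter than you think, or world-readable, weakens the setup far more than a missing key slot does.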

Fetch the actual key

What we’re trying to accomplish is the following:

Create the file /etc/initramfs-tools/scripts/usb-unlock with the following content and take note of the comments in there (inspired by Bob Arezina):

#!/bin/sh
set -e

# the filesystem label we're using to identify the usb drive containing our key
# (change it according to your needs)
LABEL=USB_KEY

# the name of the key file, passed to this script as first argument by cryptsetup
KEYNAME="$1"

# make sure the mount point exists
if [ ! -e /mnt ]; then
    mkdir -p /mnt
fi
# give the kernel a moment to enumerate the usb drive
sleep 3

# mount the drive read-only; a missing drive must not abort the script
DEVICEPATH="/dev/disk/by-label/${LABEL}"
if mount -o ro "${DEVICEPATH}" /mnt 2>/dev/null; then
    KEYPATH="/mnt/${KEYNAME}"
    # only cat the keyfile content if the file exists, then release the drive
    if [ -e "${KEYPATH}" ]; then
        cat "${KEYPATH}"
        umount /mnt
        exit 0
    fi
    umount /mnt
fi

# mimic the default behavior and ask for a passphrase
/lib/cryptsetup/askpass "Passphrase"
exit 0

This script simply prints the key, sourced either from the usb drive or from the user input. Don’t forget to mark this shell script as executable. Note that the script has been placed in /etc/initramfs-tools/scripts/, so it’s meant to be bundled as part of the initramfs image used during the early boot stage of Linux.

Configure the automatic unlocking

Now we need to configure the drive that’s supposed to be unlocked automatically by adding a corresponding line to /etc/crypttab:

sd13_crypt UUID=75ae9676-64be-43b4-903b-507f60becdeb my.key luks,keyscript=/etc/initramfs-tools/scripts/usb-unlock

This causes the script /etc/initramfs-tools/scripts/usb-unlock to be called with the name of the key, my.key, as the first argument. Obviously it’s up to you to choose the name of your key file and to provide the right UUID for /dev/sd13 (you can also choose alternative ways to select your drive). If everything went well you will find the unlocked drive under /dev/mapper/sd13_crypt. Don’t forget to put a corresponding configuration line into /etc/fstab.
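A mistake in this line, a keyscript that is not executable, or a UUID that does not match any device only shows up at the next boot, when the system stops at the unlock prompt. The following added example (not part of the original post) is a pre-flight check to run as root before update-initramfs: it parses every keyscript entry of a crypttab file, confirms that the referenced script exists, is executable and starts with #!/bin/sh (the initramfs ships busybox's sh, not bash), and resolves UUID= device specs through /dev/disk/by-uuid. The file name argument and the sample line used in the usage comment are assumptions.

```shell
#!/bin/sh
# Pre-flight check for crypttab entries that rely on a keyscript.
# Added example, not part of the original post.

# Split one crypttab line into "<name>|<device>|<key>|<keyscript>".
# Returns 1 when the line has fewer than four fields or no keyscript= option.
crypttab_keyscript() {
    set -- $1
    [ "$#" -ge 4 ] || return 1
    name=$1 device=$2 key=$3 opts=$4
    script=""
    old_ifs=$IFS
    IFS=','
    for opt in $opts; do
        case $opt in
            keyscript=*) script=${opt#keyscript=} ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$script" ] || return 1
    printf '%s|%s|%s|%s\n' "$name" "$device" "$key" "$script"
}

# A keyscript must exist, be executable and be plain /bin/sh, because the
# initramfs contains busybox's sh and no bash. Returns 0 when all checks pass.
check_keyscript() {
    script=$1
    [ -f "$script" ] || { echo "missing: $script"; return 1; }
    [ -x "$script" ] || { echo "not executable: $script"; return 1; }
    first=$(head -n 1 "$script")
    [ "$first" = "#!/bin/sh" ] || { echo "not /bin/sh: $script"; return 1; }
    return 0
}

# Resolve "UUID=..." to its /dev/disk/by-uuid path; any other device spec
# is returned unchanged. Returns 1 if no device carries that UUID.
resolve_device() {
    case $1 in
        UUID=*)
            path="/dev/disk/by-uuid/${1#UUID=}"
            [ -e "$path" ] || return 1
            printf '%s\n' "$path" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Check every keyscript line of a crypttab file (default /etc/crypttab).
# Lines without a keyscript are left to the normal passphrase path.
# Returns non-zero if any checked entry has a problem.
check_crypttab() {
    file=${1:-/etc/crypttab}
    status=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        fields=$(crypttab_keyscript "$line") || continue
        script=${fields##*|}
        device=$(printf '%s' "$fields" | cut -d'|' -f2)
        check_keyscript "$script" || status=1
        resolve_device "$device" >/dev/null \
            || { echo "device not found: $device"; status=1; }
    done < "$file"
    return $status
}

# Usage: check_crypttab /etc/crypttab && update-initramfs -u
```

The UUID check is the one most worth keeping: /dev/disk/by-uuid is populated by udev at runtime, so if the entry does not resolve on the running system it will not resolve inside the initramfs either.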

Enable the automatic unlocking

After setting everything up you need to update your initial ram disk executing the following command:

update-initramfs -u

All you have to do now is reboot and verify that the unlocking works in both ways: once with the usb drive holding your key plugged in, and once using the passphrase alone, i.e. without the usb drive.

I have to emphasize that you should keep your usb drive holding the key as secure as possible.