this post was submitted on 20 Nov 2024
12 points (100.0% liked)

Arch Linux

120 readers
2 users here now

Discussion community about the Arch Linux distro.

Wiki : https://wiki.archlinux.org/

Site : https://archlinux.org/

Packages : https://archlinux.org/packages/

GitLab : https://gitlab.archlinux.org/archlinux

Downloads : https://archlinux.org/download/

founded 9 months ago
MODERATORS
LinearArray
[email protected]
12
Detached LUKS USB Key Update? (lemmy.ca)
submitted 1 day ago* (last edited 1 day ago) by [email protected] to c/arch
5 comments fedilink hide all child comments
 

While I'm trying to get Encrypted /boot and a detached LUKS header on USB to work,
I had a couple of questions come to mind:

~~1. Does the backup USB key need to be updated?~~
~~2. If so, then how would someone keep all backups up to date?~~

I probably asked a dumb question but if anyone can help guide me through the steps I'd really appreciate you!๐Ÿค—๐ŸŒป

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 2 points 1 day ago* (last edited 1 day ago) (1 children)

ahhh ok I'm starting to understand now thank you!

Also for the exfat problem you encountered, I've read that the boot or EFI partition should be formatted with FAT32 or the similar FAT types (like FAT12?) as it's supported whereas the other file types are not mentioned, I'll add the link here if I can find it again

https://bbs.archlinux.org/viewtopic.php?id=236633
While this forum post wasn't the exact page I initially saw, the users there also states the same info

[โ€“] [email protected] 1 points 1 day ago* (last edited 1 day ago)

Yes that is true, but if you're using a detached LUKS (prob LUKS2) header then the USB drive isn't your boot partition and the file system type won't matter as much for that than the order of kernel modules loaded before boot.

Using a detached LUKS header appealed to me at the time because it has most of the same benefits as an encrypted boot partition like available with GRUB and GRUB at the time still only supported the first version of LUKS. Plus I was pretty confident in my ability to securely back up my LUKS header, so that if I traveled then I could grab a copy of the header remotely if the USB drive was somehow compromised. That way you can travel and not have to worry about your laptop or whatever revealing as much information about your FDE setup vs. if the LUKS header is on the internal drive, it still provides details about the encryption.