This seems to be what you're looking for.
You pretty much just use a keyfile instead of a traditional password. Once your root drive is unlocked, your home directory can be automatically unlocked using a keyfile held somewhere in another drive.
this post was submitted on 13 Jun 2023
2 points (100.0% liked)
Linux
47969 readers
1143 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
Yes it's pretty easy with keyfile and /etc/crypttab.
One practical recommendation: As LUKS headers can hold several keys, also add a traditional passphrase in addition to the keyfile. With this it's far easier to decrypt the drive from commandline if you ever need to rescue the system from a USB.
Oh yeah i forgot about doing this, actually way easier than what i suggested
One thing i do know is after finishing everything, you wanna backup your LUKS headers incase something gets corrupted so you wont lose your data, make sure its safe outside of the encrypted drive somewhere. "sudo cryptsetup luksHeaderBackup /dev/drive_name --header-backup-file /destination/"
Don't know any other downsides, but you will require entering your password 2 times if i'm not mistaken. Now if you wanna try to avoid entering your password twice. This is a bit more complex but not super hard to try, depends on how technical you are and what distro you use, ArchWiki claims if you use the sd-encrypt hook it will cache your first password and use it for the other drive.
https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Using_systemd-cryptsetup-generator
https://wiki.archlinux.org/title/Mkinitcpio#Common_hooks
I believe if you do swap to the sd-encrypt hook you gotta swap all the other hooks over to the systemd ones too but not 100% sure, but that's what i ended up doing. Also would need to use the "rd.luks" boot options instead of the "cryptdevice="
where would you recommend backing up the LUKS headers to? an external HDD? a USB flash drive? or something else?
and thanks for the advice and links, i will look further into it using a VM later
Wherever you want really, its only incase the luks headers corrupt which is probably quite rare.
Also probably way easier to do what the other person suggested with the keyfile. My brain kinda blanked out on that possibility