Re: system drive encryption question
- Date: Thu, 6 Apr 2017 03:18:10 -0700
- From: Rick Thomas <rbthomas@xxxxxxxxx>
- Subject: Re: system drive encryption question
On Apr 5, 2017, at 4:31 PM, FHDATA <fhdata@xxxxxxx> wrote:
> I am not currently using Debian as Linux OS but
> considering it ...
> If I clean install Debian (latest of course) and during
> the install process have its / (system drive)
> encrypted with pass-phrase ....
> then later on, can I add a key, residing on
> a USB flash drive, to that encryption?
> If yes, is there a step-by-step method one can follow to do that?
> thank you,
I used to do this. It worked very well before Jessie came along.
You need an un-encrypted /boot partition to hold the kernel and initrd, of course…
With the introduction of systemd in Jessie, the mechanism that ran a script to get a password to decrypt the root disk got broken. I don’t think there was anything about systemd in particular that made it impossible; it just wasn’t at the top of the developers’ priority list to implement that feature.
I suspect it would not be difficult to implement such a feature again under recent systemd versions, but nobody’s done it yet — at least as far as I know.
If I take a stab at implementing such a feature, would you be interested in helping?
In my case the script looked for a USB drive with a given label, mounted it, read the key from a file it found there, then unmounted the USB drive so it could be removed by the sysop for safe-keeping until the next reboot.
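The keyscript Rick describes, written out as an added example (not code from the thread or from Debian's cryptsetup package). It assumes the stick carries the filesystem label KEYUSB unless another label arrives in $1 (the crypttab key field), that the key sits in keys/root.key on the stick, that /lib/cryptsetup/askpass is available for the fallback prompt, and that cryptsetup exports CRYPTTAB_NAME when it invokes a keyscript.

```shell
#!/bin/sh
set -u
LABEL="${1:-KEYUSB}"            # assumed default label of the key stick
KEYFILE="keys/root.key"         # assumed path of the key on the stick
MNT="/tmp/usbkey.$$"
# Wait (bounded) for udev to publish /dev/disk/by-label/<label>; print the path.
wait_for_device() {
    dev="/dev/disk/by-label/$1"
    i=0
    while [ ! -b "$dev" ] && [ "$i" -lt 10 ]; do
        sleep 1
        i=$((i + 1))
    done
    [ -b "$dev" ] && printf '%s\n' "$dev"
}
# Emit <mountpoint>/<relpath> on stdout (how cryptsetup reads keyscript output); fail if missing/empty.
emit_key() {
    f="$1/$2"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    # stdout goes straight to cryptsetup; never tee the key to a terminal or log
    cat "$f"
}
main() {
    dev=$(wait_for_device "$LABEL") || dev=""
    if [ -n "$dev" ]; then
        mkdir -p "$MNT"
        # mount read-only with no exec/suid/dev: the stick is storage, not trusted code
        if mount -o ro,nosuid,nodev,noexec "$dev" "$MNT" 2>/dev/null; then
            if emit_key "$MNT" "$KEYFILE"; then
                umount "$MNT"        # release the stick so the sysop can pull it
                rmdir "$MNT"
                exit 0
            fi
            umount "$MNT"
        fi
        rmdir "$MNT" 2>/dev/null
    fi
    # No stick or no key: fall back to a typed passphrase instead of hanging the boot.
    exec /lib/cryptsetup/askpass "No key on USB '$LABEL'; passphrase: "
}
# Only do real work when cryptsetup is the caller (CRYPTTAB_NAME assumed exported by it).
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    main
fi
```

It would be wired in through the keyscript= option in /etc/crypttab followed by update-initramfs -u; whether the boot-time path actually calls it is exactly the Jessie-era breakage Rick mentions.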