
Re: system drive encryption question




On Wed, 5 Apr 2017, FHDATA wrote:


> hello,
>
> I am not currently using debian as linux OS but
> considering it ...
>
> If I clean install debian (latest of course) and during
> the install process have its / (system drive)
> encrypted with pass-phrase ....
>
> then later on, can I add a key, residing on
> a usb flash drive, to that encryption?
>
> if yes, is there a step-by-step method one can follow to do that?
>
> thank you,
> F-





i apologize for not sending a timely response back;
just being busy;

thanks to all who provided feedback from
which  i learned:



  1. possibility of using a 3rd party 2fa solution (e.g. yubico)
     [relying on internet during boot may be undesirable...]

  2. in LUKS one of the other remaining 7 slots can be utilized for path to encryption key ...

  3. system boot process looks for & mounts an external
     usb device and uses the key on it .....

  4. utilizing Password Agents, Plymouth, (of systemd) to
     prompt user for 'some passphrase for ---- '

  5. /etc/default/cryptdisks {seems to be a debian/ubuntu centric
     thing, which is fine...}




#2 seems unlikely but i will investigate further.

combination of #3 + #4  looks promising ...

#5 seems to be a tailored solution for this sort of thing ...
but needs testing...


i like to keep things simple:
no /boot encryption, no LVM , RAID ,etc


someday every linux distro during the
install process will ask the user for
the 2nd auth factor residing on an external device.

till then i will do more reading & testing ...


F-
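
The procedure asked about in this thread (a keyfile on a USB stick added to a root volume that was encrypted with a passphrase at install time), sketched as an added example that is not part of the original messages. The LUKS partition `/dev/sda5`, the mapping name `sda5_crypt`, the USB filesystem label `KEYS` and the key path `/root.key` are hypothetical; the commands need root on a Debian system with cryptsetup installed.

```shell
#!/bin/sh
# Added example: enrol a USB keyfile in a spare LUKS key slot on Debian.
# All device names, labels and paths used here are hypothetical.

# Create a 4 KiB random keyfile that only its owner can read.
make_keyfile() {    # $1 = path of the keyfile on the mounted USB stick
    ( umask 077 && head -c 4096 /dev/urandom > "$1" )
}

# Add the keyfile to the next free key slot. cryptsetup prompts for the
# existing passphrase, which stays valid in its own slot as a fallback.
enroll_keyfile() {  # $1 = LUKS device, $2 = keyfile
    cryptsetup luksAddKey "$1" "$2"
}

# Confirm the keyfile unlocks a slot without mapping the volume.
verify_keyfile() {  # $1 = LUKS device, $2 = keyfile
    cryptsetup luksOpen --test-passphrase --key-file "$2" "$1"
}

# Build the /etc/crypttab line. Debian's passdev keyscript expects the
# key field as <device>:<path on that device>[:<timeout in seconds>];
# it waits for the device, mounts it and prints the key to cryptsetup.
crypttab_line() {   # $1 = mapping name, $2 = LUKS UUID, $3 = USB label, $4 = key path
    printf '%s UUID=%s /dev/disk/by-label/%s:%s:10 luks,keyscript=/lib/cryptsetup/scripts/passdev\n' \
        "$1" "$2" "$3" "$4"
}

# Typical order, run as root with the USB stick mounted on /mnt:
#   make_keyfile /mnt/root.key
#   enroll_keyfile /dev/sda5 /mnt/root.key
#   verify_keyfile /dev/sda5 /mnt/root.key
#   cryptsetup luksDump /dev/sda5        # shows which key slots are in use
#   crypttab_line sda5_crypt "$(cryptsetup luksUUID /dev/sda5)" KEYS /root.key
#   (replace the volume's existing line in /etc/crypttab with that output)
#   update-initramfs -u                  # rebuild the initramfs with the new entry
```

Keep the passphrase slot until a reboot with the USB key has succeeded, so a lost or unreadable stick does not lock the volume.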