LUKS keyfile stored on USB stick so that no password is necessary during boot

Hello,

I am looking for a way to encrypt all my disks completely but not be prompted for a password during boot.
At the moment I am prompted for a password when grub2 is starting.

I was thinking if it is possible to put a keyfile on a USB stick instead and ask cryptomount in grub.cfg to read it from there. Only if the keyfile on the USB stick is not available should it ask for a password.

Is there a way to achieve this?
If yes, can someone guide me?

Thanks a lot,

Erie

Yes, there are ways of doing something like that.

I tried google for “luks key usb” (but without the quotes), and got a number of good suggestions.

Perhaps the most comprehensive is this one from the Arch wiki:

https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

Arch is set up somewhat differently from openSUSE, but many of the suggestions could be adapted to work.

Another possibility: You could use encrypted root or encrypted LVM, with “/boot” as part of what is encrypted. And then you are prompted for the key twice – once by grub and once by the system during boot. The openSUSE wiki gives the details on how to avoid that second prompt for the key. It basically puts the key in the “initrd”, which is reasonably safe since the “initrd” is readable only by root and sits in the encrypted “/boot”.

The next step would be to create a duplicate “/boot” on a USB, which is left unencrypted. Of course that leaves the initrd with key on that unencrypted USB, so you need to protect it. And then when you boot from the USB, you won’t need to enter the key. Only when you boot from the hard drive, will that be needed. But you will need to keep the USB reasonably synchronized with the encrypted “/boot”.

When I had a need for unattended booting of a system, I chose a simpler approach. I made sure that nothing critical was on the root partition. I also made sure that “/tmp” used “tmpfs”, and I set up a randomly encrypted swap partition.

And then I set up my home directory to be “ecryptfs” encrypted. So I needed to be physically present for login, but not for booting.
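The “keyfile on a USB stick, passphrase prompt only if the stick is missing” behaviour the original question asks for can be had at the initrd stage (the second prompt the reply above mentions) without copying the key into the initrd at all. The script below is an added example, not code from this thread or from any openSUSE wiki page: it creates a keyfile with root-only permissions, checks that the permissions really are 0600, and prints the /etc/crypttab entry that tells systemd-cryptsetup to look for the key on a named device and fall back to a passphrase after a timeout. It assumes the initrd uses systemd-cryptsetup (the `KEYFILE:DEVICE` third field and the `keyfile-timeout=` option are documented in crypttab(5)); the mapper name, UUIDs and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a LUKS keyfile for a USB stick
# and emit the crypttab entry that tries the keyfile first and falls back to a
# passphrase prompt when the stick is absent. Assumes systemd-cryptsetup
# semantics per crypttab(5); every device name and UUID here is a placeholder.

# make_keyfile PATH: create a 64-byte random keyfile that is never world-readable.
make_keyfile() {
    path=$1
    # umask in a subshell so the file is created 0600 without changing the caller's umask
    ( umask 077 && head -c 64 /dev/urandom > "$path" ) || return 1
    chmod 600 "$path"
}

# keyfile_ok PATH: succeed only if the keyfile has exactly mode 0600 and 64 bytes.
keyfile_ok() {
    path=$1
    [ -n "$(find "$path" -perm 600 2>/dev/null)" ] || return 1
    [ "$(wc -c < "$path" | tr -d ' ')" -eq 64 ]
}

# crypttab_line NAME LUKS_UUID KEYFILE KEYDEV TIMEOUT
# Prints one /etc/crypttab entry. KEYFILE is a path relative to the root of the
# filesystem on KEYDEV (e.g. UUID=... of the USB stick's filesystem).
# keyfile-timeout= makes systemd-cryptsetup wait that long for KEYDEV and then
# ask for a passphrase instead of failing the boot.
crypttab_line() {
    printf '%s UUID=%s %s:%s luks,keyfile-timeout=%s\n' "$1" "$2" "$3" "$4" "$5"
}
```

Typical use, with the stick mounted at a placeholder path: `make_keyfile /mnt/usbkey/luks.key`, then enrol the file in a spare key slot with `cryptsetup luksAddKey /dev/sdX /mnt/usbkey/luks.key` (the passphrase slot stays, which is what makes the fallback work), append the output of `crypttab_line cr_root <root-luks-uuid> /luks.key UUID=<stick-fs-uuid> 10s` to /etc/crypttab, and rebuild the initrd so the new crypttab is picked up. The keyfile on the stick is the same thing as the passphrase for that volume, so the stick needs the same physical protection the reply above asks for the unencrypted USB /boot.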

Thank you for your reply. I tried to google it before and got similar results. Unfortunately most sites just explain how to encrypt a USB stick, which is not helpful for my goal. The most promising site I found was GitHub - johnlane/grub: Grub with crypto extensions to support for DMCrypt and LUKS volumes with detached headers and key files. But I was not able to get it to work under Tumbleweed.

Your link to Arch Wiki page looks promising. I will give it a try.

Thanks a lot!

There used to be a way that you could put a parameter on the kernel boot line, to tell the kernel to find the key on a USB device. But I was unable to find any web pages about that and I’m not sure whether it is still supported.

In any case the Arch wiki is a great source of information about Linux.

I tried what you described here. I created an unencrypted “/boot” on the USB stick. It works perfectly. Thank you for the hint.

Erie
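The unencrypted USB “/boot” that the thread settles on has two maintenance points the reply spelled out: it has to be kept in step with the encrypted “/boot”, and the initrd on it (which carries the key) must stay readable only by root. The script below is an added example, not code from this thread or from openSUSE: it mirrors one boot directory into another preserving modes, checks that every `initrd*` on the copy is still 0600, and checks that the copy is byte-for-byte in sync. The source and destination paths are placeholders for the encrypted /boot and the mounted USB stick; it does not unmount or mount anything itself.

```shell
#!/bin/sh
# Added example (not from the thread): keep an unencrypted USB copy of /boot in
# step with the encrypted /boot and verify the initrd (which contains the LUKS
# key) is not world-readable on the copy. SRC/DST are placeholders, e.g.
# /boot and /mnt/usbboot.

# sync_boot SRC DST: copy SRC into DST preserving permissions and timestamps.
# Files removed from SRC are not removed from DST; see boot_in_sync below.
sync_boot() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    cp -a "$src/." "$dst/"
}

# initrd_private DIR: succeed only if every initrd* under DIR has mode 0600.
# Offending paths are printed to stderr so the caller can fix them.
initrd_private() {
    dir=$1
    bad=$(find "$dir" -name 'initrd*' ! -perm 600)
    [ -z "$bad" ] && return 0
    printf 'initrd not restricted to owner:\n%s\n' "$bad" >&2
    return 1
}

# boot_in_sync SRC DST: succeed only if every regular file in SRC has an
# identical copy in DST (cmp -s is silent and returns non-zero on any difference).
boot_in_sync() {
    src=$1; dst=$2
    (cd "$src" && find . -type f) | while read -r f; do
        cmp -s "$src/$f" "$dst/$f" || exit 1
    done
}
```

Run `sync_boot /boot /mnt/usbboot` after every kernel or initrd update, then `initrd_private /mnt/usbboot && boot_in_sync /boot /mnt/usbboot` before unmounting; a failing `initrd_private` means the key is exposed to any account that can mount the stick, and a failing `boot_in_sync` means the USB copy will boot an older kernel or initrd than the hard-drive copy. The mode check is only half of what root-only means; on the real stick the files must also be owned by root, which this example does not check because it runs unprivileged.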