On Apr 5, 2017, at 4:31 PM, FHDATA <fhd...@unm.edu> wrote:
> hello,
>
> I am not currently using debian as linux OS but
> considering it ...
>
> If I clean install debian (latest of course) and during
> the install process have its / (system drive)
> encrypted with pass-phrase ....
>
> then later on, can I add a key, residing on
> a usb flash drive, to that encryption?
>
> if yes, is there a step-by-step method one can follow to do that?
>
> thank you,
> F-

I used to do this. It worked very well before Jessie came along. You need an un-encrypted /boot partition to hold the kernel and initrd, of course…

With the introduction of systemd in Jessie, the mechanism that ran a script to get a password to decrypt the root disk[1] got broken. I don’t think there was anything about systemd in particular that made it impossible, it just wasn’t at the top of the developer’s priority list to implement that feature. I suspect it would not be difficult to implement such a feature again under recent systemd versions, but nobody’s done it yet — at least as far as I know.

If I take a stab at implementing such a feature, would you be interested in helping?

Enjoy!
Rick

[1] In my case the script looked for a USB drive with a given label, mounted it, read the key from a file it found there, then unmounted the USB drive so it could be removed by the sysop for safe-keeping until the next reboot.
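
A script of the kind footnote [1] describes, as an added example that is not Rick's script or any Debian package's code. It assumes the keyscript convention of Debian's crypttab(5), where the script's standard output is used as the key; the label KEYDISK, the file name root.key, the mount point /run/usbkey and the installed name usbkey are constructed values.

```shell
#!/bin/sh
# Added example: keyscript in the style of footnote [1]. Whatever it writes to
# stdout is taken as the key, so every diagnostic goes to stderr.
# KEYDISK, root.key and /run/usbkey are constructed values, not from the post.
KEY_LABEL="${KEY_LABEL:-KEYDISK}"            # filesystem label of the USB stick
KEY_FILE="${KEY_FILE:-root.key}"             # key file name on that filesystem
BY_LABEL="${BY_LABEL:-/dev/disk/by-label}"   # udev's by-label symlink directory
MNT="${MNT:-/run/usbkey}"                    # temporary mount point
USB_WAIT="${USB_WAIT:-10}"                   # seconds to wait for the stick

# Print the labelled device's path once it appears; fail after USB_WAIT seconds.
find_key_device() {
    waited=0
    until [ -e "$BY_LABEL/$KEY_LABEL" ]; do
        [ "$waited" -ge "$USB_WAIT" ] && return 1
        waited=$((waited + 1))
        sleep 1
    done
    printf '%s\n' "$BY_LABEL/$KEY_LABEL"
}

# Mount read-only, write the key to stdout, and always unmount again so the
# stick can be pulled and locked away until the next reboot.
emit_key() {
    mkdir -p "$MNT" || return 1
    mount -o ro,nosuid,nodev,noexec "$1" "$MNT" >&2 || return 1
    rc=1
    if [ -f "$MNT/$KEY_FILE" ]; then
        cat "$MNT/$KEY_FILE" && rc=0
    else
        echo "usbkey: $KEY_FILE not found on $1" >&2
    fi
    umount "$MNT" >&2 || echo "usbkey: could not unmount $MNT" >&2
    return "$rc"
}

main() {
    if dev=$(find_key_device) && emit_key "$dev"; then
        return 0
    fi
    echo "usbkey: no usable key device, asking for the passphrase" >&2
    /lib/cryptsetup/askpass "Passphrase for the root disk: "   # Debian's prompt helper
}

# Run only under the installed name, so the file can also be sourced.
case "${0##*/}" in usbkey) main ;; esac
```

The key file itself is enrolled beforehand in a free LUKS slot with `cryptsetup luksAddKey <device> <keyfile>`, leaving the install-time passphrase in place as the fallback. Anyone holding the stick holds the key, which is why the script unmounts it as soon as the key has been read.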