Encrypted LVM with USB keyfile

Because it took me several hours to get this working on my new server (asking myself why it took so long!), here are the instructions for using an encrypted LVM with a keyfile stored on a USB stick instead of entering a password/passphrase at startup:

  • No need to change /etc/initramfs-tools/initramfs.conf (MODULES=most does work)
  • No need to change /etc/initramfs-tools/modules
  • No need to change /etc/default/cryptdisks

In /etc/crypttab, change the entry from

    sdXX_crypt UUID=<UUID_OF_ENCRYPTED_LVM> none luks

to

    sdXX_crypt UUID=<UUID_OF_ENCRYPTED_LVM> /dev/disk/by-uuid/<UUID_OF_USB-STICK>:/<KEYFILENAME> luks,keyscript=/lib/cryptsetup/scripts/passdev

Then run update-initramfs -u -k all


Please note: The instructions above are for an encrypted LVM. I am operating another machine where not the whole LVM is encrypted, but only some LVs (logical volumes). The /etc/crypttab differs!

crypt-a UUID=<UUID_OF_ENCRYPTED_LV_A> /media/disk/your-key-file.key luks
crypt-b UUID=<UUID_OF_ENCRYPTED_LV_B> /media/disk/your-key-file.key luks
crypt-c UUID=<UUID_OF_ENCRYPTED_LV_C> /media/disk/your-key-file.key luks

/media/disk must be present in /etc/fstab and also in /etc/default/cryptdisks (CRYPTDISKS_MOUNT="/media/disk")

Both systems currently run Ubuntu 13.10.
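A small linter for the two crypttab layouts described above, as an added example that is not part of the original post; the function name, verdict strings and sample UUIDs are made up here. It assumes the passdev key field has the form <device>:<path>[:<timeout>] and that the device path itself contains no colon.

```shell
# Lint one /etc/crypttab line (hypothetical helper, not a cryptsetup tool).
# Prints "ok: ...", "warn: ..." or "error: ..."; exit status 0 only for ok/skip.
check_crypttab_line() (
    set -f                      # no globbing while splitting the line
    set -- $1                   # fields: name, source, key, options
    case "${1:-#}" in '#'*) echo "skip"; exit 0 ;; esac
    [ $# -eq 4 ] || { echo "error: expected 4 fields, got $#"; exit 1; }
    key=$3 opts=$4
    case ",$opts," in
    *,keyscript=/lib/cryptsetup/scripts/passdev,*)
        # passdev reads the key field as <device>:<path>[:<timeout>]
        case "$key" in
            *:*) ;;
            *) echo "error: passdev needs <device>:<path>, got '$key'"; exit 1 ;;
        esac
        dev=${key%%:*} rest=${key#*:}
        path=${rest%%:*} timeout=
        case "$rest" in *:*) timeout=${rest#*:} ;; esac
        [ -n "$path" ] || { echo "error: empty key path"; exit 1; }
        case "$timeout" in
            *[!0-9]*) echo "error: timeout '$timeout' is not a number"; exit 1 ;;
        esac
        case "$dev" in
            /dev/disk/by-*) echo "ok: passdev key $path on $dev" ;;
            /dev/*) echo "warn: $dev may be renamed between boots, use /dev/disk/by-uuid"; exit 1 ;;
            *) echo "error: '$dev' is not a device path"; exit 1 ;;
        esac ;;
    *)
        case "$key" in
            none) echo "ok: passphrase prompt" ;;
            /dev/*:*) echo "error: device:path key but no keyscript=passdev option"; exit 1 ;;
            /*) echo "ok: keyfile $key (its filesystem must be mounted first)" ;;
            *) echo "error: key field '$key' is neither none nor an absolute path"; exit 1 ;;
        esac ;;
    esac
)

# Constructed sample lines with placeholder UUIDs, checked when the file is run.
while read -r l; do check_crypttab_line "$l" || true; done <<'EOF'
sdXX_crypt UUID=aaaa-1111 /dev/disk/by-uuid/1234-ABCD:/root.key luks,keyscript=/lib/cryptsetup/scripts/passdev
crypt-a UUID=bbbb-2222 /media/disk/your-key-file.key luks
crypt-b UUID=cccc-3333 /dev/disk/by-uuid/1234-ABCD:/root.key luks
EOF
```

The third sample line shows the easy mistake: the device:path key without the keyscript option, which would be read as a literal file path.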
