4.2. Add a 'keyfile' on USB key to activate the automatic decryption
We will now configure the system to decrypt the partition using a file stored on the USB startup key. The computer will then recognize the startup key and decrypt the partition without asking for a passphrase.
Create the file keyfile in /boot and restrict its access rights by running the following commands:
dd if=/dev/urandom of=/boot/keyfile bs=512 count=4
chmod 400 /boot/keyfile
Add the new keyfile as a valid key for decrypting the disk:
cryptsetup luksAddKey /dev/sda5 /boot/keyfile
It is the contents of the file that matter, not the filename.
We will now configure the system to use the created keyfile to decrypt the disk automatically at startup. Edit /etc/crypttab and modify the line as follows:
Finally, update the initramfs:
update-initramfs -uv
To remove automatic decryption and go back to passphrase-only unlocking, revert the change to /etc/crypttab. The file should then look something like this:
Finally, update the initramfs:
update-initramfs -uv
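The following helper functions are an added example, not part of the original guide: they wrap the keyfile steps above (generation, permission check, enrolment) and the reversal, and add the checks a practitioner would want. They assume a LUKS device such as /dev/sda5, the keyfile at /boot/keyfile and the standard crypttab layout of target, source, key file and options; adjust the paths to your system.

```shell
#!/bin/sh
# Added helper functions for the keyfile procedure (example code, not from
# the original guide). Assumed paths: /dev/sda5 and /boot/keyfile.
set -eu

# Generate a 2048-byte random keyfile readable only by its owner, refusing to
# overwrite an existing one: re-running the guide must not silently replace a
# key that is already enrolled in the LUKS header.
gen_keyfile() {
    [ ! -e "$1" ] || { echo "refusing to overwrite $1" >&2; return 1; }
    ( umask 077; dd if=/dev/urandom of="$1" bs=512 count=4 2>/dev/null )
    chmod 400 "$1"
}

# Succeed only if the keyfile is a regular file of the expected size with
# mode 0400; anything more permissive lets other local users copy the key.
check_keyfile() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %s "$1")" -eq 2048 ] || return 1
    [ "$(stat -c %a "$1")" = "400" ]
}

# Print the key-file field (third column) of the crypttab entry for a target
# such as sda5_crypt; empty output means the target has no entry.
crypttab_keyfile() {
    awk -v t="$1" '$1 == t { print $3; exit }' "${2:-/etc/crypttab}"
}

# Enrol the keyfile in a free LUKS key slot; cryptsetup prompts for an
# existing passphrase first. Usage: enrol_keyfile /dev/sda5 /boot/keyfile
enrol_keyfile() {
    check_keyfile "$2" && cryptsetup luksAddKey "$1" "$2"
}

# Reverting: editing /etc/crypttab only stops the automatic unlock; the
# keyfile stays a valid key in the LUKS header until its slot is removed.
# Usage: revoke_keyfile /dev/sda5 /boot/keyfile
revoke_keyfile() {
    cryptsetup luksRemoveKey "$1" "$2" && shred -u "$2"
}
```

Run revoke_keyfile before deleting the USB key's contents, otherwise anyone holding a copy of the keyfile can still open the partition.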