4.2. Add a 'keyfile' on USB key to activate the automatic decryption

We will now configure the system to decrypt the partition based on a file stored into the startup key. The computer will then recognize the startup key and decrypt the partition without asking a password anymore.

Create the file keyfile in /boot and change its access rights by executing the following commands:

dd if=/dev/urandom of=/bootkeyfile bs=512 count=4 chmod 400 /boot/keyfile

Add the new key into as a valid key to decrypt the disk.

cryptsetup luksAddKey /dev/sda5 keyfile

Note

The contents of the file is important, not the filename.

We will now configure the system to us the created keyfile to automatically decrypt the disk at startup. Edit /etc/crypttab modify the line

sda5_crypt UUID=(...) none luks

as follow:

sda5_crypt UUID=(...) /dev/disk/by-label/BOOT:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev

Finally, update the initramfs:

update-initramfs -uv

To remove auto decryption and reactivate passphrase only, modify /etc/crypttab in the reverse order. The file should look like something like that:

sda5_crypt UUID=(...) none luks

Finally, update the initramfs:

update-initramfs -uv