tangetools/decrypt-root-with-usb/README

It would be ideal to me if I could simply have a small USB stick
containing a passphrase that will unlock the disk. Not only would that
be handy for servers (where you could leave the USB stick in the
server - the goal is to be able to return broken harddisks without
having to worry about confidential data), it would also be great for
my laptop: Insert the USB stick when booting and remove it after
unlocking the cryptodisk.

I have now written a patch that will search the root dir of all
devices for the file 'cryptkey.txt' and try decrypting with each line
as a key. If that fails: Revert to typing in the pass phrase.

It does mean the key cannot contain \n, but that would apply to any
typed in key, too. The good part is that you can use the same USB disk
to store the key for multiple machines: You do not need a separate USB
disk for each. So if you have a USB drive in your physical key ring,
you can use the same drive for all the machines you boot when being
physically close.

You add the key with (/dev/sda5 is the full-disk encrypted device you
want to unlock):

    cryptsetup luksAddKey /dev/sda5

And then put the same key as a line in a file on the USB/MMC disk
called 'cryptkey.txt'.

If the USB drivers, MMC drivers or the filesystems are not present in
your initramfs, you need to add them by adding to
/etc/initramfs-tools/modules:

    uhci_hcd
    ehci_hcd
    usb_storage
    nls_utf8
    nls_cp437
    nls_ascii
    vfat
    fat
    sd_mod
    mmc_block
    tifm_sd
    tifm_core
    mmc_core
    tifm_7xx1
    sdhci
    sdhci_pci

Copy the relevant cryptroot to
/usr/share/initramfs-tools/scripts/local-top/cryptroot

When all is done, update the initramfs:

    update-initramfs -u

Now reboot the system with the USB-disk connected.

(C) 2014-2022 Ole Tange, GPLv2 or later