On 2017-May-29 21:17, to...@tuxteam.de wrote: > On Mon, May 29, 2017 at 03:36:44PM +0200, Прокси wrote: > > Hello, > > > > I have laptop where I set up full disk encryption following this > > tutorial: > > https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html > > > > It works great, but since LUKS can have up to 8 key slots, I would like > > to add another way to decrypt the laptop: key on a external usb. So, if > > there is a usb with the key plugged in, laptop doesn't ask for the > > passphrase and just continue booting; if there isn't - it asks for the > > passphrase. Can this be done? > > Never tried myself, but cryptsetup luksAddKey <device> should work. > Make a backup or... better, try first with a sacrificial device > (either a file you create with dd, like so > > dd if=/dev/zero of=my-file bs=4096 count=1024 > > or similar, or an USB stick). You then "cryptsetup luksFormat" it, > "cryptsetup luksOpen" it, make a file system on the corresponding > device (which will typically appear somewhere in /dev/mapper/) and > play around with it until you feel secure. > > There are also cryptsetup luksHeaderBackup and luksHeaderRestore > subcommands which look useful in case of a mishap. > > See the cryptsetup man page for details, and ask here if unsure. > I followed instructions from this[1] link and it worked.
https://stackoverflow.com/questions/19713918/how-to-load-luks-passphrase-from-usb-falling-back-to-keyboard
