Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Debian/PowerBook G4: USB key for an encrypted LVM

This was originally posted on 2009-08-05 to

When setting Lenny up on my PowerBook, I wanted some way to encrypt important data on the hard drive. Crucially, this includes the contents of the main PostgreSQL database cluster. With this in mind, using an encrypted LVM seemed to be the obvious way to go and so I went ahead and did this during the initial installation (Debian makes it pretty easy to do). The one downside is that the 16 character alphanumeric password is a little cumbersome to type in every time, so I opted to have a key file stored on a USB key which could be plugged in at boot time to authenticate and unlock the LVM instead. Here's how I did this.

The first step is to generate a key that can be used. You can use whatever you want, such as an innocuous-looking PDF on your USB key, maybe. I stored my key in <usbkey>/.keys/<hostname>.key, and used this to generate it:

% head -c 5000 /dev/random | uuencode -m - | head -n 65 | tail -n 64 \
> > /path/to/<hostname>.key

Next, we need to tell LUKS about this key which requires us to know which is the encrypted device. Note that LUKS will prompt you for a passphrase (likely the one you set during the partitioning stage of Debian's installer).

% cat /etc/crypttab
hda4_crypt /dev/hda4 none luks
% cryptsetup luksAddKey /dev/hda4 /path/to/<machine>.key
Enter any LUKS passphrase: <passphrase>
key slot 0 unlocked.
Command successful.

Some modules need to be loaded to open and read the USB key, so append the following lines to /etc/initramfs-tools/modules:


We need a self-contained script that will retrieve the key file from the plugged-in USB key and present it to LUKS. I've used the one from here and stored it as /usr/local/sbin/ Tell the system about this by changing /etc/crypttab to your equivalent of this:

hda4_crypt /dev/hda4 .keys/<machine>.key luks,keyscript=/usr/local/sbin/

Update your initramfs image:

% update-initramfs -u all

Finally, reboot with the USB key attached and you shouldn't be prompted for your LUKS passphrase (unless you forget to plug it in).

Hat tip: much of the above was derived from this article

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment