Full Disk Encryption: Difference between revisions
Add info about keyfile in initrd |
Added description of fallbackToPassword option |
| Line 49: | Line 49: | ||
dd if=/dev/random of=hdd.key bs=4096 count=1 | dd if=/dev/random of=hdd.key bs=4096 count=1 | ||
cryptsetup luksAddKey /dev/sda1 ./hdd.key | cryptsetup luksAddKey /dev/sda1 ./hdd.key | ||
</syntaxhighlight> | </syntaxhighlight>You can enable fallback to password (in case the USB stick is lost or corrupted) by setting the <code>boot.initrd.luks.devices.<name>.fallbackToPassword</code> option to <code>true</code>. By default, this option is <code>false</code> so you will have to perform a manual recovery if the USB stick becomes unavailable (which you may prefer, depending on your use case). | ||
== Option 1: Write key onto the start of the stick == | == Option 1: Write key onto the start of the stick == | ||
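Review bot: The new paragraph on the changed line starts immediately after the closing </syntaxhighlight> tag with no line break, so in the wikitext it runs straight on from the code block; put it on its own line after a blank line. The text should also say where the fallback passphrase comes from: the keyfile is enrolled with "cryptsetup luksAddKey /dev/sda1 ./hdd.key", so the fallback only helps if a passphrase key slot is kept on the volume, and once the option is enabled the disk is only as well protected as that passphrase. "Manual recovery" for the default case is left undefined; a short description or a link to the recovery steps would help.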
| Line 73: | Line 74: | ||
# pinning to /dev/disk/by-id/usbkey works | # pinning to /dev/disk/by-id/usbkey works | ||
keyFile = "/dev/sdb"; | keyFile = "/dev/sdb"; | ||
# optionally enable fallback to password in case USB is lost | |||
fallbackToPassword = true; | |||
}; | }; | ||
}; | }; | ||
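Review bot: The added comment calls the setting optional, but the example sets "fallbackToPassword = true;" unconditionally, while the paragraph added in the earlier hunk documents false as the default that some readers may prefer. Consider showing the line commented out, or extending the comment to say that with this enabled a missing stick leads to a passphrase prompt instead of a failed unlock, so the passphrase needs to be strong enough to protect the disk on its own.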