How to use a key file instead of a passphrase
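Add a key file and remove the passphrase, which is usually in slot 0. First open the device and see which slots are in use:
cryptsetup luksOpen /dev/sdx1 blah
cryptsetup luksDump /dev/sdx1
Restrict access to the key file directory and the key file:
sudo chmod 0700 /root/.keyfiles
sudo chmod 0400 /root/.keyfiles/luks_backups
Add the key file to a free slot. The new key file is given as a positional argument; with luksAddKey, --key-file names an existing key used to unlock the device, not the key being added:
cryptsetup luksAddKey /dev/sda1 /root/.keyfiles/luks_keyfile.bin
You don't need to put a passphrase on the key file: the file itself is already on an encrypted partition, so that partition has to be opened before you can get to it.
Remove the passphrase in slot 0:
cryptsetup luksKillSlot /dev/sda1 0
Close the mapping
cryptsetup luksClose blah
and try to open it again. Your passphrase should not work, but the --key-file option should.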
To configure it to automount on boot
sudo blkid /dev/sdi1
/dev/sdi1: UUID="2f9437c0-d853-4aad-8bde-5138427945d4" TYPE="crypto_LUKS"
sudo vi /etc/crypttab
and add the line
b1 UUID=2f9437c0-d853-4aad-8bde-5138427945d4 /root/.keyfiles/luks_backups luks
Rebuild the initramfs:
sudo update-initramfs -u -k all
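An added example, not part of the original page: a shell function that reads a crypttab-format file and warns when a referenced key file is missing, or when the file or its directory is accessible to group or others (the 0400/0700 permissions used above). The function name and output format are assumptions of this example, and it assumes Linux with GNU stat.

```shell
#!/bin/sh
# Added example: audit key files named in a crypttab-format file.
# Assumes Linux with GNU stat (stat -c '%a').
# Usage after sourcing this file: check_crypttab_keyfiles [/etc/crypttab]

check_crypttab_keyfiles() (
    crypttab="${1:-/etc/crypttab}"
    bad=0
    warn() { echo "WARN $1"; bad=$((bad + 1)); }

    if [ ! -r "$crypttab" ]; then
        echo "WARN cannot read $crypttab"
        return 2
    fi

    # crypttab fields: <name> <device> <key file> <options>
    while read -r name device keyfile options || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac       # blank line or comment
        case "$keyfile" in ''|none|-) continue ;; esac  # passphrase prompt
        if [ ! -f "$keyfile" ]; then
            warn "$name: key file $keyfile does not exist"
            continue
        fi
        # An octal mode ending in 00 grants nothing to group or others.
        case "$(stat -c '%a' "$keyfile")" in
            0|*00) ;;
            *) warn "$name: $keyfile is accessible to group/others" ;;
        esac
        keydir=$(dirname "$keyfile")
        case "$(stat -c '%a' "$keydir")" in
            0|*00) ;;
            *) warn "$name: directory $keydir is accessible to group/others" ;;
        esac
        echo "CHECKED $name $keyfile"
    done < "$crypttab"

    # Exit status is 0 only when no warning was raised.
    [ "$bad" -eq 0 ]
)
```

Run it as root so that /root/.keyfiles is readable; a non-zero exit status means at least one entry needs attention.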
To see your enabled key phrases/key files
cryptsetup luksDump /dev/sda1
Save all the keys in a secure space
so you don’t suddenly lose access to all your encrypted keys when your master drive goes bad
There is a luksDump --dump-master-key option to save the LUKS device master key instead of the keyslot info. Beware that the master key cannot be changed and can be used to decrypt the data stored in the LUKS container without a passphrase and even without the LUKS header. This means that if the master key is compromised, you are screwed. Use this option carefully (or not at all).