How to use a key file instead of a passphrase for LUKS

How to use key file instead of a passphrase

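Add a key file and remove the passphrase, which is usually in slot 0. First see what slots you have:

cryptsetup luksOpen /dev/sdx1 blah
cryptsetup luksDump /dev/sdx1

Restrict access to the key file directory and the key file:

sudo chmod 0700 /root/.keyfiles
sudo chmod 0400 /root/.keyfiles/luks_backups

Add the key file to a free slot. The new key file is the positional argument; with luksAddKey, --key-file names an existing key used to unlock the volume, not the key being added:

cryptsetup luksAddKey /dev/sda1 /root/.keyfiles/luks_keyfile.bin

You don't need to put a passphrase on the key file: the file itself is already on an encrypted partition, so you have to open that partition first before you can get to it.

Remove the passphrase slot. cryptsetup asks for one of the remaining keys before it wipes the slot, which can be supplied with --key-file:

cryptsetup luksKillSlot /dev/sda1 0

Then close the volume and try to open it again:

cryptsetup luksClose blah

Your passphrase should no longer work, but the --key-file option should.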

To configure it to automount on boot

sudo blkid /dev/sdi1
/dev/sdi1: UUID="2f9437c0-d853-4aad-8bde-5138427945d4" TYPE="crypto_LUKS" 
sudo vi /etc/crypttab

Add this line:

b1 UUID=2f9437c0-d853-4aad-8bde-5138427945d4 /root/.keyfiles/luks_backups luks

Rebuild the initramfs:

sudo update-initramfs -u -k all
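A check that fits the setup above, as an added example that is not part of the original page: it reads a crypttab file and flags key files whose mode or directory is looser than the 0400/0700 used here. The function names and sample entries are constructed for illustration, and it assumes a stat that supports -c.

```bash
#!/bin/sh
# Added example: audit key-file permissions for the entries of a crypttab file.
# Assumes a stat that supports -c (GNU coreutils or BusyBox); function names are hypothetical.

# Print one finding per entry; return 1 if a key file is missing or exposed.
audit_crypttab() {
    local name dev key opts mode dmode rc
    rc=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac           # blank line or comment
        case $key in
            ''|none|-) echo "PROMPT  $name"; continue ;;  # passphrase typed at boot
            /dev/*)    echo "DEVICE  $name $key"; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "MISSING $name $key"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$key")
        dmode=$(stat -c '%a' "$(dirname "$key")")
        # Any group/other permission bit on the file or its directory exposes the key.
        if [ $(( (0$mode | 0$dmode) & 077 )) -ne 0 ]; then
            echo "EXPOSED $name $key file=$mode dir=$dmode"; rc=1
        else
            echo "OK      $name $key file=$mode dir=$dmode"
        fi
    done < "$1"
    return $rc
}

# Constructed sample: a 0700/0400 key as on this page, a loose one, a prompt entry, a missing file.
make_sample() {
    mkdir -p "$1/keys" "$1/loose"
    chmod 0700 "$1/keys"; chmod 0755 "$1/loose"
    printf 'constructed key material\n' > "$1/keys/good.bin"; chmod 0400 "$1/keys/good.bin"
    printf 'constructed key material\n' > "$1/loose/bad.bin"; chmod 0644 "$1/loose/bad.bin"
    cat > "$1/crypttab" <<EOF
# constructed sample, UUIDs are placeholders
b1  UUID=00000000-0000-0000-0000-000000000001  $1/keys/good.bin  luks
b2  UUID=00000000-0000-0000-0000-000000000002  $1/loose/bad.bin  luks
b3  UUID=00000000-0000-0000-0000-000000000003  none              luks
b4  UUID=00000000-0000-0000-0000-000000000004  $1/keys/gone.bin  luks
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
audit_crypttab "$sample/crypttab" || echo "audit found problems"
rm -rf "$sample"
```

To audit the real file, run audit_crypttab /etc/crypttab as root so the key files under /root are readable to the check.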

To see your enabled key phrases/key files

cryptsetup luksDump /dev/sda1

Save all the keys in a secure space

So you don’t suddenly lose access to all your encrypted keys when your master drive goes bad.

There is a luksDump --dump-master-key option that saves the LUKS device master key instead of the keyslot info. Beware that the master key cannot be changed and can be used to decrypt the data stored in the LUKS container without a passphrase and even without the LUKS header. This means that if the master key is compromised, you are screwed. Use this option carefully (or not at all).