On Wed, 5 Apr 2017, FHDATA wrote:
hello,
I am not currently using debian as linux OS but
considering it ...
If I clean install debian (latest of course) and during
the install process have its / (system drive)
encrypted with pass-phrase ....
then later on, can I add a key, residing on
a usb flash drive, to that encryption?
if yes, is there a step-by-step method one can follow to do that?
thank you,
F-
i apologize for not sending a timely response back;
just being busy;
thanks to all who provided feedback from
which i learned:
1. possibility of using a 3rd party 2fa solution (e.g. yubico)
[relying on internet during boot may be undesirable...]
2. in LUKS one of the other remaining 7 slots can be utilized for path
to encryption key ...
3. system boot process looks for & mounts an external
usb device and uses the key on it .....
4. utilizing Password Agents, Plymouth, (of systemd) to
prompt user for 'some passphrase for ---- '
5. /etc/default/cryptdisks {seems to be a debian/ubuntu centric
thing, which is fine...}
#2 seems unlikely but i will investigate further.
combination of #3 + #4 looks promising ...
#5 seems to be a tailored solution for this sort of thing ...
but needs testing...
i like to keep things simple:
no /boot encryption, no LVM, RAID, etc.
someday every linux distro during the
install process will ask the user for
the 2nd auth factor residing on an external device.
till then i will do more reading & testing ...
F-
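
The step-by-step the original question asks for, combining points 2 and 3 above, as an added example that is not part of the thread. It assumes Debian's cryptsetup package with its `passdev` keyscript (not mentioned in the thread); the device path, the `KEYUSB` filesystem label, the mapping name and the keyfile name are constructed placeholders.

```shell
#!/bin/sh
# Added example: enroll a keyfile kept on a USB stick in a spare LUKS key slot.
# Device paths, labels and names below are constructed placeholders.

# Create a 4096-byte random keyfile readable only by its owner.
make_keyfile() {   # $1 = keyfile path (on the mounted USB stick)
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null )
    chmod 0400 "$1"
}

# Add the keyfile to the next free key slot. cryptsetup prompts for the
# existing passphrase, which stays valid in its own slot as a fallback.
enroll_keyfile() {   # $1 = LUKS partition, $2 = keyfile
    cryptsetup luksAddKey "$1" "$2" &&
    cryptsetup luksDump "$1"    # lists which key slots are now in use
}

# Build the /etc/crypttab entry. With the passdev keyscript the key field
# is "<device>:<path on that device>", read from the initramfs at boot.
crypttab_line() {   # $1 = mapping name, $2 = LUKS UUID, $3 = USB label, $4 = key path
    printf '%s UUID=%s /dev/disk/by-label/%s:%s luks,keyscript=/lib/cryptsetup/scripts/passdev\n' \
        "$1" "$2" "$3" "$4"
}

# Run as root, e.g.: sh add-usb-key.sh --enroll /dev/sdXN /media/usb/root.key
if [ "${1:-}" = "--enroll" ]; then
    make_keyfile "$3" && enroll_keyfile "$2" "$3" || exit 1
    crypttab_line sdXN_crypt "$(cryptsetup luksUUID "$2")" KEYUSB "/$(basename "$3")"
    echo "Replace the root entry in /etc/crypttab with the line above,"
    echo "keeping the existing mapping name, then run: update-initramfs -u"
fi
```

Keep the passphrase slot in place so the system can still be unlocked if the USB stick is lost or fails.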