On Mon, May 29, 2017 at 03:36:44PM +0200, Прокси wrote:
> Hello,
>
> I have a laptop where I set up full disk encryption following this
> tutorial:
> https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html
>
> It works great, but since LUKS can have up to 8 key slots, I would like
> to add another way to decrypt the laptop: a key on an external USB. So, if
> there is a USB with the key plugged in, the laptop doesn't ask for the
> passphrase and just continues booting; if there isn't, it asks for the
> passphrase. Can this be done?

Never tried myself, but

  cryptsetup luksAddKey <device>

should work. Make a backup or... better, try first with a sacrificial
device (either a file you create with dd, like so

  dd if=/dev/zero of=my-file bs=4096 count=1024

or similar, or a USB stick). You then "cryptsetup luksFormat" it,
"cryptsetup luksOpen" it, make a file system on the corresponding
device (which will typically appear somewhere in /dev/mapper/) and
play around with it until you feel secure.

There are also cryptsetup luksHeaderBackup and luksHeaderRestore
subcommands which look useful in case of a mishap.

See the cryptsetup man page for details, and ask here if unsure.

Cheers
-- tomás
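The rehearsal suggested in the reply above, written out as an added example (not code from either poster). The directory layout, file names and the use of a second key file in place of the existing passphrase are assumptions made so the run is non-interactive.

```shell
#!/bin/sh
# Added example: rehearse luksAddKey on a throwaway image file, never the real disk.
# All paths are assumed names inside a fresh scratch directory. Run rehearse as root.

# Create a 4096-byte random key file readable only by its owner.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null ) &&
        chmod 0400 "$1"
}

# Format a sacrificial image, back up its header, add a second key, test both.
rehearse() {
    dir=$1
    img=$dir/sacrificial.img
    hdr=$dir/header.bak
    old=$dir/slot0.key   # stands in for the existing passphrase
    new=$dir/usb.key     # stands in for the key kept on the USB stick
    mkdir -p "$dir" || return 1
    # 32 MiB: newer cryptsetup versions default to LUKS2, whose header is
    # larger, so the 4 MiB file from the mail can be too small.
    dd if=/dev/zero of="$img" bs=1M count=32 2>/dev/null || return 1
    make_keyfile "$old" && make_keyfile "$new" || return 1
    cryptsetup --batch-mode luksFormat --key-file "$old" "$img" || return 1
    # Take the header backup before changing key slots, so luksHeaderRestore
    # has a known-good copy. The backup file must not already exist.
    cryptsetup luksHeaderBackup "$img" --header-backup-file "$hdr" || return 1
    # --key-file unlocks an existing slot; the trailing argument is the new key.
    cryptsetup luksAddKey --key-file "$old" "$img" "$new" || return 1
    # Both keys must unlock the volume; --test-passphrase maps nothing.
    cryptsetup open --test-passphrase --key-file "$old" "$img" &&
        cryptsetup open --test-passphrase --key-file "$new" "$img" || return 1
    # Show which key slots are now in use.
    cryptsetup luksDump "$img"
}
```

Call `rehearse /tmp/luks-rehearsal` (any empty scratch directory) as root. The header backup contains the key slots, so it needs the same protection as the key files.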