Note: See this for how I played with disk encryption for an external drive on my Raspberry Pi.

I recently set up a Fedora machine and (obviously) enabled disk encryption on it. That meant typing a long passphrase at every reboot, and in my setup this passphrase was different from my user account password. So I wanted the disk to be decrypted automatically if a particular USB drive was present at boot, and the system should fall back to the passphrase prompt if the drive weren't present.

First, I used the usual commands to generate a keyfile and add it to an empty LUKS key slot:

# Check which key slots are already in use (a free slot is needed for the new key).
sudo cryptsetup luksDump /dev/nvme0n1p3

# Generate a 32-byte (256-bit) random keyfile and make it readable only by its owner.
dd if=/dev/urandom of=fedora-encryption-key bs=32 count=1
chmod 600 fedora-encryption-key    # Also, move this to the root of the USB drive.

# Add the keyfile to a free slot; cryptsetup asks for an existing passphrase first.
sudo cryptsetup luksAddKey /dev/nvme0n1p3 fedora-encryption-key

Second, change /etc/crypttab so that the keyfile is read from the USB drive. The third field takes the form keyfile:device, where the keyfile path is relative to the root of the filesystem with that UUID, and keyfile-timeout=5s tells systemd-cryptsetup to stop waiting for that device after five seconds and ask for the passphrase instead. Note that a UUID of the form D51B-10FB is a FAT volume ID: a keyfile on a FAT stick has no meaningful permission bits, so whoever holds the stick can unlock the disk. Change the file from:

luks-bc35bbbb-821d-44cb-9502-cec71bab3de6 UUID=bc35bbbb-821d-44cb-9502-cec71bab3de6 none discard

To:

luks-bc35bbbb-821d-44cb-9502-cec71bab3de6 UUID=bc35bbbb-821d-44cb-9502-cec71bab3de6 /fedora-encryption-key:UUID=D51B-10FB discard,keyfile-timeout=5s

Third, rebuild the initramfs so that the new /etc/crypttab is included in it. Be careful: a mistake here can leave the system unable to boot and require booting into recovery mode. Before relying on the setup, reboot once with the drive plugged in and once without it, to confirm that both the keyfile unlock and the passphrase fallback work.

# Check which initramfs images are present; dracut --force overwrites the one for the running kernel.
ls /boot/initramfs-*.img

# Rebuild the initramfs for the running kernel (add --regenerate-all to rebuild every installed kernel's image).
sudo dracut --force
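The three steps above, as an added pre-flight script that is not part of the original post. It assumes the same hypothetical values as the post (LUKS partition /dev/nvme0n1p3, keyfile fedora-encryption-key, USB filesystem UUID D51B-10FB); the function names and the RUN_PREFLIGHT, KEYFILE, LUKS_DEV and USB_UUID variables are my own. It composes the crypttab line, checks the keyfile where it was generated (before it is copied to the stick, where FAT hides the mode bits), and, when run as root with RUN_PREFLIGHT=1 and the stick plugged in, confirms that the USB UUID resolves to a device and that the keyfile really unlocks the LUKS header (cryptsetup's --test-passphrase checks the key without mapping the device), then backs up the current initramfs so a bad rebuild can be rolled back.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for
# USB-keyfile unlock with passphrase fallback, to run *before* `dracut --force`.
# Assumed (hypothetical) values: LUKS partition /dev/nvme0n1p3, keyfile
# fedora-encryption-key, USB filesystem UUID D51B-10FB.
set -eu

# Compose the crypttab entry: <mapping> <LUKS device> <keyfile>:<keyfile device> <options>.
# keyfile-timeout= makes systemd-cryptsetup prompt for a passphrase when the
# keyfile device has not appeared within the timeout, instead of hanging.
build_crypttab_line() {
    luks_uuid="$1"; keyfile="$2"; usb_uuid="$3"; timeout="${4:-5s}"
    printf 'luks-%s UUID=%s %s:UUID=%s discard,keyfile-timeout=%s\n' \
        "$luks_uuid" "$luks_uuid" "$keyfile" "$usb_uuid" "$timeout"
}

# Check the keyfile where it was generated (a FAT stick reports no useful
# mode bits): it must exist, be exactly the expected size, and be mode 600.
validate_keyfile() {
    path="$1"; expected_bytes="${2:-32}"
    [ -f "$path" ] || { echo "keyfile missing: $path" >&2; return 1; }
    size=$(stat -c %s "$path")
    mode=$(stat -c %a "$path")
    [ "$size" -eq "$expected_bytes" ] \
        || { echo "keyfile is $size bytes, expected $expected_bytes" >&2; return 1; }
    [ "$mode" = "600" ] \
        || { echo "keyfile mode is $mode, expected 600" >&2; return 1; }
}

# Live checks against the real system; needs root and the stick plugged in.
# Returns non-zero if anything would leave the initramfs unable to unlock.
preflight() {
    luks_dev="$1"; keyfile="$2"; usb_uuid="$3"
    # The USB UUID written into crypttab must resolve to a block device right now.
    blkid -U "$usb_uuid" >/dev/null \
        || { echo "no filesystem with UUID $usb_uuid found" >&2; return 1; }
    # Prove the keyfile opens the LUKS header, without mapping the device.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$luks_dev" \
        || { echo "keyfile does not unlock $luks_dev" >&2; return 1; }
    # Keep a copy of the running kernel's initramfs for rollback.
    img="/boot/initramfs-$(uname -r).img"
    [ -e "$img.bak" ] || cp "$img" "$img.bak"
    echo "preflight OK; safe to run: dracut --force"
}

# Only touch the real system when explicitly asked, so the functions above
# can be sourced and exercised on their own.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
    validate_keyfile "${KEYFILE:-fedora-encryption-key}"
    preflight "${LUKS_DEV:-/dev/nvme0n1p3}" "${KEYFILE:-fedora-encryption-key}" "${USB_UUID:-D51B-10FB}"
    build_crypttab_line "${LUKS_UUID:-bc35bbbb-821d-44cb-9502-cec71bab3de6}" \
        "/${KEYFILE:-fedora-encryption-key}" "${USB_UUID:-D51B-10FB}"
fi
```

Run it as `sudo RUN_PREFLIGHT=1 sh preflight.sh` with the stick inserted; the last line it prints is the crypttab entry to paste in. After `dracut --force`, `sudo lsinitrd | grep crypttab` shows whether the rebuilt image actually carries the file.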

Resources: