Answer the question
In order to leave comments, you need to log in
Is it possible to use a key and a password at the same time in LUKS?
Actually the question is - is it possible to set both the password and the key file during encryption?
Does it mean that the system is loaded only if there is a flash drive with a key and after entering the password?
Or, as an option, put the bootloader on a flash drive and set a password when encrypting? Then what exactly should be put on a flash drive? /boot?
Answer the question
In order to leave comments, you need to log in
1. At the same time - it will not work, any of the LUKS-slots decrypts the disk. Which one you used when mounting (with a key or password) - that one will work.
2. Yes, remove /boot, in Debian it works great (just don't forget to insert a flash drive when updating). But this is also "relative" protection, it does not pull on a two-factor one, because. in fact, knowing the password, it will not be difficult to access the data. Therefore, it makes sense to move critical data to a separate partition, encrypt it using a key. The key on the flash drive is an unobvious file, (it should be absolutely incomprehensible to an outsider who has taken possession of the flash drive what exactly is the key). But the root is encrypted with a password, therefore, getting to /etc/crypttab, in which the partition is mounted (and the key is specified), without knowing the password, will not work
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question