# How dm-crypt with key file works?

## dustfinger

Hi,

I am interested in setting up a full disk encrypted gentoo box. I am looking at two different approaches to the problem, both using dm-crypt. 

1. The first approach is the one presented on the gentoo wiki and uses a key file: http://wiki.gentoo.org/wiki/DM-Crypt_LUKS

2. The other approach uses a pass phrase: 

http://linux.arantius.com/installing-gentoo-into-a-luks-encrypted-zfs-root

In the second case it is clear to me the user's role in decrypting the drives as the system boots up. The system will prompt the user for the pass phrase. If the user enters the correct pass phrase then the system will decrypt the drives and boot gentoo. The first case is where I am not fully clear. The system requires a key to decrypt the drives before boot. Where does the user keep that key? A USB? How does the user tell the system where and how to use that key? I know that the instructions mention that the initrd will have to be passed parameters to tell it how to decrypt the drive, but the example parameters seem to only tell it where the drive is:

```
title Gentoo Linux 3.4.0-gentoo

root (hd0,0)

kernel /boot/kernel-3.4.0-gentoo crypt_root=UUID=<encrypted partition uuid> root=/dev/mapper/root

initrd /boot/initramfs-3.4.0-gentoo
```

So can someone please explain how the user interacts with the system so that the system knows how to decrypt the drive and boot gentoo. I am lost.

Thank you kindly in advance.

Sincerely,

dustfinger

----------

## Hu

It depends on how the initramfs is designed.  You could have an initramfs that mounts an external USB stick, either at a known name or by searching available devices.  You could download the encrypted key from network storage and get a passphrase from the user to unlock it.  You could download an unencrypted key from network storage if your threat model only deals with preventing the system from being usable outside your network.  The most logical is to store the key on an external USB, and usually to have the key encrypted.  In that model, unlocking the drive requires the presence of the USB stick and knowledge of the password that protects the key stored on the stick.

----------

## umka69

How do I build an initramfs that could use an encrypted key from USB? I need it too.

I know that all of /boot can be on the USB, but I would like to have only the key there.
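The scheme Hu describes (an initramfs that mounts a USB stick, decrypts a passphrase-protected key and unlocks the LUKS root) and umka69's follow-up question about building such an initramfs, sketched as an added shell example. This is not code from the Gentoo wiki, from genkernel or from any poster in this thread; it assumes a hand-written `/init` that reads two invented kernel parameters, `crypt_keydev=` (device, `LABEL=` or `UUID=` of the stick) and `crypt_key=` (file name on the stick), alongside the `crypt_root=` from dustfinger's grub entry, and that `gpg`, `cryptsetup` and the `/dev/disk/by-*` symlinks are available inside the initramfs.

```shell
#!/bin/sh
# Added example of an initramfs /init fragment for a USB-held, GPG-encrypted LUKS key.
# Assumed kernel parameters (crypt_keydev= and crypt_key= are invented for this example):
#   crypt_root=UUID=...      block device holding the LUKS root
#   crypt_keydev=LABEL=...   the USB stick (also accepts UUID=... or a /dev path)
#   crypt_key=<file>         GPG-encrypted key file on the stick (default root.key.gpg)

# Print the value of parameter $2 from the kernel command line given in $1.
# Returns 1 (prints nothing) if the parameter is absent.
cmdline_param() {
    cmdline="$1"; name="$2"
    for word in $cmdline; do
        case "$word" in
            "$name"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Map UUID=/LABEL= specs onto the /dev/disk/by-* symlinks; pass plain paths through.
resolve_dev() {
    case "$1" in
        UUID=*)  printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        LABEL=*) printf '/dev/disk/by-label/%s\n' "${1#LABEL=}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Wait up to $2 seconds for device node $1 to appear (USB enumeration is slow at boot).
wait_for_dev() {
    i=0
    while [ ! -e "$1" ] && [ "$i" -lt "$2" ]; do sleep 1; i=$((i + 1)); done
    [ -e "$1" ]
}

# Mount the stick read-only, let gpg ask for the passphrase on the console, and feed
# the decrypted key straight into cryptsetup; the plaintext key only ever lives in a pipe.
unlock_root() {
    cmdline=$(cat /proc/cmdline)
    root_spec=$(cmdline_param "$cmdline" crypt_root)   || { echo "crypt_root= missing"; return 1; }
    key_spec=$(cmdline_param "$cmdline" crypt_keydev)  || { echo "crypt_keydev= missing"; return 1; }
    key_file=$(cmdline_param "$cmdline" crypt_key)     || key_file=root.key.gpg
    root_dev=$(resolve_dev "$root_spec")
    key_dev=$(resolve_dev "$key_spec")
    wait_for_dev "$key_dev" 10 || { echo "key device $key_dev not found"; return 1; }
    mkdir -p /mnt/key
    mount -o ro "$key_dev" /mnt/key || return 1
    gpg --quiet --decrypt "/mnt/key/$key_file" | cryptsetup --key-file=- luksOpen "$root_dev" root
    status=$?
    umount /mnt/key
    return $status
}

# One-time setup on the installed system: generate a random key, encrypt it with a
# passphrase onto the stick mounted at $1, and enrol it in a spare slot of LUKS device $2
# (cryptsetup prompts for an existing passphrase). The temp file should be on tmpfs.
make_key() {
    stick="$1"; luks_dev="$2"; key_file="${3:-root.key.gpg}"
    umask 077
    tmp=$(mktemp) || return 1
    dd if=/dev/urandom of="$tmp" bs=64 count=1 2>/dev/null
    gpg --symmetric --cipher-algo AES256 --output "$stick/$key_file" "$tmp" &&
        cryptsetup luksAddKey "$luks_dev" "$tmp"
    status=$?
    shred -u "$tmp" 2>/dev/null || rm -f "$tmp"
    return $status
}

# Dispatch: `sh init.sh unlock` inside the initramfs, `sh init.sh make-key /mnt/usb /dev/sdaX`
# once on the installed system. With no argument the functions are only defined.
case "${1:-}" in
    unlock)   unlock_root ;;
    make-key) make_key "$2" "$3" "$4" ;;
esac
```

With this layout the grub entry from the first post would gain `crypt_keydev=LABEL=KEYSTICK crypt_key=root.key.gpg` on the `kernel` line, and the original passphrase remains in its own LUKS slot as a fallback if the stick is lost; unlocking requires both possession of the stick and the passphrase that protects the key file on it.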

----------

