# adding keyfile to LUKS partition

## Ruffman

I have encrypted my /home and /swap partitions mainly following this guide.

I read in the Gentoo dm-crypt wiki that I can add up to 8 passwords/keyfiles, but I can't figure out how. My /home on partition /dev/sda7 is mapped to /dev/mapper/home, and I want to add a keyfile to it that is loaded from a USB stick. What are the steps I have to do? Is it possible to change passwords or keyfiles once they are set?

----------

## Hu

Use cryptsetup to manage the keys of a LUKS volume.  You want luksAddKey, which will first require you to give an existing valid password to unlock the volume key.  You can also use cryptsetup to remove previously valid passwords.

----------

## Ruffman

Thx.

If I add a key with luksAddKey, it's stored in (I assume) slot 2. But I can't get the right syntax:

`cryptsetup luksAddKey /dev/mapper/home /path/to/key/on/usb` will work (at least it seems so), but it is not recognized on boot, or I am not asked for it on mount.

There is a config in /etc/conf.d/dmcrypt where I store the information for the password. Can I simply add an entry there with the same source and target but with an additional key entry? Does it take the key on USB on boot, but fall back to the password if no key was found?

----------

## Hu

Have you looked at the examples in /etc/conf.d/dmcrypt?

```
## /home with regular keyfile
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'

## /home with regular keyfile on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
#remdev='/dev/sda1'

##/home with gpg protected key on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
#remdev='/dev/sda1'
```

I think at least one of these will match the behavior you want.

----------

## Ruffman

I saw these examples, but I didn't see a "/home with regular key on removable media or password fallback" option.

So if I add the "/home with regular key on removable media" option, I'm not sure if it will fall back to a password if no media is present? Can I run a batch script inside it to determine first if a key on USB is present, and if not, set the "normal" password decryption?

----------

## lduser

*Ruffman wrote:*

> I saw these examples, but I didn't see a "/home with regular key on removable media or password fallback" option
>
> So if I add the "/home with regular key on removable media" option, I'm not sure if it will fall back to a password if no media is present? Can I run a batch script inside it to determine first if a key on USB is present, and if not, set the "normal" password decryption?

Perhaps you need to set up `remdev':

```
remdev='/dev/disk/by-uuid/bla-bla-bla-bla'
```

To find out the UUID of the device:

```
blkid /dev/your_usb_dev
```

----------

## Ruffman

So is it possible to add a simple bash statement like the following inside this config?

```
if [ -f /dev/disk/by-uuid/uuidfromUSB ] ; then
  #config for key
else
  #config for password
fi
```

----------

## lduser

*Ruffman wrote:*

> So is it possible to add a simple bash statement like the following inside this config?
>
> ```
> if [ -f /dev/disk/by-uuid/uuidfromUSB ] ; then
>
> ...

I think you can do it not in `/etc/conf.d/dmcrypt', but in `/etc/init.d/dmcrypt'.

PS:

And you need to change the flag `f' to `b' to check for a block device:

```
if [ -b "/dev/disk/by-uuid/uuidfromUSB" ] ; then
  #config for key
else
  #config for password
fi
```

----------

## Ruffman

Sorry, I can't get it. I cannot put a bash if/else inside conf.d, but I can inside init.d... OK, but is it the EXACT same config? I wouldn't think that init.d takes variables like 'target' or 'source'?!

----------

