# Deniable Encryption using Luks

## irenicus09

I've heard in the past that it is possible to have a setup using LUKS where the header would reside on removable media along with the boot partition, and the hard drive would make use of full disk encryption with not even the LUKS header residing on it, thus giving the option of plausible deniability.

How can I get a setup like that? To be more specific, how do I move the LUKS header onto removable media and patch grub in a way so that they work as expected?

Thanks

----------

## Sadako

When creating a new LUKS mapping, you can simply pass the '--header /path/to/luks-header' option to cryptsetup. I hate to 'RTFM' you, but I do suggest reading the cryptsetup manual; pretty much everything you need to know about it is in there.

As for grub, no patching is necessary. You can simply follow the standard bootloader install guide in the handbook, the differences being that /boot will be on a USB device, the same device you'll want to install the bootloader itself onto, with / still being on your old hard drive.

Grub can work; syslinux is another bootloader more often used for booting from USB.

----------
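The `--header` usage from the answer above, as an added example that is not part of the original thread: it formats a device with a detached header, checks that the LUKS signature ended up in the header file and not on the data device, then opens the mapping. The device path, header path and mapping name are placeholders passed as arguments, and the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not from the thread. Arguments are placeholders:
#   $1 = data device, $2 = header file on the removable media, $3 = mapping name

# LUKS1 and LUKS2 headers both begin with the 6 bytes "LUKS" 0xBA 0xBE.
LUKS_MAGIC_HEX="4c554b53babe"

# Return 0 if the first 6 bytes of $1 are the LUKS magic, 1 otherwise.
has_luks_magic() {
    first=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$first" = "$LUKS_MAGIC_HEX" ]
}

# Create the mapping with the header written to a separate file.
# DESTROYS any existing data on the data device.
format_detached() {
    cryptsetup luksFormat --header "$2" "$1"
}

# Open the mapping; the header file must be supplied every time.
open_detached() {
    cryptsetup open --header "$2" "$1" "$3"
}

# Confirm the split: the header file carries the magic, the data device
# does not. Only the primary header location (offset 0) is checked.
verify_split() {
    has_luks_magic "$2" || { echo "no LUKS header in $2" >&2; return 1; }
    if has_luks_magic "$1"; then
        echo "LUKS header still present on $1" >&2
        return 2
    fi
    return 0
}

# Runs only when called as: script.sh /dev/sdX /mnt/usb/luks-header cryptroot
if [ "$#" -eq 3 ]; then
    format_detached "$1" "$2" && verify_split "$1" "$2" \
        && open_detached "$1" "$2" "$3"
fi
```

The header file holds the keyslots, so if the removable media is lost the data on the disk cannot be recovered; keep a backup copy of the header.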

