Authenticating LUKS and system with USB
The end result will look like this: if a certain USB stick is plugged into the computer,
(a) LUKS Full Disk Encryption will unlock without prompting for a password on boot,
(b) Login and sudo will not require passwords.
If the USB stick is unplugged, the system will revert to demanding regular passwords.
We'll first cover (a), which will require setting up a keyfile on the USB stick and configuring LUKS.
Then we'll discuss (b), which is very easy thanks to the pam_usb project. This guide uses Arch Linux, but as configuration is mostly low-level, things should work similarly for other distributions.
Preparing Keyfile and USB stick Prerequisites are an already configured LUKS setup accessible with an ordinary passphrase. The strategy will be to add a second key to the encrypted partition that will be sufficient to unlock the device. This key will be present as a keyfile and be stored on the USB drive. Then, we'll tell LUKS about this second keyfile and how to access it. But first, we'll generate the keyfile
$ dd if=/dev/urandom bs=1 count=256 > luks_keyfile.bin
$ sudo blkid | grep crypto_LUKS
# cryptsetup luksAddKey /dev/nvme0n1p1 luks_keyfile.bin
$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 29.3G 0 disk
ââsda1 8:1 1 29.3G 0 part /run/media/simon/USBKEY
Copy the keyfile to it
$ sudo cp luks_keyfile.bin /run/media/simon/USBKEY/
$ sudo blkid | grep sda1
/dev/sda1: UUID="F7B7-F9E8" BLOCK_SIZE="512" TYPE="exfat" PARTUUID="333a96b6-01"
# cat /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=c6804a74-1ba3-4a0f-8865-1db2ad9885ab:root root=/dev/mapper/root rw
options cryptdevice=UUID=c6804a74-1ba3-4a0f-8865-1db2ad9885ab:root cryptkey=UUID=F7B7-F9E8:exfat:/luks_keyfile.bin root=/dev/mapper/root rw
The last step is to add the exfat module in /etc/mkinitcpio.conf
# sudo nano /etc/mkinitcpio.conf
# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(piix ide_disk reiserfs)
MODULES=(exfat)
# sudo mkinitcpio -P
To use the same USB stick to save us from having to enter passwords when it is plugged in by configuring Linux PAM. First, we install the pam_usb module from the AUR. Then, using an arbitrary DeviceName and having the USB stick plugged in, we enroll it:
# pamusb-conf --add-device DeviceName
# pamusb-conf --add-user simon
auth sufficient pam_usb.so
#%PAM-1.0
auth required pam_faillock.so preauth
auth sufficient pam_usb.so
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so nullok
Security Implications An important security implication is that the key is not only stored on the USB device, but that anyone can retrieve it.
These ensure that the key never leaves the device, and authenticate themselves not by transmitting the key, but proving ownership of the key by means of some challenge-response mechanism. The implication is that if you leave the usb stick sitting on your desk, an attacker could simply copy the key and gain access to your system.
If you ever lose the USB stick, or think that the key is compromised, you can simply remove the key using cryptsetup luksKillSlot.
Posted
15:38 07-09-2025