Using a Keyfile for Automatic Mounting of LUKS2 Encrypted Partitions

If you have a LUKS2-encrypted partition and want to use a keyfile for automatic mounting, follow the steps below. This guide assumes your disk is already encrypted with LUKS2.

1. Create a Keyfile

Start by generating a random keyfile. This file will be used to unlock the encrypted partition. Anyone who can read it can unlock the partition, which is why the second command restricts it to root.

sudo dd if=/dev/urandom of=/root/keyfile bs=4096 count=1
sudo chmod 600 /root/keyfile

2. Add the Keyfile to the LUKS Partition

Add the generated keyfile to your existing LUKS2-encrypted partition:

  • Replace /dev/sdb with the actual path of your LUKS-encrypted partition. You can verify the partition with lsblk or fdisk -l if unsure.
  • Enter your existing passphrase when prompted after the command.
sudo cryptsetup luksAddKey /dev/sdb /root/keyfile

3. Update /etc/crypttab

To ensure the encrypted partition is unlocked automatically at boot, edit the /etc/crypttab file and add the following line:

  • Replace <mapper_name> with the name you want to assign to the decrypted partition.
  • Replace /dev/sdb with your actual device path.
<mapper_name> /dev/sdb /root/keyfile luks

For example:

hdd2_crypt /dev/sdb /root/keyfile luks

4. Update /etc/fstab

Next, configure the system to mount the decrypted partition automatically by editing /etc/fstab:

  • Replace /dev/mapper/hdd2_crypt with the mapper name you chose in /etc/crypttab.
  • Adjust the mount point /home/hdd2 to your desired location.
  • The 0 2 at the end specifies that the partition should not be dumped (0) and that it should be checked by fsck after the root filesystem (2).
/dev/mapper/hdd2_crypt /home/hdd2 ext4 defaults 0 2

5. Reboot and Verify

Finally, reboot your system. Once the system restarts, verify that the partition is automatically unlocked and mounted at the specified mount point, either in your desktop environment's file manager or with the "df -h" command on the command line.
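As an added example (not from the original guide), the following script checks the pieces configured in steps 1 to 4 for consistency: every /dev/mapper filesystem in fstab must have a matching crypttab line, and the keyfile that crypttab points at must exist and be readable only by its owner. File paths are parameters so the checks can run on copies of the files; the mapper name hdd2_crypt is the one used in the guide.

```shell
#!/bin/sh
# Added example (not part of the original guide): consistency checks for a
# keyfile-unlocked LUKS volume, run against the crypttab and fstab files passed
# in so they can be exercised on copies or constructed samples. The mapper name
# "hdd2_crypt" and the paths below are only those used in the guide.

# Print the keyfile path configured in crypttab for a mapper name; fail if absent.
crypttab_keyfile() {
    # $1 = mapper name, $2 = crypttab file
    awk -v name="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == name { print $3; found = 1; exit }
        END { exit !found }' "$2"
}

# Every /dev/mapper/<name> filesystem in fstab needs a matching crypttab entry,
# otherwise the mount fails at boot because the device never appears.
check_fstab_mappers() {
    # $1 = fstab file, $2 = crypttab file
    status=0
    for name in $(awk 'NF == 0 || $1 ~ /^#/ { next }
                       $1 ~ /^\/dev\/mapper\// { sub("^/dev/mapper/", "", $1); print $1 }' "$1"); do
        if crypttab_keyfile "$name" "$2" >/dev/null; then
            echo "ok: $name has a crypttab entry"
        else
            echo "MISSING: $name is mounted from fstab but not listed in crypttab" >&2
            status=1
        fi
    done
    return $status
}

# The keyfile is equivalent to the passphrase: it must exist, be a regular file
# and be readable by its owner only (rw------- or r--------).
check_keyfile_perms() {
    # $1 = keyfile path
    [ -f "$1" ] || { echo "MISSING keyfile: $1" >&2; return 1; }
    mode=$(ls -ld "$1" | cut -c2-10)
    case "$mode" in
        rw-------|r--------) return 0 ;;
        *) echo "WEAK permissions on $1: $mode (expected rw-------)" >&2; return 1 ;;
    esac
}

# Stand-alone usage against the live system (needs root to read the keyfile):
#   check_fstab_mappers /etc/fstab /etc/crypttab &&
#   check_keyfile_perms "$(crypttab_keyfile hdd2_crypt /etc/crypttab)"
```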