
Hello fellow Guix users,

I want to decrypt a LUKS-encrypted device from a keyfile that is stored in a USB drive upon boot. The goal of this setup is to have the USB drive act like a key, and the computer cannot be decrypted without it. The process goes something like this:

  1. Insert USB drive containing keyfile.
  2. Boot computer.
  3. USB drive is automatically mounted.
  4. LUKS volumes are decrypted using the keyfile from the USB.

The Guix manual mentions that this keyfile can be declared in luks-device-mapping as an argument called #:key-file. However, it does not go into further detail on how to make this file available during boot:

Key file is not stored in the store and needs to be available at the given location at the time of the unlock attempt.

Does anyone have a working configuration? Or can anyone at least point me in the right direction?

Any help would be greatly appreciated.
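For readers who want to see what the #:key-file option the post refers to looks like in a system declaration, here is an added example (not from this thread or from the Guix manual itself). It uses luks-device-mapping-with-options from Guix's (gnu system mapped-devices); the UUID and key-file path are placeholders, and it assumes the key file is reachable at that path from the initrd at unlock time, which is exactly the part the post leaves open.

```scheme
(use-modules (gnu))   ; re-exports mapped-devices, file-systems, linux-initrd

;; Placeholder LUKS volume UUID (not a real device).
(define %root-mapping
  (mapped-device
   (source (uuid "00000000-0000-0000-0000-000000000000"))
   (target "cryptroot")
   ;; #:key-file is a path, not a store item: the initrd must be able to
   ;; read it when cryptsetup runs.  "/keys/luks-root.key" is a placeholder.
   (type (luks-device-mapping-with-options
          #:key-file "/keys/luks-root.key"))))

(define %root-fs
  (file-system
   (mount-point "/")
   (device "/dev/mapper/cryptroot")
   (type "ext4")
   ;; Open the LUKS mapping before trying to mount the file system on it.
   (dependencies (list %root-mapping))))

;; Fields to add to the operating-system declaration (other fields omitted):
;;
;;   (mapped-devices (list %root-mapping))
;;   (file-systems (cons %root-fs %base-file-systems))
;;   ;; Load USB mass-storage support in the initrd; without it the USB key
;;   ;; drive is not even visible before the root file system is unlocked.
;;   (initrd-modules (append '("usb-storage") %base-initrd-modules))
```

Declaring the key file this way only tells the initrd where to look; making the USB drive's file system appear at that path inside the initrd is a separate step that this fragment does not provide.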

[-] moonpiedumplings@programming.dev 2 points 23 hours ago

I recommend taking a look at this page: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system

This is probably what you want: https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header

Or this: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Plain_dm-crypt

Which describes how to do what you want on Arch Linux. You will have to find some of the analogous docs for Guix.

Okay, upon careful reading, it looks like the option you linked might not be what you want. What you might need is to tinker with the initramfs and the bootloader (explanation on archwiki here*) to find the key from the USB.

Guix does have options for the initramfs: https://guix.gnu.org/manual/devel/en/guix.html#Initial-RAM-Disk-1

You may also have to configure kernel parameters via the bootloader: https://guix.gnu.org/manual/devel/en/guix.html#Bootloader-Configuration-1 (but I didn't see an option for kernel parameters in there).

There is also this for setting kernel parameters: https://guix.gnu.org/manual/devel/en/guix.html#System-Control-Service, but I suspect sysctl is too slow and will activate too late for your needs.

*You should probably read this page if you are unfamiliar with the Linux boot process. It works the same on Guix, it's just configured differently.

[-] foster@lemmy.hangdaan.com 1 points 10 hours ago

The initial RAM disk seems to be what I need. I'll need some time to experiment with it. I'll be reporting back here when I arrive at a solution.

I appreciate the help. Thank you! 🙏

this post was submitted on 25 May 2026