Hello fellow Guix users,

I want to decrypt a LUKS-encrypted device from a keyfile that is stored in a USB drive upon boot. The goal of this setup is to have the USB drive act like a key, and the computer cannot be decrypted without it. The process goes something like this:

  1. Insert USB drive containing keyfile.
  2. Boot computer.
  3. USB drive is automatically mounted.
  4. LUKS volumes are decrypted using the keyfile from the USB.

The Guix manual mentions that this keyfile can be declared in luks-device-mapping as an argument called #:key-file. However, it does not go into further detail on how to make this file available during boot:

> Key file is not stored in the store and needs to be available at the given location at the time of the unlock attempt.

Does anyone have a working configuration? Or can at least point me in the right direction?

Any help would be greatly appreciated.

foster@lemmy.hangdaan.com 1 points 16 hours ago

The initial RAM disk seems to be what I need. I'll need some time to experiment with it. I'll be reporting back here when I arrive at a solution.

I appreciate the help. Thank you! 🙏

this post was submitted on 25 May 2026
8 points (90.0% liked)