On 20/03/2021 17.43, Christopher de Vidal wrote:

> I am a newbie with this so go gentle please :-) I want to automagically
> mount a partition at boot. Is it secure to use the crypttab key field? I
> assume I would have to store the passphrase in plain text in the file
> specified in the key field, and since as I understand it the point of
> partition encryption is to prevent a malicious local user with physical
> access from reading the files, if the user can read the file specified
> in the key field, wouldn't they then be able to decrypt the partition?
> Seems to me like leaving the front door key under the doormat, but maybe
> I'm just ignorant of how it works. Please educate this newbie.

Suppose you have several encrypted partitions. One of them would be opened
normally, with a password. It would contain a file, which would be the key to
automatically open the other two partitions (which can also be opened manually
with their password). It is a trick for opening several partitions at boot
while entering only one password.

/etc/crypttab:

    cr_home   /dev/disk/by-id/ata-something-part5  none                                timeout=300,discard
    cr_data1  /dev/disk/by-partlabel/data_1_raw    /home/things/Keys/the_data_keyfile  auto

fstab:

    /dev/mapper/cr_home   /home         xfs  lazytime,exec,nofail       1 2
    /dev/mapper/cr_data1  /data/data_1  xfs  user,lazytime,exec,nofail  1 2

The keyfile has to be created once (4 KiB of random data, for example) and
added to the crypt:

    cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
    cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile /dev/sdc1 cr_cripta

There may be other uses, but that's the one I have.

You could have the keyfile stored on a USB stick. To open the partition you
would have to connect the USB stick first. A better procedure would be that the
system would also require a passphrase to proceed, but I don't know how to
achieve that (the mantra is one thing you have, one thing you know. Two
factors).

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.2 x86_64 at Telcontar)
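An added example, not from Carlos's mail: a small POSIX shell audit that parses a crypttab and fstab and reports, for each entry unlocked by a key file, whether that file sits on a filesystem that crypttab itself opens (the cr_home/cr_data1 layout above) or on an unencrypted one. The sample crypttab and fstab are constructed; the cr_bad entry and the /boot/keys/data2.key path are made up to show the failure case.

```shell
#!/bin/sh
# Added example, not from the original mail: audit which crypttab entries are
# unlocked by a key file and whether that file lives on a filesystem that is
# itself a dm-crypt volume opened by crypttab (the mail's pattern: the key for
# cr_data1 sits on cr_home, which is unlocked with a passphrase).
# Constructed sample crypttab/fstab modelled on the mail; cr_bad is made up to
# show the failure case (key file on the unencrypted /boot).
CRYPTTAB='cr_home   /dev/disk/by-id/ata-something-part5  none                                timeout=300,discard
cr_data1  /dev/disk/by-partlabel/data_1_raw    /home/things/Keys/the_data_keyfile  auto
cr_bad    /dev/disk/by-partlabel/data_2_raw    /boot/keys/data2.key                auto'
FSTAB='/dev/mapper/cr_home   /home         xfs   lazytime,exec,nofail       1 2
/dev/mapper/cr_data1  /data/data_1  xfs   user,lazytime,exec,nofail  1 2
/dev/sda1             /boot         ext4  defaults                   0 2'
# mount_for PATH: fstab device whose mount point is the longest prefix of PATH
mount_for() {
  path=$1; best=""; dev_best=""
  while read -r dev mnt _; do
    [ -n "$dev" ] || continue
    case "$path" in
      "$mnt"|"$mnt"/*) if [ ${#mnt} -gt ${#best} ]; then best=$mnt; dev_best=$dev; fi ;;
    esac
  done <<EOF
$FSTAB
EOF
  printf '%s\n' "$dev_best"
}
# keyfile_status KEYFILE: "protected" if the backing device is a /dev/mapper
# volume that crypttab itself opens, "exposed" otherwise.
keyfile_status() {
  dev=$(mount_for "$1")
  case "$dev" in /dev/mapper/*)
    name=${dev#/dev/mapper/}
    if printf '%s\n' "$CRYPTTAB" | awk -v n="$name" '$1==n{f=1} END{exit !f}'; then
      echo protected; return 0
    fi ;;
  esac
  echo exposed
}
# audit_crypttab: one report line per crypttab entry that uses a key file.
audit_crypttab() {
  while read -r name dev key _; do
    case "$key" in ""|none|-) continue ;; esac   # passphrase prompt, no key file
    printf '%-9s key=%-36s %s\n' "$name" "$key" "$(keyfile_status "$key")"
  done <<EOF
$CRYPTTAB
EOF
}
# count_exposed: number of key files that sit on an unencrypted filesystem.
count_exposed() { audit_crypttab | grep -c ' exposed$'; }
```

Run `audit_crypttab` to see the per-entry report; the check only tells you where the key file lives, not whether its permissions keep it root-only, so pair it with a look at the file's mode.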