Failed to activate key file because crypto_keyfile missing

Hi everyone,

only the directory /home was encrypted with LUKS, it works fine with my decryption at startup.
But journalctl -b -p 3 shows:

systemd-cryptsetup: Failed to activate, key file `/crypto_keyfile.bin` missing

Can I ignore it?

It is related to old issues

Disable to read the key file at startup:

  • Edit /etc/crypttab:
  • Change /crypto_keyfile.bin to none
  • Restart
  • No error appears in the logger journalctl


If you want to activate this key file crypto_keyfile.bin at startup without entering your password (like automatic entry): → bad security

 dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
 chmod 000 /crypto_keyfile.bin
 chmod 600 /boot/initramfs-linux*
 cryptsetup luksAddKey /dev/sdX# /crypto_keyfile.bin

If only your /home is encrypted, then adding a key file to / is not a good idea and makes the encryption useless.

1 Like

But why is /crypto_keyfile.bin in the conf file /etc/crypttab by default after installation?

Maybe it would be for lazy person who doesn’t want to manually enter password for decryption at boot.

We had a discussion recently about this key file: Why does the installer add a paswordless key to LUKS-encrypted partition? - #9 by winnie

However, convenience is great but why do you encrypt a partition but keep the key in an unencrypted partition? Against what are you protecting your data? Anyone with access to your physical hard disk, for which the encryption is the only protection, can just use this file to decrypt your data.

Yes, right.
Of course I used the first solution.
I already knew that a passwordless key file is bad security in an unencrypted partition, but lazy people does not think everyone knows how to crack it except computer scientists, if his device was stolen.

If you argue like that, you could also just use ext4 which is not supported right away in Windows :grin:

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.