Hi everyone,
only the directory /home was encrypted with LUKS, it works fine with my decryption at startup.
But journalctl -b -p 3 shows:
systemd-cryptsetup: Failed to activate, key file `/crypto_keyfile.bin` missing
Can I ignore it?
It is related to old issues
Disable reading the key file at startup: in /etc/crypttab, change /crypto_keyfile.bin to none
journalctl
OR
If you want to activate this key file crypto_keyfile.bin at startup without entering your password (like automatic entry): → bad security
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
chmod 000 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/sdX# /crypto_keyfile.bin
If only your /home is encrypted, then adding a key file to / is not a good idea and makes the encryption useless.
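A small check for the situation discussed above, as an added example that is not part of the original thread: it reads a crypttab file and reports, per entry, whether the volume unlocks by passphrase or by a key file, and whether that key file exists. The function name audit_crypttab, its optional ROOT prefix argument and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify how each crypttab entry obtains its key.
# Usage: audit_crypttab FILE [ROOT]
# ROOT is a hypothetical path prefix so the check can run against a copy
# of a filesystem tree; leave it empty on a live system.
audit_crypttab() {
    tab=$1
    root=${2:-}
    # crypttab fields: name, device, key file, options
    while read -r name device key opts || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        case $key in
            ''|none|-)
                # no key file: the passphrase is asked for at boot
                echo "$name passphrase" ;;
            /dev/random|/dev/urandom)
                # throwaway key, typically used for swap
                echo "$name random-key" ;;
            *)
                # a key file path: review where it is stored
                if [ -e "$root$key" ]; then
                    echo "$name keyfile-present $key"
                else
                    # this is the case that produces the journal error
                    echo "$name keyfile-missing $key"
                fi ;;
        esac
    done < "$tab"
}

# Constructed sample: the entry from this thread next to the corrected one.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# <name> <device> <key file> <options>' \
        'luks-home UUID=0000-constructed /crypto_keyfile.bin luks' \
        'luks-fixed UUID=1111-constructed none luks' > "$d/crypttab"
    audit_crypttab "$d/crypttab" "$d"
    rm -rf "$d"
}
demo
```

An entry reported as keyfile-present is the one to review: if the key file sits on an unencrypted filesystem, anyone holding the disk can read it.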
But why is /crypto_keyfile.bin in the conf file /etc/crypttab by default after installation?
Maybe it would be for a lazy person who doesn’t want to manually enter a password for decryption at boot.
We had a discussion recently about this key file: Why does the installer add a paswordless key to LUKS-encrypted partition? - #9 by winnie
However, convenience is great but why do you encrypt a partition but keep the key in an unencrypted partition? Against what are you protecting your data? Anyone with access to your physical hard disk, for which the encryption is the only protection, can just use this file to decrypt your data.
Yes, right.
Of course I used the first solution.
I already knew that a passwordless key file is bad security in an unencrypted partition, but lazy people do not think everyone knows how to crack it except computer scientists, if their device was stolen.
If you argue like that, you could also just use ext4 which is not supported right away in Windows