Unlocking an encrypted installation using thumb drive

I am interested in unlocking my encrypted Manjaro installation using a USB disk drive. I have read many tutorials and either they are dated or not very concise. If anyone can lend a hand, I am more than eager to listen.

Regards,
Leo

That’s pretty vague.
What did you try that didn’t work for you?
I’d try the Arch wiki on how to set up an encrypted device.

… if it is a LUKS encrypted volume, the command to use to unlock it is
cryptsetup open …

I have not tried anything as I don’t want to brick my new installation. I was hoping someone had a modern, proven method to unlock a fully encrypted installation with a USB thumb drive upon boot, kind of like needing a key to get into a house. What I would like to do is, insert thumb drive into machine, turn machine on, have the machine recognize the thumb drive is present, use a secret key on that thumb drive to decrypt the root volume and finish boot to UI. As a backup, if thumb drive is not present when machine is powered on, ask for password to decrypt and then finish boot.

There is an Arch wiki covering this but it details so many different scenarios and methods in one article, it’s a bit overwhelming and not very concise. There are approaches using different distros but it’s hard, at least for me, to translate an approach for Fedora to Manjaro. I prefer Manjaro as I find it more versatile, evolved and maintained versus other distributions.

Thanks in advance…

Ah - so I misunderstood what you wanted to do.
I thought you just wanted to use the thumb drive to boot a live system and then access the encrypted drive from there …

As you said, the Arch wiki describes how to prepare a USB thumb drive with the key to unlock the encrypted partition(s).

I, personally, found this method impractical,
because I’d surely some day lose my thumb drive - or it will break or otherwise not function.

I don’t know whether it is easy to combine both methods as you seem to want to do.

It seems redundant and overly complex

and doesn’t add any value or added security -
as the installation can already boot without the key on the thumb drive.

But that is just my opinion.

… and: I can’t help you in achieving this - sorry!

Thank you anyways though!

Totally possible, just use

$ cryptsetup luksAddKey ...

to add multiple keys to your cryptdevice (one being the keyfile on the usb drive, another one being the password).

Try to get your head around this anyways, as this will be your system you’re setting up here.
Any screwup can lead to loss of data due to not being able to open/decrypt the encrypted device.

You don’t have to start with your system partition, just create an encrypted device in a file to practice and test. For example:

$ truncate /tmp/test-file --size 100M
$ cryptsetup luksFormat /tmp/test-file
$ sudo cryptsetup open /tmp/test-file test-encrypted
$ sudo mkfs -t ext4 /dev/mapper/test-encrypted
$ sudo cryptsetup close test-encrypted
$ cryptsetup luksAddKey /tmp/test-file /path/to/key-file

Now the cryptdevice residing in /tmp/test-file can be opened either via passphrase (given on creation) or via --key-file /path/to/key-file.

2 Likes
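The practice run from the post above, written as a non-interactive script that also checks that both keyslots (passphrase and key file) unlock the container. This is an added example, not part of the original post; it assumes cryptsetup 2.x and GNU coreutils, and the file names and the passphrase are constructed sample values.

```shell
#!/bin/sh
# Practice container with two keyslots: a passphrase and a key file.
# Nothing here touches a real disk; everything lives in a temp directory.

# Create a 4096-byte random key file that only its owner can read.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null ) &&
        chmod 400 "$1"
}

# Return 0 if the key material in file $2 (or on stdin when $2 is "-")
# unlocks a keyslot of container $1. --test-passphrase only verifies the
# key; it does not map a device, so no root is needed.
slot_unlocks() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

practice_run() {
    dir=$(mktemp -d) || return 1
    img=$dir/test-file                   # constructed sample path
    key=$dir/usb.key                     # stands in for the key on the thumb drive
    pass='constructed sample passphrase'
    truncate --size 100M "$img"
    make_keyfile "$key" || return 1
    # First keyslot: the passphrase (the fallback when the drive is absent).
    printf '%s' "$pass" |
        cryptsetup luksFormat --batch-mode --key-file - "$img" || return 1
    # Second keyslot: the key file, authorised with the existing passphrase.
    printf '%s' "$pass" |
        cryptsetup luksAddKey --key-file - "$img" "$key" || return 1
    # Both must open the container; a wrong passphrase must not.
    slot_unlocks "$img" "$key" && echo "key file: ok"
    printf '%s' "$pass" | slot_unlocks "$img" - && echo "passphrase: ok"
    printf '%s' 'wrong' | slot_unlocks "$img" - 2>/dev/null ||
        echo "wrong passphrase: rejected"
    cryptsetup luksDump "$img" | grep -A1 '^Keyslots:'
    rm -rf "$dir"
}

# Only run the cryptsetup steps when asked to: sh practice.sh run
if [ "${1:-}" = run ]; then practice_run; fi
```

Checking each slot with `--test-passphrase` before removing or changing any key is what guards against locking yourself out of the container.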

Awesome! I did as you instructed and it was a success! I will go back to the Arch wiki and try to wrap my head around it. This was very helpful to me and I appreciate it!

Thanks!