Arch Linux : Decrypt system drive with USB Key and Keyfile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Arch Linux : Decrypt system drive with USB Key and Keyfile


arch linux, 1 hdd for root, 1 hdd for home, UEFI and GRUB.

USB Stick with 2 Partitions

/dev/sdb1	ext4		1MB	small partition for keyfile
/dev/sdb2	ext4 | fat	rest	remaining space for data

udev rule ensures that this stick is always named /dev/usbkey /dev/usbkey1 and /dev/usbkey2
  1. Prepare USB Srick: create partitions, make filesystems, create labels

    lsblk --> assume stick is /dev/sdb

    commands for fdisk /dev/sdb:

     Enter (default 1)
     Enter (default 2)
     mkfs.ext4 /dev/sdb1
     mkfs.ext4 /dev/sdb2

Label the USB stick depends on which filesystem you want: check:

e2label /dev/sdb1 USBKEY
e2label /dev/sdb2 USBDATA
  1. Create udev rule for the usb stick

Show serial number of usb stick:

udevadm info -a -p `udevadm info -q path -n /dev/sdb` | grep ATTRS{serial}

check product name:

udevadm info -a -p `udevadm info -q path -n /dev/sdb` | grep ATTRS{product}

Create udev rule file in /etc/udev/rules.d/:

touch /etc/udev/rules.d/50-myusb.rules

Use for ATTRS{serial} the determined serial number from the above steps.

Add to /etc/udev/rules.d/50-myusb.rules (SYMLINK is the devicename):

SUBSYSTEMS=="usb", ATTRS{serial}=="14AB0000000096", KERNEL=="sd*", SYMLINK+="usbkey%n"

Reload udev rules:

udevadm control --reload-rules

Now your USB stick is known as /dev/usbkey, /dev/usbkey1, /dev/usbkey2 You can check this with:

ls /dev/usbkey*
  1. Write Keyfile to /dev/sdb1 and add the keyfile to a channel for luks decrypt

     mkdir /mnt/usbkey
     mount /dev/usbkey1	/mnt/usbkey
     dd if=/dev/urandom of=/mnt/usbkey/archkey bs=512 count=4

    Enable keyfile decryption for your system drive /dev/sda2:

     cryptsetup luksAddKey /dev/sda2 /mnt/usbkey/archkey 

    Add the udev rule to /etc/mkinitcpio.conf:


    Check HOOKS="..." contains block before encrypt.

    Create new:

     mkinitcpio -p linux
  2. Adjust GRUB to use the keyfile on the USB stick

    Edit /etc/default/grub:

     vim /etc/default/grub

    Append to GRUB_CMDLINE_LINUX="...":


    E.g.: (notice that You have to use your specified name in udev rule. NOT /dev/sdb1 !)

     GRUB_CMDLINE_LINUX=" ... cryptkey=/dev/usbkey1:ext4:archkey"