Using a USB key instead of a password


When a libvirt hypervisor has to be rebooted and its root disk is encrypted, typing a password is often inconvenient because there is no keyboard and screen attached to it. Instead, the password can be stored on a USB key that is plugged in during the reboot process and removed when the reboot is complete.

This setup relies on the passdev script.

The USB key needs an ext4 partition labeled password (the label is what /dev/disk/by-label/password refers to in /etc/crypttab below). It can be created with gnome-disks.


And the password file added to it with:

echo -n supersecret > /media/loic/password/password.txt

On the machine with the encrypted disk, replace the line in /etc/crypttab that looks like this:

sda5_crypt UUID=1327ebfe-3369-4409-bfff-93dd088241fd none luks,discard

With another that looks like this:

sda5_crypt UUID=1327ebfe-3369-4409-bfff-93dd088241fd /dev/disk/by-label/password:/password.txt:15 luks,discard,keyscript=/lib/cryptsetup/scripts/passdev

The initramfs must then be updated as follows:

$ update-initramfs -k all -u
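
The following shell functions are an added example, not part of the original post: they check that a crypttab entry uses passdev with a key field of the form device:path[:timeout], and detect a key file that ends with a newline, which the "echo -n" above avoids. The function names and sample values are made up for illustration, and the parser assumes the device path contains no colon.

```shell
#!/bin/sh
# Added example: checks to run before rebooting with a passdev entry.
# All sample values below are constructed, not taken from a real system.

# Print "device path timeout" for a crypttab line that uses passdev.
# Returns 1 if the line has no passdev keyscript option or if its key
# field is not of the form device:path[:timeout].
parse_passdev_entry() {
    # crypttab columns: name, source device, key field, options
    read -r pd_name pd_src pd_key pd_opts pd_extra <<EOF
$1
EOF
    case ",$pd_opts," in
        *,keyscript=*/passdev,*) ;;
        *) return 1 ;;
    esac
    pd_dev=${pd_key%%:*}
    pd_rest=${pd_key#*:}
    [ "$pd_rest" != "$pd_key" ] || return 1          # no ':' at all
    pd_path=${pd_rest%%:*}
    pd_timeout=${pd_rest#*:}
    [ "$pd_timeout" != "$pd_rest" ] || pd_timeout="" # timeout omitted
    [ -n "$pd_dev" ] && [ -n "$pd_path" ] || return 1
    case $pd_timeout in *[!0-9]*) return 1 ;; esac   # must be numeric
    echo "$pd_dev $pd_path ${pd_timeout:-none}"
}

# Return 0 if FILE ends with a newline byte. The key file's bytes are
# used as the key as-is, so a trailing newline would become part of it
# and the key would no longer match the passphrase typed at a prompt.
key_ends_with_newline() {
    [ -s "$1" ] || return 1
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 0a ]
}

# Demo on constructed input (placeholder UUID and volume name).
demo_line='sdX_crypt UUID=00000000-0000-0000-0000-000000000000 /dev/disk/by-label/password:/password.txt:15 luks,discard,keyscript=/lib/cryptsetup/scripts/passdev'
parse_passdev_entry "$demo_line"

demo_key=$(mktemp)
printf 'supersecret\n' > "$demo_key"   # what a plain "echo" would write
if key_ends_with_newline "$demo_key"; then
    echo "warning: key file ends with a newline"
fi
rm -f "$demo_key"
```
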


