Debian – Full disk encryption with password-less authentication in Linux


I have a fairly standard disk encryption setup in Debian 5.0.5: an unencrypted /boot partition and an encrypted sdaX_crypt that contains all other partitions.

Now, this is a headless server installation and I want to be able to boot it without a keyboard (right now I can boot it only with a keyboard and a monitor attached).

So far I have an idea of moving the /boot partition to a USB drive and making slight modifications to auto-enter the key (I think there is just a call to askpass in the boot script somewhere). This way I can boot headless; I just need to have a flash drive in at boot time.

As I see it, the problem with it is that

  1. I need to invest time into figuring out all bits and pieces to make it work,
  2. If there is an update, which regenerates initrd, I need to regenerate the boot partition on the USB, which seems tedious.

The question: is there a standard low-upkeep solution available for what I want to do? Or should I be looking elsewhere altogether?

Best Answer

You can set up your system to require a key instead of a password and change some scripts to search for this key on a USB stick. I found a detailed explanation for this process on Debian Lenny. There are some notes at the end that describe necessary changes for newer versions of Debian.
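
One way to do what the answer describes with stock Debian tooling, as an added example that is not from the original answer or the guide it refers to: enrol a key file in a spare LUKS key slot and point /etc/crypttab at it through the cryptsetup package's passdev keyscript. It assumes a current Debian cryptsetup package, an ext-formatted stick labelled KEYS and mounted at /mnt/keys, and /dev/sda2 as a placeholder for the LUKS partition; all of these names are hypothetical.

```shell
#!/bin/sh
# Added example: enrol a key file for an existing LUKS volume and build the
# /etc/crypttab line that lets the initramfs read it from a USB stick.
# Assumed names (not from the page): label KEYS, /root.key, /mnt/keys, /dev/sda2.
set -eu

# Create a 64-byte random key file readable by its owner only.
make_keyfile() {
    ( umask 077; head -c 64 /dev/urandom > "$1" )
    chmod 0400 "$1"
}

# Refuse key files that are too short or readable by group/others (GNU stat).
check_keyfile() {
    [ -f "$1" ] || return 1
    [ "$(($(wc -c < "$1")))" -ge 64 ] || return 1
    case "$(stat -c %a "$1")" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# crypttab fields: <name> <source> <key> <options>. With the passdev keyscript
# the key field is <device>:<path on that device>[:<timeout in seconds>].
crypttab_entry() {
    printf '%s UUID=%s /dev/disk/by-label/%s:%s:%s luks,keyscript=/lib/cryptsetup/scripts/passdev\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Run as root with "--apply" once the stick is mounted at /mnt/keys.
if [ "${1:-}" = "--apply" ]; then
    LUKS_DEV=/dev/sda2                      # placeholder: your LUKS partition
    make_keyfile /mnt/keys/root.key
    check_keyfile /mnt/keys/root.key
    # Adds a key slot; the existing passphrase stays valid as a fallback.
    cryptsetup luksAddKey "$LUKS_DEV" /mnt/keys/root.key
    # Replace the volume's existing line in /etc/crypttab with this one,
    # then rebuild the initramfs with: update-initramfs -u
    crypttab_entry sdaX_crypt "$(blkid -s UUID -o value "$LUKS_DEV")" KEYS /root.key 10
fi
```

Whoever holds the stick can unlock the disk, so it is best removed once the server has booted and stored apart from the machine.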
