I have luks set up on my server and it is kind of annoying to type the password at reboots (mostly power outages). Strictly speaking I do not need the luks, but I feel its good to have anyway. I was thinking of getting a yubikey and just leaving it on or at least telling a trusted family member where to get it and to plug it in when turning it on.
Has anyone over come a similar set up or issue?
For some clarity I am not a pro and the homelabing is mostly just a learning experience for me.
I have not used a yubikey for boot stuff as you describe, I am a fan in general though.
That said, I have a setup on my servers where there is full disk encryption and a password stored on a random file in a thumb drive or SD card of each machine. If the file / drive is removed I can always type a manual password as well to complete booting. And if I need to do a clean wipe I just delete the keys or intentionally corrupt that sector of the drive, instead of having to do forensic cleaning.
I’ve been mulling over this very idea for years, but I just haven’t gotten around to putting it into practice. Could you tell me how it works for you?
I recently finished setting this up on my system after having a plan to do it for years beforehand and never following through. It turned out to be quite a bit easier than I thought; LUKS has built-in support for keyfiles, so all you have to do is add the keyfile as a valid key for your disk, then modify the mount options to use the keyfile by default. There’s a dedicated option to fail over to password-based authentication as well.
The wagie in me likes this. Was it particularly difficult to set?
Not at all. Pretty sure I got the instructions from Arch wiki, typical passfile setup just a slightly unusual path