• 7 Posts
  • 456 Comments
Joined 2 years ago
Cake day: July 8th, 2023




  • I’m not sure about the details, but as far as I know LUKS has a long internal key that is used to encrypt the whole drive. This master key is encrypted with your passphrase, and that encrypted key is stored on the drive.

    When you add a file as a key, the master key is encrypted using the binary contents of that file and stored as well. The contents of the file are basically an additional passphrase.

    So when it tries to decrypt the drive at boot, it first tries to use the key file you give it. When that fails, it asks for the passphrase.

    When you made the file EncryptedSD.txt, it did not contain the same binary data as the passphrase you created, probably due to an additional newline or two. To get around that, you add the whole file, as it is, as a valid decryption key.

    Often people might create an extra-long key on an extra USB stick. Or, if you want to decrypt the drive automatically with the option of setting up a passphrase later, you can initially create the volume with only a key file stored on the boot drive or so.
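The newline mismatch described in the comment above can be checked before touching the LUKS header. The following shell script is an added example, not code from the comment or from cryptsetup: it writes the same passphrase once with `printf '%s'` (exact bytes) and once the way `echo` would (with a trailing `\n`), and compares each file byte-for-byte against the passphrase. The `cryptsetup` invocations at the end use a hypothetical device path and are left as comments, since they need root and a real LUKS volume.

```shell
#!/bin/sh
# Added example (not part of the original comment).
# LUKS treats a key file's raw bytes as the secret, so a file created with
# `echo "pass" > file` holds "pass\n", which is NOT the same secret as the
# passphrase "pass" typed at the prompt.

# Write the passphrase exactly as typed, with no trailing newline.
# $1 = path, $2 = passphrase
write_keyfile_exact() {
    printf '%s' "$2" > "$1"
    chmod 0400 "$1"
}

# Write the passphrase the way `echo` does, with a trailing newline.
# $1 = path, $2 = passphrase
write_keyfile_with_newline() {
    printf '%s\n' "$2" > "$1"
    chmod 0400 "$1"
}

# Return 0 if the file's bytes are exactly the passphrase, 1 otherwise.
# $1 = path, $2 = passphrase
keyfile_matches_passphrase() {
    printf '%s' "$2" | cmp -s - "$1"
}

# Size of a file in bytes (wc -c, with padding stripped for portability).
keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# Stand-alone demonstration using a constructed passphrase in a temp dir.
demo() {
    d=$(mktemp -d)
    pw='correct horse battery staple'   # constructed sample passphrase

    write_keyfile_exact "$d/exact.key" "$pw"
    write_keyfile_with_newline "$d/echo.key" "$pw"

    for f in "$d/exact.key" "$d/echo.key"; do
        printf '%s: %s bytes, trailing bytes: ' "$f" "$(keyfile_size "$f")"
        tail -c 3 "$f" | od -An -c | tr -s ' '
        if keyfile_matches_passphrase "$f" "$pw"; then
            echo "  -> same bytes as the passphrase"
        else
            echo "  -> differs from the passphrase (would NOT unlock a passphrase slot)"
        fi
    done
    rm -rf "$d"
}

# On a real volume (hypothetical device /dev/sdX2, run as root; not executed here):
#   cryptsetup luksAddKey /dev/sdX2 EncryptedSD.key          # add the file's bytes as a new keyslot
#   cryptsetup open --key-file EncryptedSD.key /dev/sdX2 sd   # unlock using that slot
#   cryptsetup luksDump /dev/sdX2                             # list which keyslots are in use
# Generating a long random key file instead of a typed passphrase:
#   dd if=/dev/urandom of=EncryptedSD.key bs=64 count=1 && chmod 0400 EncryptedSD.key

demo
```

Once the file is registered as its own keyslot with `luksAddKey`, the trailing newline no longer matters, because LUKS then stores a copy of the master key wrapped with exactly those bytes; the mismatch only bites when you expect a file written with `echo` to open a slot that was created from the typed passphrase.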