Hi folks,
I have Alpine Linux installed in an encrypted LUKS partition. I came across this tutorial which shows how to setup a key in a USB drive and when the drive is inserted and the computer booted, the LUKS partition auto-unlocks with the key on the USB drive.
I would like to setup the same thing but I do not have Alpine linux installed on ZFS, so I’m looking for ways to adapt the instructions.
So far, what I’ve done is:
- I’ve setup the key on the usb stick and I can unlock the LUKS partition with that key.
- create a /etc/mkinitfs/features.d/usb-unlock.sh script with the following content:
(the echo to /dev/kmsg was to check whether the script did indeed run at boot by trying to print to the kernel messages but I can’t find anything in the kernel messages).
#!/bin/sh
echo "usb-unlock script starting..." > /dev/kmsg
USB_MOUNT="/mnt/my-usb-key" # The USB stick mounting point
LUKS_KEY_FILE="awesome.key"  # The name of your keyfile on the USB stick
mkdir -p "$USB_MOUNT"        # the mount point does not exist yet in a fresh initramfs
# Search for the USB stick with the key (glob directly instead of parsing ls output)
for device in /dev/disk/by-uuid/*; do
    mount -o ro "$device" "$USB_MOUNT" 2>/dev/null || continue
    if [ -f "$USB_MOUNT/$LUKS_KEY_FILE" ]; then
        # Unlock the LUKS partition, then release the stick before leaving
        cryptsetup luksOpen /dev/sda3 cryptroot \
            --key-file "$USB_MOUNT/$LUKS_KEY_FILE" && umount "$USB_MOUNT" && exit 0
    fi
    umount "$USB_MOUNT"
done
echo "No USB key found, falling back to password prompt." # this message never appears, despite not having found the key on the usb stick
echo "usb-unlock script ending." > /dev/kmsg
- I added usb-unlock to the features in mkinitfs.conf:
mytestalpine:~# cat /etc/mkinitfs/mkinitfs.conf 
features="ata base ide scsi usb virtio ext4 cryptsetup keymap usb-unlock"
- run mkinitfs to rebuild the initramfs. Then reboot to test the implementation, which was unsuccessful.
What am I missing / doing wrong? Thank you for your help!
Edit: forgot to add step 4
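A hardened version of the same unlock logic, added here as an example and not taken from the post or from Alpine's mkinitfs: it waits for the stick to enumerate, mounts only the filesystem whose UUID is configured (instead of every device under /dev/disk/by-uuid), mounts it read-only with nosuid/nodev/noexec, always unmounts, and returns non-zero so the caller can fall back to the passphrase prompt. KEY_FS_UUID is a placeholder to fill in; the device, mapper name, key file and mount point follow the post, and how the function is invoked from the initramfs is left to the surrounding init.

```shell
#!/bin/sh
# Added example (not the poster's script): USB keyfile unlock with a fixed
# target UUID, read-only mount, guaranteed unmount and a non-zero return
# so the caller can fall back to the passphrase prompt.
KEY_FS_UUID="REPLACE-WITH-KEY-STICK-FS-UUID"   # placeholder: filesystem UUID of the stick
LUKS_DEV="/dev/sda3"                           # as in the post
MAPPER_NAME="cryptroot"
KEY_FILE="awesome.key"
USB_MOUNT="/mnt/my-usb-key"
BY_UUID_DIR="/dev/disk/by-uuid"
WAIT_SECS=10                                   # USB enumeration can lag behind init
KMSG="/dev/kmsg"

log() { echo "usb-unlock: $*" >> "$KMSG" 2>/dev/null || true; }

# Wait up to WAIT_SECS seconds for the expected device node to appear.
wait_for_key_device() {
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        [ -e "$BY_UUID_DIR/$KEY_FS_UUID" ] && return 0
        i=$((i + 1)); sleep 1
    done
    [ -e "$BY_UUID_DIR/$KEY_FS_UUID" ]
}

# Returns 0 on successful unlock, 1 otherwise (caller falls back to the prompt).
usb_unlock() {
    if ! wait_for_key_device; then
        log "key stick $KEY_FS_UUID not present after ${WAIT_SECS}s"; return 1
    fi
    mkdir -p "$USB_MOUNT"
    # The stick only carries a key file: mount it read-only, no exec/suid/dev.
    if ! mount -o ro,nosuid,nodev,noexec "$BY_UUID_DIR/$KEY_FS_UUID" "$USB_MOUNT"; then
        log "mount of key stick failed"; return 1
    fi
    rc=1
    if [ -f "$USB_MOUNT/$KEY_FILE" ]; then
        cryptsetup luksOpen "$LUKS_DEV" "$MAPPER_NAME" --key-file "$USB_MOUNT/$KEY_FILE" && rc=0
    else
        log "no $KEY_FILE on key stick"
    fi
    umount "$USB_MOUNT"   # never leave the key material mounted
    if [ "$rc" -eq 0 ]; then log "unlocked $MAPPER_NAME from USB key"
    else log "USB unlock failed, falling back to passphrase prompt"; fi
    return "$rc"
}
```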


That may be an option, but for the time being, I’m not even sure how to start debugging this. I have no idea where to start looking. I don’t even know if the usb-unlock.sh script is even running at boot. Any thoughts?

Just a sanity check because I’ve totally done this before: did you make the script file executable?
Good point. Yes it is.