#!/bin/bash set -e # The script will exit if a command fails. read -r uuid usbmntpt <<< $(lsblk -o UUID,MOUNTPOINT | grep media) mntdest="$usbmntpt/mykeyfile" uuiddest="/dev/disk/by-uuid/$uuid:/mykeyfile" sudo dd bs=1M count=4 if=/dev/urandom of=$mntdest iflag=fullblock sudo chmod -v 0400 $mntdest device=$(sudo blkid --match-token TYPE=crypto_LUKS -o device) sudo cryptsetup luksAddKey $device $mntdest sudo cryptsetup luksOpen --test-passphrase --key-file $mntdest $device sudo cp /etc/crypttab /etc/crypttab.original sudo sed -i "s|none|$uuiddest|g" /etc/crypttab sudo sed -i "s|$|,discard,keyscript=/lib/cryptsetup/scripts/keyscript.sh,tries=4|" /etc/crypttab sudo wget -O /lib/cryptsetup/scripts/keyscript.sh \ https://raw.githubusercontent.com/filisko/cryptsetup-usb-keyscript/main/src/keyscript.sh sudo chown root:root /lib/cryptsetup/scripts/keyscript.sh sudo chmod 755 /lib/cryptsetup/scripts/keyscript.sh sudo update-initramfs -u echo "If all went well restart your computer." [[https://filis.me/posts/how-to-decrypt-a-luks-setup-with-a-pendrive]]