How to automatically decrypt a LUKS LVM setup on boot with a USB

Written by Filis Futsarov on May 5, 2025
The main idea of this solution is to have a USB key at home to easily decrypt the system, and whenever you go outside you never bring the USB key with you.
First, this is a very safe approach to decrypting a LUKS LVM setup on boot with a USB. I tested it multiple times with a VM running Ubuntu 24.04, which I broke multiple times while I was testing different approaches from outdated posts, AI suggestions, and many other sources, until I found my own way. Some of these approaches were:
- initramfs hooks
- udev scripts
- the /etc/crypttab keyfile parameter
This approach uses the keypass parameter of cryptsetup, which is for loading keyfiles from an already mounted and unencrypted filesystem. This is OK at first sight, but most of the time I see posts that show how to put the keyfile inside the (unencrypted) boot partition instead of loading it dynamically from an external source. I guess some people got tired of manually decrypting their systems and that was a way to cope with it.
In any case, the keypass parameter helps us achieve our purpose, but we have to add more to it. For example, it doesn't include a way to mount a specific USB (e.g. by UUID) and load the keyfile from that USB in a fault-tolerant manner, with a fallback to the usual "Enter password" screen so you can enter the password manually. None of the solutions were fault-tolerant, and I broke my laptop!
Anyway, that's why I created a script that does just that. It mounts your USB, tries to load the keyfile 3 times in a row, and then on the 4th attempt it falls back to the usual "Enter password" screen that you're accustomed to, so you can enter your password manually.
Before proceeding, do a full backup of your disk (the whole disk, not a partition; Clonezilla works) and test the solution in a VM using the same Ubuntu version as yours. This way you can't complain about this solution, and you can also see what has to be done first (you can simply roll back your VM in case you break it).
I will also enable the comments section below in case the script needs an update for newer versions of Ubuntu or cryptsetup.
Creating a secure keyfile
This command creates a 4MB keyfile filled with cryptographically secure random binary data (not just ASCII characters), which increases the entropy per byte compared to a typed passphrase:
sudo dd if=/dev/urandom of=/media/usb/secure.key bs=1M count=4 iflag=fullblock
Downloading the script
Updating /etc/crypttab entries
To decrypt our system, we need to provide to /etc/crypttab the UUID of the root partition that we want to decrypt, together with the /dev/disk/by-uuid path of the USB key and the path to the keyfile on it. The script reads this entry to know where to look for the keyfile.
Aside from that, you also have to specify the number of retries. This must always be 4, so that crypttab gives the script the chance, after 3 attempts, to ask you to enter the password manually (that can be considered the 4th attempt of the script) if for some reason the script couldn't locate the USB or the keyfile, or the keyfile is simply not correct.
To find the UUID:
Also, you have to specify the path of the keyscript that you downloaded before. This can be any path really; I would suggest keeping it inside your home folder.
dm_crypt-0 UUID=bd5bf7de-15a1-4183-b4d4-71b7a5d3c246 /dev/disk/by-uuid/28D6-838D:/luks.key discard,keyscript=/home/filis/here.sh,tries=4
sudo chmod 0400 /path/to/keyfile
sudo chown root:root /path/to/keyfile
Also, I found a way to log messages from inside the initramfs directly to the kernel ring buffer using /dev/kmsg; otherwise, logging to any file won't work, as the initramfs is purged right after boot.
Help me keep this post updated with new versions of Ubuntu or cryptsetup, share thoughts or simply thank me for writing this post.