LinuxQuestions.org
Old 10-18-2011, 05:16 PM   #1
mgrunt
LQ Newbie
 
Registered: Oct 2011
Posts: 4

Rep: Reputation: Disabled
ecryptfs


Hi, I have an HP Microserver with one HDD. I installed the latest Debian. I'm using LVM with ecryptfs. Every time the PC boots, I must type the password. Is it possible (and how) to use a USB flash drive where the private key is saved, so that when the PC is booting and the USB flash drive is connected, the PC starts automatically?

Thank you
MG
 
Old 10-19-2011, 07:44 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Welcome to LQ security.

You have run into one of the core problems with whole HDD encryption: booting. In order to boot, the file system needs to be decrypted. The decryption key is password protected and to do otherwise would be both foolish and would defeat the purpose of encrypting the drive. I know of no way to put your password / key on a USB stick and use that to start up, and again - you run the real risk of defeating the purpose of encryption. My initial response would be to suggest that you reconsider your approach and ask why you are encrypting the WHOLE HDD. What I am getting at is: do you really care if directories like /bin, which contain system binaries that are exact duplicates of widely distributed software, are encrypted, or are you more concerned with your personal files located in your user's home directory? If you encrypt your home directory, it can be decrypted and mounted automatically when you log in, but the system can boot and other users (if any) can still access the system.

Edit: This subject has come up several times over the last year or so. A search of the security forum will provide you with a lot of information for research on the subject.
 
Old 10-19-2011, 02:31 PM   #3
realbluntz
Member
 
Registered: Jun 2010
Location: the D
Distribution: arch x86_64
Posts: 57

Rep: Reputation: 3
Encrypting the entire HDD usually isn't needed unless you're paranoid (or you don't have home partitioned).

Your solution may be installing your bootloader on the USB with the key and configuring accordingly.
 
Old 10-19-2011, 05:24 PM   #4
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 139
While I use LUKS without LVM it is entirely possible to set up HDD encryption to require a keyfile when booting, and to store said keyfile on a USB stick, so that boot is not possible without it plugged in. It is not complicated but does take some time and effort to implement. There are numerous HOW-TO's around the net.

The simplest approach is that mentioned by realbluntz: having your boot files and keyfile on the USB drive and booting from it.

A look through the security sub-forum, as suggested by Noway2, should yield plenty of reading material.

Why encrypt an entire drive? Because there are often bits and pieces of data stored elsewhere that can provide clues to an intruder. Some of us also don't believe in giving any advantage to a thief at all. Most drive encryption for a home user is more to protect information in case the drive is stolen than any other reason. Other reasons include work, political activity, social activism, etc.
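
The keyfile-on-USB setup described in post #4, sketched as an added example that is not part of the thread or any poster's own configuration. It assumes a LUKS volume on Debian with the `passdev` keyscript shipped by the cryptsetup package; the device name `/dev/sdXN`, the mapping name, the filesystem label `KEYSTICK` and the keyfile path are placeholders.

```shell
#!/bin/sh
# Added example: helper functions for a LUKS keyfile kept on a USB stick.
# Every device name, label and path used here is a placeholder.

# Create a keyfile of 4096 random bytes that only its owner can read.
make_keyfile() {
    keyfile=$1
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=512 count=8 2>/dev/null ) || return 1
    chmod 0400 "$keyfile"
}

# Print an /etc/crypttab line that fetches the key through passdev.
# passdev key field: <device holding the key>:<path on that device>:<timeout s>
crypttab_line() {
    name=$1; source_dev=$2; usb_label=$3; key_path=$4; timeout=${5:-10}
    # crypttab fields are whitespace separated: reject empty or spaced values.
    for field in "$name" "$source_dev" "$usb_label" "$key_path"; do
        case $field in
            ''|*[[:space:]]*) echo "invalid crypttab field: '$field'" >&2; return 1 ;;
        esac
    done
    # passdev splits its key field on ':', so label and path must not contain one.
    case "$usb_label$key_path" in
        *:*) echo "label and key path must not contain ':'" >&2; return 1 ;;
    esac
    printf '%s %s /dev/disk/by-label/%s:%s:%s luks,keyscript=/lib/cryptsetup/scripts/passdev\n' \
        "$name" "$source_dev" "$usb_label" "$key_path" "$timeout"
}

# Order of operations on the real machine, as root (shown here, not executed):
#   make_keyfile /mnt/usb/root.key
#   cryptsetup luksAddKey /dev/sdXN /mnt/usb/root.key   # adds a key slot; the
#                                                       # passphrase slot stays
#   crypttab_line sdXN_crypt /dev/sdXN KEYSTICK /root.key
#       -> put the printed line in /etc/crypttab in place of the old entry
#   update-initramfs -u
```

Because `luksAddKey` adds a slot rather than replacing one, the original passphrase still unlocks the disk if the stick is lost. Anyone who holds the stick can unlock the drive, so it should not be stored with the machine.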
 
  

