edit: funny you asking that though; I remember asking myself the same when reading it the first time and skipping the fedora instructions in there.
]]>Not that I know of. The key must be in an unencrypted medium so it can be read in order to unlock the encrypted volume.
There is one way you can do something like that, if your machine has a TPM chip. There is an extension for cryptsetup which stores the luks-key in the TPM chip. On boot the passphrase unlocks it and thereby the partition. If you take the drive out the machine, it is useless/encrypted.
You find it here: https://github.com/shpedoikal/tpm-luks
It is linked to from the cryptsetup FAQ too btw. I wanted to try it myself sometime actually (to use that tpm chip at least once..), but did not get to it yet.
Apart from that the Arch wiki has links to threads about encrypting the key-file itself. So while you might have to keep it on an unencrypted medium, you still need a passphrase to use the key.
]]>Not that I know of. The key must be in an unencrypted medium so it can be read in order to unlock the encrypted volume.
This is what I forgot
]]>Say you have a hard drive with 2 partitions, one for /boot which would be unencrypted and one for / which would be encrypted.
So this hardrive can boot and it has arch on it.
I imagined something like this:
When the hardrive is being used to boot arch which is installed on it, LUKS/dm-crypt would use a key file stored on the encrypted partition to allow it to boot to login screen, and so no interaction would be required from boot, you are then relying on strong passwords to protect your data I guess
Then, if that hardrive were to be plugged into another computer say as an external drive, it would not be accessible unless you provided a password or another key file, as it would not read the key file stored on the encrypted partition.
Is this possible at all to setup? I've done a bit of googling, found nothing.
I think what I've written makes sense