2

My machine is LUKS-encrypted and boot works like a charm (asking for the passphrase at launch). I want to use a keyfile on a USB pendrive, so that the user has a dongle that must be plugged in to launch Linux fully. I'm mainly inspired by this answer to do so: LUKS encryption, header on a dongle USBdrive?

Well, I copied /boot and the keyfile onto the USB key, and I have edited /etc/crypttab.

Now I want to make sure the machine will attempt to boot from the USB pendrive. I understand I have to edit /etc/fstab and I read the man page and docs, but I'm totally lost.

The machine has /boot and / (FS). The USB has only /boot (+ keyfile inside, linked in /etc/crypttab).

My question is: is it possible to tell my machine "try to boot from the pendrive [this is possible I know, but next:], if impossible: fall back to the HDD (and ask for the passphrase)"? How?

NB: I'm afraid of doing something wrong with fstab so that my machine does not boot anymore.

3pic

1 Answer

5

Before doing anything that might make your system inoperable, make a system back-up!

You should be rightly afraid as "fallback to the hard drive" is what you have right now, without making the USB stick!

So what you're about to do by putting `/boot` on a USB stick is making your system more secure, and with great security comes great responsibility: the USB key getting lost, getting stolen or just breaking will make your system inaccessible!

So before you go ahead:

  1. Make a system back-up
  2. Buy another USB key equal to or larger than the one you have.
  3. Make an unencrypted data back-up and store it in a vault
  4. Go back here and continue what you were doing
  5. dd the contents of the first USB onto the second so you have a back-up of that.
  6. Test both USB keys
  7. Delete the unencrypted data back-up (or just destroy the unencrypted back-up with a blowtorch!)

:-)

Fabby
  • The answer is really interesting, but it does not say if fallback is possible (and potentially how) ;) – 3pic Aug 13 '15 at 07:24
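
Steps 2, 5 and 6 of the answer (spare stick equal or larger, `dd` the first onto the second, test the copy), as an added shell example that is not part of the original answer. The function names are made up for this illustration, and the two device paths are arguments you supply after checking them with `lsblk`.

```shell
#!/bin/sh
# Added example: clone the key stick onto a spare and verify the copy.
# Hypothetical helper names; SRC and DST are the device nodes of your two
# sticks (assumption: you identified them with lsblk before running this).

# Size in bytes of a block device or, for dry runs, a regular image file.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# clone_and_verify SRC DST
# Returns 0 only if DST now starts with a byte-identical copy of SRC.
clone_and_verify() {
    src=$1; dst=$2
    [ -r "$src" ] && [ -w "$dst" ] || { echo "cannot access $src or $dst" >&2; return 2; }
    [ "$src" != "$dst" ] || { echo "source and target are the same" >&2; return 2; }
    src_size=$(size_of "$src") || return 2
    dst_size=$(size_of "$dst") || return 2
    # Step 2: the spare must be equal to or larger than the original,
    # otherwise the copy would be silently cut short.
    if [ "$dst_size" -lt "$src_size" ]; then
        echo "target ($dst_size B) is smaller than source ($src_size B)" >&2
        return 3
    fi
    # Step 5: conv=fsync flushes the data to the stick before dd exits;
    # notrunc keeps a regular image file at its full size during dry runs.
    dd if="$src" of="$dst" bs=4M conv=notrunc,fsync 2>/dev/null || return 4
    # Step 6 (first half): compare only the first src_size bytes, because a
    # larger spare has trailing space that will never match.
    cmp -s -n "$src_size" "$src" "$dst" || { echo "verification failed" >&2; return 5; }
    echo "verified $src_size bytes"
}

# Run as: sh clone-key.sh SRC DST
if [ "$#" -eq 2 ]; then
    clone_and_verify "$1" "$2"
fi
```

A byte-identical copy still has to be proven by actually booting from the spare stick, which is the other half of step 6.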