====== Purpose ======

After installing OpenBSD fully encrypted with the keys on a USB stick, let's try the same with Linux and Fedora 32 (which we will then push to Rawhide for the bleeding-edge experience).

As reading a non-clear-text key seems largely impossible on Linux... I opted for a "honeypot OS" solution: Windows 10 on the 256GB drive and the Linux / on the second drive, with /boot on a USB drive. This way, without the USB key, only Windows boots :D

====== Hardware ======

Lenovo ThinkPad X230 Tablet with an mSATA drive in the WWAN (phone card) slot, the 500GB hard drive replaced by a 1TB SSD, 16GB RAM, Core i5 CPU.

====== Disk partitioning ======

SSD (1TB) = sda\\
mSATA (256GB) = sdb\\
USB drive (16GB) = sdd

^ disk ^ partition ^ type ^ size ^ mount point ^ install pass ^
| sdb | sdb* | Windows 10 | 256GB | | |
| sdb | sdb2 | EFI System Partition | 100MB | /boot/efi | |
| sdd | sdd1 | ext2 | 10GB | /boot | |
| sda | /dev/mapper/Fedora | LUKS encrypted (LVM inside) | 1TB | | test |
| sda | sda1 | swap | 16GB | - | |
| sda | /dev/mapper/Fedora-fedora--root | ext4 | 915GB | / | |

====== Install ======

Using Fedora Media Writer I created a live USB with Fedora 32.\\
Boot is set to "UEFI" with Microsoft "Secure Boot" (LOL, yes, Secure and Microsoft in the same sentence), pure GPT on all devices.\\
I first installed Windows 10 on the first drive (mSATA, 256GB).\\
The Fedora install goes by, and at the disk partitioning step I choose Custom, select all devices, then mount the EFI partition of the mSATA drive as /boot/efi, create /boot (ext2) on the USB key and a LUKS-encrypted LVM volume group (named Fedora) on the SSD, and inside it create swap and / (ext4).

I put an easy passphrase as we'll change it later, and will put the key on a USB drive to decrypt easily. The initial passphrases are in the table above :-)

After reboot it will ask for the swap key, then the LVM key.

Next step: put the encryption key on the USB key to avoid typing it.

====== Rawhide ======

Switch to Rawhide!
Rock'n roll :-) https://fedoraproject.org/wiki/Upgrading_Fedora_using_package_manager#To_Rawhide

<code bash>
dnf upgrade
dnf install -y dnf-plugins-core fedora-repos-rawhide
dnf config-manager --set-disabled fedora updates updates-testing
dnf config-manager --set-enabled rawhide
dnf clean -q dbcache packages metadata
dnf --releasever=rawhide --setopt=deltarpm=false distro-sync --nogpgcheck
touch /.autorelabel
</code>

Note: the dnf flag is ''--nogpgcheck''; it skips package signature verification for this one distro-sync transaction only, so don't make it a habit. ''touch /.autorelabel'' triggers a full SELinux relabel on the next boot.

====== Missing programs/repo ======

<code bash>
dnf install -y htop ccze vim zsh dfc git
</code>

Note: ''epel'' is a repository for RHEL/CentOS, not a Fedora package; with it on the command line dnf finds no match and installs nothing, so it is left out here.

====== Fingerprints ======

<code bash>
dnf install -y fprintd libfprint fprintd-pam
</code>

Then enroll a finger with ''fprintd-enroll'' and let PAM use it with ''authselect enable-feature with-fingerprint''.

====== LUKS key on USB drive ======

:!: WORK IN PROGRESS :!:\\
Reference: [[https://forums.centos.org/viewtopic.php?t=53452]]

The key lives in /boot/trololo.key (the USB drive is formatted in ext2).\\
Caveat: /boot is not encrypted, so whoever holds the USB stick holds the key. Keep the file readable by root only (mode 0400) and keep a passphrase in another key slot as a fallback.

===== LUKS key =====

Add this key to the LUKS partition:

<code bash>
cryptsetup luksAddKey /dev/disk/by-uuid/ /boot/trololo.key
</code>

===== Dracut =====

Create a dracut config file so the key device can be mounted at an early stage:

<code bash>
vi /etc/dracut.conf.d/usb-decrypt.conf
</code>

Content (the leading and trailing spaces inside the quotes are required by dracut):

<code>
omit_dracutmodules+=" systemd "
filesystems+=" ext2 "
</code>

**__Note__**: my USB drive is formatted in ext2. Omitting the systemd module makes dracut use its legacy (non-systemd) init path for the whole early boot, not just for unlocking.

Re-generate the initramfs:

<code bash>
dracut -fv
</code>

===== GRUB =====

Get the UUID of your USB drive:

<code bash>
ls -l /dev/disk/by-uuid
</code>

Add the key parameter to the kernel command line in grub.cfg:

<code bash>
vi /boot/efi/EFI/fedora/grub.cfg
</code>

and append to the kernel line:

<code>
rd.luks.key=/trololo.key:UUID=
</code>

Note: the key path is relative to the root of the key device (/boot/trololo.key on the running system is /trololo.key on the USB drive). A hand-edited grub.cfg is overwritten the next time grub2-mkconfig runs; to make the parameter permanent, put it in ''GRUB_CMDLINE_LINUX'' in /etc/default/grub or use ''grubby --update-kernel=ALL --args=...''.

Reboot to test.

====== LUKS Keys ======

===== Generate =====

1024 random bytes from the kernel RNG (then restrict the file to root, mode 0400):

<code bash>
dd if=/dev/urandom of=/boot/trololo.key bs=1024 count=1
</code>

===== Failover key =====

Add a passphrase in another key slot so the disk can still be opened without the USB stick:

<code bash>
cryptsetup luksAddKey /dev/sda1
</code>

===== Cleaning keys =====

Check keys:

  * list the key slots
<code bash>
cryptsetup luksDump /dev/sda1
</code>
  * check one specific slot
<code bash>
cryptsetup luksOpen --test-passphrase --key-slot 0 /dev/sda2 && echo correct
</code>
  * delete the obsolete slots (first verify which slot holds the USB key file and which holds the fallback passphrase; killing the wrong slot locks you out)
<code bash>
cryptsetup -v luksKillSlot /dev/sda1 0
cryptsetup -v luksKillSlot /dev/sda1 1
</code>
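The whole "LUKS key on USB drive" procedure and the slot check from "Cleaning keys", as one added script (example code, not the page's own): it generates the key file with root-only permissions, adds it to the LUKS container, writes the dracut fragment, resolves the USB drive's UUID from its mount point and builds the ''rd.luks.key'' argument from it, and afterwards reports which key slot the file actually opens, which is the check to run before any ''luksKillSlot''. Assumptions: the container is /dev/sda1 (the device the page uses in its luksAddKey line), the USB drive is mounted on /boot, the file is named trololo.key, the kernel argument is persisted with ''grubby'' instead of hand-editing grub.cfg, and the ''luksDump'' excerpt used to exercise the parser is constructed, not captured from a real device.

```shell
#!/bin/sh
# usb-luks-key.sh: put a LUKS key file on the (unencrypted) USB /boot drive and
# wire it into the initramfs. Added example, not the page's own script.
# Assumed names (override through the environment):
#   LUKS_DEV   the LUKS container (/dev/sda1 in the page's luksAddKey line)
#   KEY_MOUNT  where the USB drive is mounted (/boot on the page)
#   KEY_NAME   key file name (trololo.key on the page)
#   KEY_FSTYPE filesystem of the USB drive (ext2 on the page)
LUKS_DEV=${LUKS_DEV:-/dev/sda1}
KEY_MOUNT=${KEY_MOUNT:-/boot}
KEY_NAME=${KEY_NAME:-trololo.key}
KEY_FSTYPE=${KEY_FSTYPE:-ext2}
KEY_BYTES=1024

# rd.luks.key=<path on key device>:<key device>[:<luks device>]; the path is
# relative to the root of the key device, so /boot/trololo.key becomes /trololo.key.
luks_key_arg() {
    arg="rd.luks.key=/$1:UUID=$2"
    if [ -n "${3:-}" ]; then
        arg="$arg:UUID=$3"
    fi
    printf '%s\n' "$arg"
}

# dracut.conf.d fragment; the spaces inside the quotes are required by dracut.
dracut_usb_conf() {
    printf 'omit_dracutmodules+=" systemd "\nfilesystems+=" %s "\n' "$1"
}

# Print the active key slot numbers from `cryptsetup luksDump` output (stdin).
# Understands LUKS2 ("Keyslots:" section) and LUKS1 ("Key Slot N: ENABLED").
luks_slots_from_dump() {
    awk '
        /^Keyslots:/                 { in_slots = 1; next }
        /^(Tokens|Digests):/         { in_slots = 0 }
        in_slots && /^  [0-9]+: /    { sub(":", "", $1); print $1 }
        /^Key Slot [0-9]+: ENABLED/  { sub(":", "", $3); print $3 }
    '
}

# Which slot does a key file open? Tries each slot without activating the device.
find_slot_for_keyfile() {
    for s in $(cryptsetup luksDump "$1" | luks_slots_from_dump); do
        if cryptsetup open --test-passphrase --key-file "$2" --key-slot "$s" "$1" 2>/dev/null; then
            echo "$s"
            return 0
        fi
    done
    echo "key file $2 opens no slot of $1" >&2
    return 1
}

# 1024 random bytes, readable by root only. /boot itself is unencrypted, so the
# mode protects against other local users, not against whoever holds the stick.
gen_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs="$KEY_BYTES" count=1 status=none )
    chmod 0400 "$1"
}

# Constructed LUKS2 luksDump excerpt (not from a real device) to exercise the parser.
sample_luks2_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
UUID:           0f6c6a2e-0000-4000-8000-constructedsamp
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2i
  1: luks2
        Key:        512 bits
        PBKDF:      argon2i
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    uuid=$(findmnt -no UUID "$KEY_MOUNT")
    [ -n "$uuid" ] || { echo "cannot find the UUID of $KEY_MOUNT" >&2; exit 1; }
    gen_keyfile "$KEY_MOUNT/$KEY_NAME"
    # prompts for an existing passphrase of LUKS_DEV, then stores the file in a new slot
    cryptsetup luksAddKey "$LUKS_DEV" "$KEY_MOUNT/$KEY_NAME"
    dracut_usb_conf "$KEY_FSTYPE" > /etc/dracut.conf.d/usb-decrypt.conf
    # persist the kernel argument in every boot entry instead of hand-editing grub.cfg
    grubby --update-kernel=ALL --args="$(luks_key_arg "$KEY_NAME" "$uuid")"
    dracut -f
    echo "key file is in slot $(find_slot_for_keyfile "$LUKS_DEV" "$KEY_MOUNT/$KEY_NAME")"
}

case "${1:-}" in
    apply) main ;;
    slots) cryptsetup luksDump "$LUKS_DEV" | luks_slots_from_dump ;;
esac
```

Run ''sh usb-luks-key.sh apply'' as root to perform the page's steps, and ''sh usb-luks-key.sh slots'' to list the slots in use; ''find_slot_for_keyfile'' is the number to keep when you then kill the other slots.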