It works flawlessly. I modified the partitioning of the disk so a large portion of the disk was used as a LUKS-encrypted ext4 filesystem, unlocked with a keyfile.
This works, but since I chose the /root directory for storage of the keyfile, it is now stored on the external drive. Is there any directory I can store the keyfile in that is not part of the extroot? I want the keyfile to be stored on the internal flash, but still be accessible when the external drive is plugged in.
I know, I just want to protect the data in case someone takes the flash drive. I don't want to have the keyfile in plain text on the unencrypted extroot partition on the flash drive itself. I am OK with having it in an unencrypted file on the internal flash, so it takes at least a little bit more skill to dump the filesystem that way than just plugging it into a computer and unlocking it right away. Most thieves do not have that skill, and this is my threat model.
I read the question. You can mount the old /overlay jffs2 somewhere else, but if you ever intend to sysupgrade it is more practical to have the "default" layout and mount USB as extra storage.
You certainly need kmods in overlay (or squash); then the library path can be added, though it is still better in the base combination. Autostart items need to be in the base system, but heavy commands can be installed in default mem -> /tmp or onto USB storage.
Say you can squeeze a bit of franken-docker this way into "16MB flash".
You could write a script for rc.local that will unlock the drive and then mount it. Before the drive is mounted, of course, all the files, including where you store the key, are from internal flash. They then become inaccessible by mounting the external drive on top of /.
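As an added example of the rc.local approach suggested above (this is not code from the thread or from OpenWrt itself), the script below opens the LUKS partition with a keyfile kept on the internal flash and then mounts the mapped device as extra storage. The keyfile path `/etc/luks/usb.key`, the partition `/dev/sda2`, the mapper name `usbdata` and the mount point `/mnt/usbdata` are all assumptions; adjust them to your layout. Before touching `cryptsetup` it refuses to continue if the keyfile is missing, is readable by group or others, or lives under the mount point of the very drive it is supposed to unlock, which is the mistake the earlier post describes.

```shell
#!/bin/sh
# Added example for /etc/rc.local on an OpenWrt-style router (busybox ash/POSIX sh).
# Unlocks a LUKS volume on a USB drive with a keyfile stored on the internal flash,
# then mounts it. Requires the cryptsetup package and its dm-crypt kernel modules.
# All paths below are assumptions; override them via the environment if needed.
KEYFILE="${KEYFILE:-/etc/luks/usb.key}"   # keyfile on internal flash (assumed path)
LUKS_DEV="${LUKS_DEV:-/dev/sda2}"         # LUKS partition on the external drive (assumed)
MAPPER="${MAPPER:-usbdata}"               # name under /dev/mapper (assumed)
MOUNTPOINT="${MOUNTPOINT:-/mnt/usbdata}"  # where the decrypted ext4 fs is mounted (assumed)

# keyfile_ok FILE MOUNTPOINT
# Returns 0 when FILE is a regular file readable only by its owner and is not
# located under MOUNTPOINT (i.e. it is not stored on the drive it unlocks).
# Non-zero return codes: 1 missing/unreadable, 2 stored on the drive, 3 too permissive.
keyfile_ok() {
    f=$1
    mp=$2
    [ -f "$f" ] || return 1
    case "$f" in
        "$mp"/*) return 2 ;;
    esac
    # Columns 2-10 of 'ls -l' are the permission bits; works on busybox, GNU and BSD ls.
    perm=$(ls -ld "$f" 2>/dev/null | cut -c2-10) || return 1
    case "$perm" in
        r--------|rw-------) return 0 ;;
        *) return 3 ;;
    esac
}

# is_mounted MOUNTPOINT: 0 if something is already mounted there (per /proc/mounts).
is_mounted() {
    grep -qs " $1 " /proc/mounts
}

# unlock_and_mount: open the LUKS device with the keyfile, then mount it.
unlock_and_mount() {
    keyfile_ok "$KEYFILE" "$MOUNTPOINT" || {
        echo "refusing to unlock: keyfile check failed (code $?)" >&2
        return 1
    }
    if [ -e "/dev/mapper/$MAPPER" ]; then
        echo "$MAPPER already unlocked"
    else
        cryptsetup open --type luks --key-file "$KEYFILE" "$LUKS_DEV" "$MAPPER" || return 1
    fi
    if is_mounted "$MOUNTPOINT"; then
        return 0
    fi
    mkdir -p "$MOUNTPOINT"
    mount -t ext4 "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

# Only run when installed as /etc/rc.local; sourcing the file just defines the functions.
case "${0##*/}" in
    rc.local) unlock_and_mount ;;
esac
```

Because rc.local runs after the base system is up, the keyfile is read from the internal flash before anything is mounted over it, so the drive only ever sees the ciphertext. Keep the keyfile at mode 0400 owned by root; the check above is deliberately strict so that a copy accidentally placed on the USB drive, or made world-readable, stops the unlock instead of silently weakening it.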