Unlock Second LUKS Volume Automatically

This post shows some options for unlocking additional LUKS encrypted volumes automatically (on Antergos, but most of it should apply to other distros). It assumes that you already have your root filesystem on LUKS and want to add an encrypted non-root volume.
I’m also using systemd-boot with an unencrypted boot/EFI partition.

Unlock second device with key on first device

In this setup, the first device is unlocked with a password, and the second device with a keyfile stored inside that first encrypted volume.
A LUKS partition can have up to 8 different keys. So you don’t have to ditch your password for a keyfile, you can have both (or 8 to be more precise ;) ).

  • add a key to existing LUKS partition
    # generate random key with 4kB
    sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
    # set to read only for root
    sudo chmod 0400 /root/keyfile
    # add the key to the existing LUKS (prompts for existing passphrase of that LUKS)
    sudo cryptsetup luksAddKey /dev/sdX /root/keyfile

More about this here: https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile

  • add second (non-root) drive to crypttab

    crypt2    UUID=f2ee83ef-a828-4a84-a150-2ffd781b495a       /root/keyfile    luks,discard

  • check hooks in /etc/mkinitcpio.conf

    HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 resume filesystems fsck"

Note: This setup did not work with systemd-hooks (sd-encrypt)

  • add the new device to fstab, if it should also be mounted automatically

  • rebuild initramfs

    sudo mkinitcpio -p linux

  • make sure you know how to get back into your system to fix things if something goes wrong and the boot is broken!

  • reboot (read on first)
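
Before rebooting, the key field of each crypttab entry and the keyfile permissions from the steps above can be checked with a small script. This is an added example, not part of the original post; `audit_crypttab`, `make_sample`, the status strings and the sample UUIDs are made up for illustration, and GNU `stat` is assumed. It also recognises `keyscript=` entries like the ones shown further down.

```shell
#!/bin/sh
# Added example (not from the original post): audit the key field of a crypttab.
# audit_crypttab FILE [ROOT] prints "name: status" per entry and returns 1 if a
# keyfile is missing or accessible to group/others. ROOT is an assumed optional
# prefix for keyfile paths (e.g. an installed system mounted at /mnt).
audit_crypttab() {
    file=$1; root=${2:-}; rc=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac   # blank line or comment
        case ",$opts" in                          # field 3 goes to the keyscript,
            *,keyscript=*) echo "$name: keyscript"; continue ;;   # not a file
        esac
        case $key in
            ''|none|-) echo "$name: passphrase-prompt"; continue ;;
        esac
        if [ ! -f "$root$key" ]; then
            echo "$name: keyfile-missing"; rc=1; continue
        fi
        mode=$(printf '%03d' "$(stat -c %a "$root$key")")   # GNU stat, e.g. 400
        case $mode in
            *00) echo "$name: keyfile-ok" ;;      # no group/other permission bits
            *)   echo "$name: keyfile-mode-$mode"; rc=1 ;;
        esac
    done < "$file"
    return "$rc"
}

# Constructed sample: a throwaway root with a crypttab and two keyfiles.
make_sample() {
    s=$(mktemp -d)
    mkdir -p "$s/etc" "$s/root"
    head -c 4096 /dev/urandom > "$s/root/keyfile";  chmod 0400 "$s/root/keyfile"
    head -c 4096 /dev/urandom > "$s/root/loosekey"; chmod 0644 "$s/root/loosekey"
    cat > "$s/etc/crypttab" <<'EOF'
# name  device                 key             options
crypt2  UUID=constructed-0001  /root/keyfile   luks,discard
crypt3  UUID=constructed-0002  /root/loosekey  luks
crypt4  UUID=constructed-0003  /root/absent    luks
crypt5  UUID=constructed-0004  none            luks
crypt6  UUID=constructed-0005  main            luks,discard,keyscript=decrypt_keyctl
EOF
    echo "$s"
}

demo=$(make_sample); audit_crypttab "$demo/etc/crypttab" "$demo" || true; rm -rf "$demo"
```

On the installed system, call `audit_crypttab /etc/crypttab` as root; any line other than `keyfile-ok`, `passphrase-prompt` or `keyscript` should be fixed before the reboot.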

Troubleshooting: System hangs at boot now

If the second unlocked volume contains an LVM, there can be a problem with pvscan that makes the boot hang.
See this bug report: https://bugs.archlinux.org/task/41833

A workaround for this is to:

  • copy the udev rule (to override the default, so that an update does not break the workaround)

    cp /lib/initcpio/udev/69-dm-lvm-metad.rules /etc/udev/rules.d/

  • remove “--background” from the pvscan call

    RUN+="/usr/bin/lvm pvscan --cache --activate ay --major $major --minor $minor", ENV{LVM_SCANNED}="1"

The above solution is the one that worked for me after a lot of trial and error.
Below are some other things I tried. They required entering multiple passwords or did not work if the root filesystem is also encrypted, but maybe it is also helpful to see what does not work.

Unlock with two password prompts

  • add drives in /etc/crypttab.initramfs (NOTE: not crypttab but crypttab.initramfs, only those are unlocked by the initramfs)

    cryptAntergos   UUID=dfe2737b-fbc3-4aa0-9851-c8eff0c76abd       main    luks,discard
    cryptDevelop UUID=f2ee83ef-a828-4a84-a150-2ffd781b495a main luks,discard

  • adapt /boot/loader/entries/antergos.conf

    options luks.uuid=dfe2737b-fbc3-4aa0-9851-c8eff0c76abd luks.uuid=f2ee83ef-a828-4a84-a150-2ffd781b495a root=/dev/mapper/AntergosVG-AntergosRoot rw quiet

  • in /etc/mkinitcpio.conf switch to the systemd hooks: change “encrypt” to “sd-encrypt” and add the “systemd” hook before it (also lvm2 -> sd-lvm2 and keymap -> sd-vconsole)

    HOOKS="base systemd autodetect modconf block keyboard sd-vconsole sd-encrypt sd-lvm2 filesystems fsck"

  • rebuild initramfs

    sudo mkinitcpio -p linux

sd-encrypt may gain the ability to cache a password in the future (so that the same password would not have to be entered twice), but does not seem to have this yet (not sure).

Systemd cryptsetup documentation: https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html

Unlock two non-root LUKS volumes with the same password

  • use non-systemd hooks in mkinitcpio.conf
  • in crypttab add “keyscript=decrypt_keyctl”
    cryptAntergos   UUID=dfe2737b-fbc3-4aa0-9851-c8eff0c76abd       main    luks,discard,keyscript=decrypt_keyctl
    cryptDevelop UUID=f2ee83ef-a828-4a84-a150-2ffd781b495a main luks,discard,keyscript=decrypt_keyctl

See also (for alternative “encrypt” hooks):

Thank you for reading, I hope that it was helpful, despite the lack of detailed descriptions :)

This work is licensed under a Creative Commons Attribution 4.0 International License.