This post shows some options for unlocking additional LUKS-encrypted volumes automatically (on Antergos, but most of it should apply to other Arch-based distros). It assumes that you already have your root filesystem on LUKS and want to add an encrypted non-root volume.
I'm also using systemd-boot with an unencrypted boot/EFI partition.
Unlock second device with key on first device
In this setup, the first device is unlocked with a passphrase, and the second device with a keyfile stored inside that first encrypted volume. The keyfile is only readable once the root volume has been unlocked, so the second volume is protected by the same passphrase; keep the file owned by root with mode 0400 so no other local user can copy it.
A LUKS1 header has 8 key slots (LUKS2 has 32), so you don't have to ditch your passphrase for a keyfile: you can have both (or 8, to be more precise ;) ).
- add a key to the existing LUKS partition

# generate a random 4 KiB key
sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
# make it readable by root only
sudo chmod 0400 /root/keyfile
# add the key to the existing LUKS header (prompts for an existing passphrase of that volume)
sudo cryptsetup luksAddKey /dev/sdX /root/keyfile
More about this here: https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile
- add the second (non-root) drive to /etc/crypttab

crypt2 UUID=f2ee83ef-a828-4a84-a150-2ffd781b495a /root/keyfile luks,discard
- check the hooks in /etc/mkinitcpio.conf (the busybox-based "encrypt" hook, with "keyboard" before it so the keyboard modules are loaded before the passphrase prompt)

HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 resume filesystems fsck"

Note: this setup did not work for me with the systemd hooks (sd-encrypt).
- add the new device to /etc/fstab (e.g. as /dev/mapper/crypt2) if it should also be mounted automatically
- rebuild the initramfs

sudo mkinitcpio -p linux

Make sure you know how to get back into your system (for example from a live USB with cryptsetup) to fix things if something went wrong and the boot is broken!
Reboot (but read on first).
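Before rebooting it is worth checking the pieces above mechanically rather than by eye. The following script is an added example, not part of the original post: it checks the keyfile permissions, the HOOKS line, that the UUID in crypttab resolves to the device you think it does, and, most importantly, that the keyfile actually opens the LUKS header (cryptsetup's --test-passphrase verifies the key without mapping anything). The device path /dev/sdX, the keyfile /root/keyfile and the mapping name crypt2 are the placeholders from the post; replace them with your own values.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the keyfile-unlocked second volume.
# Added example (not from the original post). /dev/sdX, /root/keyfile and
# crypt2 are placeholders taken from the post, not real values.

# Print the /etc/crypttab line for a LUKS volume unlocked with a keyfile.
# Usage: crypttab_line <name> <uuid> <keyfile> [options]
crypttab_line() {
    name=$1; uuid=$2; keyfile=$3; opts=${4:-luks,discard}
    printf '%s UUID=%s %s %s\n' "$name" "$uuid" "$keyfile" "$opts"
}

# Succeed only if the keyfile is readable by its owner alone (0400 or 0600);
# anything wider hands the key to every local user.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# Check the HOOKS line of an mkinitcpio.conf for what this setup needs:
# the busybox "encrypt" hook present, "keyboard" listed before it, and no
# "sd-encrypt" (the systemd hooks did not work with this setup).
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=[("]*\([^")]*\).*/\1/p' "$1")
    [ -n "$hooks" ] || return 1
    seen_keyboard=0
    for h in $hooks; do
        case $h in
            sd-encrypt) return 1 ;;
            keyboard)   seen_keyboard=1 ;;
            encrypt)    [ "$seen_keyboard" -eq 1 ] && return 0 || return 1 ;;
        esac
    done
    return 1
}

# Verify the keyfile really opens the LUKS header without mapping the
# device (needs root and the real device; not exercised by the test below).
keyfile_unlocks() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Run all checks against a live system.
# Usage: run_checks /dev/sdX /root/keyfile /etc/mkinitcpio.conf <uuid>
run_checks() {
    dev=$1; keyfile=$2; conf=$3; uuid=$4; rc=0
    keyfile_mode_ok "$keyfile" && echo "ok   keyfile mode" \
        || { echo "FAIL keyfile mode (want 0400, root-owned)"; rc=1; }
    hooks_ok "$conf" && echo "ok   mkinitcpio hooks" \
        || { echo "FAIL hooks (need keyboard ... encrypt, no sd-encrypt)"; rc=1; }
    [ "$(blkid -U "$uuid")" = "$dev" ] && echo "ok   UUID resolves to $dev" \
        || { echo "FAIL UUID $uuid does not resolve to $dev"; rc=1; }
    keyfile_unlocks "$dev" "$keyfile" && echo "ok   keyfile unlocks $dev" \
        || { echo "FAIL keyfile does not unlock $dev"; rc=1; }
    grep -q "UUID=$uuid" /etc/crypttab && echo "ok   crypttab entry present" \
        || { echo "FAIL no crypttab entry; add:"; crypttab_line crypt2 "$uuid" "$keyfile"; rc=1; }
    return $rc
}

# Only run the live checks when invoked with arguments, e.g.:
#   sudo sh precheck.sh /dev/sdX /root/keyfile /etc/mkinitcpio.conf f2ee83ef-...
if [ $# -ge 4 ]; then
    run_checks "$@"
fi
```

If the keyfile check fails, luksAddKey did not take the key you think it did (or the file was regenerated afterwards); fix that before rebooting, since a keyfile that does not open the header will leave the boot waiting for a passphrase the busybox hook cannot prompt for on the second volume.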
Troubleshooting: System hangs at boot now
If the second unlocked volume contains an LVM physical volume, the pvscan triggered by udev can make the boot hang.
See this bug report: https://bugs.archlinux.org/task/41833
A workaround for this is to:
- copy the udev rule to /etc/udev/rules.d/ (a rule there with the same file name takes precedence over the packaged one in /usr/lib/udev/rules.d/, so a package update does not undo the workaround)

cp /lib/initcpio/udev/69-dm-lvm-metad.rules /etc/udev/rules.d/

- remove "--background" from the pvscan call in the copied file, so that the line reads:

RUN+="/usr/bin/lvm pvscan --cache --activate ay --major $major --minor $minor", ENV{LVM_SCANNED}="1"
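The two steps above can be done as one repeatable edit that also verifies its own result. This is an added example, not a script from the original post; the rule file name is the one the post uses, while the sed expression, the helper names and the "install" argument are mine.

```shell
#!/bin/sh
# Apply the pvscan --background workaround as a repeatable, self-checking
# step. Added example, not from the original post.

RULE=69-dm-lvm-metad.rules
SRC=/lib/initcpio/udev/$RULE      # packaged rule (path from the post)
DST=/etc/udev/rules.d/$RULE       # same file name => overrides the packaged copy

# Rewrite a udev rules file so that pvscan no longer runs with --background.
# Only lines that call pvscan are touched; everything else is copied through
# unchanged. Reads $1, writes $2.
strip_pvscan_background() {
    sed -e '/pvscan/ s/ --background//' "$1" > "$2"
}

# Succeed if the file still contains a backgrounded pvscan call.
has_background_pvscan() {
    grep -q 'pvscan.* --background' "$1"
}

# Copy the packaged rule into /etc/udev/rules.d and edit it in one go, then
# re-check the result instead of trusting the edit blindly.
install_workaround() {
    [ -r "$SRC" ] || { echo "missing $SRC" >&2; return 1; }
    strip_pvscan_background "$SRC" "$DST" || return 1
    if has_background_pvscan "$DST"; then
        echo "edit failed: --background still present in $DST" >&2
        return 1
    fi
    echo "installed $DST, pvscan line is now:"
    grep pvscan "$DST"
}

# Usage: sudo sh lvm-workaround.sh install
if [ "${1:-}" = "install" ]; then
    install_workaround
fi
```

Because the copied file lives in /etc/udev/rules.d/, it applies to the booted system, which is where the crypttab entry for the second volume is processed; it is not part of the initramfs image, so no mkinitcpio run is needed for this step.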
The above solution is the one that, after a lot of trial and error, worked for me.
Below are some other things I tried; they required entering multiple passwords or did not work when the root filesystem is also encrypted, but maybe it is also helpful to see what does not work.
Unlock with two password prompts
- add the drives to /etc/crypttab.initramfs (NOTE: not crypttab but crypttab.initramfs; only those entries are built into the initramfs and unlocked there)

cryptAntergos UUID=dfe2737b-fbc3-4aa0-9851-c8eff0c76abd main luks,discard
cryptDevelop UUID=f2ee83ef-a828-4a84-a150-2ffd781b495a main luks,discard

- adapt /boot/loader/entries/antergos.conf (one luks.uuid= per volume to unlock)

options luks.uuid=dfe2737b-fbc3-4aa0-9851-c8eff0c76abd luks.uuid=f2ee83ef-a828-4a84-a150-2ffd781b495a root=/dev/mapper/AntergosVG-AntergosRoot rw quiet
- in /etc/mkinitcpio.conf switch to the systemd hooks: add "systemd" (it replaces "udev"), change "encrypt" to "sd-encrypt", "lvm2" to "sd-lvm2" and "keymap" to "sd-vconsole"

HOOKS="base systemd autodetect modconf block keyboard sd-vconsole sd-encrypt sd-lvm2 filesystems fsck"
- rebuild the initramfs

sudo mkinitcpio -p linux

sd-encrypt may gain the ability to cache a password in the future (so that the same passphrase would not have to be entered twice), but it did not seem to have this yet at the time of writing (not sure). The mechanism that would make it possible exists in systemd-ask-password, which can store entered passwords in the kernel keyring (see its --keyname and --accept-cached options).
Systemd cryptsetup documentation: https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
Unlock two non-root LUKS volumes with the same password
- use the non-systemd hooks in mkinitcpio.conf
- in crypttab add "keyscript=decrypt_keyctl"

cryptAntergos UUID=dfe2737b-fbc3-4aa0-9851-c8eff0c76abd main luks,discard,keyscript=decrypt_keyctl
cryptDevelop UUID=f2ee83ef-a828-4a84-a150-2ffd781b495a main luks,discard,keyscript=decrypt_keyctl

Caveat: keyscript= and the decrypt_keyctl script come from Debian's cryptsetup initramfs integration; Arch's encrypt hook and systemd-cryptsetup do not implement keyscript options, so the option is ignored on Arch-based systems.
See also (for alternative “encrypt” hooks):
Thank you for reading, I hope that it was helpful despite the lack of detailed descriptions :)
This work is licensed under a Creative Commons Attribution 4.0 International License.