Adding a second disk to a encrypted setup

Hi,

I have the following setup:

  • a single disk ( /dev/sda ) with a /boot /dev/sda1 partition and /dev/sda2 LVM partition ( /dev/system )
  • /dev/sda2 is encrypted ( LUKS ) and unlocked at boot
  • /dev/system has three logical volumes : home ( XFS ) , root ( BTRFS ) and swap

I’d like to add another disk to the mix, and minimally make sure that I can unlock it at the same time, without entering a second password. Ideally I can use it for the same volume group ( old disk will keep the root and swap volumes, new disk will have the home volume ), but that would be for later.

How can I add a second disk to this encrypted setup?

Thanks,

Robert

Adding second encrypted container is easy, but I’m not sure it will be possible to implement “single signon”. What may be possible is to place key on the first encrypted disk so that second won’t ask for password at all. It could require some fiddling with dependencies though.

I currently have three disks on my desktop.

/dev/sda : mostly Windows.
/dev/sdb: entirely linux, including an encrypted LVM
/dev/sdc: entirely linux. There’s an encrypted LVM, and there’s a second encrypted partition.

I only give one encryption key during boot, and all are unlocked.

As far as I know, this requires:
all encrypted partitions use the same key;
all are listed in “/etc/crypttab”
plymouth is running during boot.

If I disable plymouth, then I get a separate prompt to decrypt each. I’m not sure of the details, but I think plymouth grabs the requests to decrypt. It prompts for the first, then tries that as an answer for the others.

The other alternative is to put the encryption key for the second and third partitions into files on the first partition. And then give the path name in “/etc/crypttab”.

I have not tried this with an LVM that spans several disks, but I assume that plymouth would still handle it.

On 2015-07-21 17:56, nrickert wrote:

> If I disable plymouth, then I get a separate prompt to decrypt each.
> I’m not sure of the details, but I think plymouth grabs the requests to
> decrypt. It prompts for the first, then tries that as an answer for the
> others.

Yes, correct.

> The other alternative is to put the encryption key for the second and
> third partitions into files on the first partition. And then give the
> path name in “/etc/crypttab”.

This is what I do. You do not to replace the password, but add another
one, that is in fact a file with random content, kept on the partition
that is decoded first. But I don’t use LVM.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))