I’ve added a second hard drive to my machine and would like to encrypt it and have it mounted/decrypted along with my current drive when I enter my password at initial boot. My previous attempts didn’t work and I’m hoping someone can point me in the right direction.
My current setup, created with the installer, is an unencrypted boot partition with the remaining partitions (swap, root, home) being LUKS1 encrypted and formatted as btrfs. As I understand from this issue, GRUB passes my typed password to the OS, since I never made a keyfile. If I also want to use this feature on the second drive, am I correct to think (based on my reading) that the new drive has to be LUKS1 and not LUKS2? If so, how do I go about this (e.g., from the YaST partitioner or from GRUB settings itself)? If this won’t really work or if it is more advisable to use LUKS2, is there a way to make a keyfile but place it somewhere on the encrypted partition of my original drive, such that it kicks in after my original drive decrypts?
I played around with this quite a bit myself, but after eventually messing things up in /etc/crypttab and /etc/fstab to the point that I locked myself out of booting and needed a rescue USB to restore my system (an educational but stressful experience), I thought I should ask for help. Any advice is greatly appreciated.
Instead of a very vague description you should have shown your actual configuration. Something like
lsblk -f
would be a good start.
You have not shown any information about what you did, so we cannot guess what went wrong.
Only for the device containing /boot which is on the root filesystem by default. And you mentioned swap that already does not fit here.
No, GRUB does not care about anything else and does not setup decryption of anything else.
Yes. You make a keyfile and place it on the (root) filesystem on your encrypted partition. I am not sure I understand the question.
Then show your current /etc/crypttab and /etc/fstab and what you intend to add to them and we can check if these additions are OK or suggest how they need to be changed.
Thank you very much for the feedback and helpful notes. I’ve seen other forum cultures where too much detail in the first post was frowned upon, so my intent was to leave things open to find out what needed elaboration.
Though it may seem simple, confirming for me that GRUB does not set up decryption was actually a huge help… I think I focused too much on the issue linked in my first post, and was concerned by not knowing whether potential GRUB updates had obsoleted the SDB instructions or not.
After reading your post, I began the process of re-attempting the setup and meticulously documenting it to post here, and this time I was actually successful. The reassurance that I should just try to set up a keyfile was great; I think my error last time was in arbitrarily experimenting with fstab and crypttab, without realizing I could hang up the system on boot.
Sorry for the double post, but the edit time had expired and it occurred to me that it might help anyone searching the forum in the future if I summarize my steps and include links to the sources I used. I don’t declare this to be best practice, but it worked for my use case:
I found the name of the new drive using lsblk -f, as mentioned above. In YaST partitioner, I selected it and pressed “Edit”. I selected “Raw Volume (unformatted)” for “Role” and then chose the settings I wanted (in my case, I formatted as Btrfs, checked “Encrypt Device”, checked “Mount Device”, mounted in /etc/fstab by UUID, and mounted as /extra). I chose LUKS 2 during the encryption setup and used the same password as my first drive.
After confirming the changes, I gave my user ownership of the mount point (see also this thread) by running:
sudo chown -R username /extra (replacing username with your username and /extra with your mount point)
I then followed the SDB instructions for creating a key file here. When editing /etc/crypttab, I added not only /.root.key but x-initrd.attach as well in the fourth column (the SDB has x-initrd.attach as well but technically only instructs you to add /.root.key to the third column).
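Because the lock-out described earlier in this thread came from hand-editing /etc/crypttab and /etc/fstab, here is an added example (not from the forum, openSUSE or systemd) of a small pre-reboot consistency check for the two files. The file contents, UUIDs and cr_* mapper names in it are constructed placeholders; it flags an fstab mapper device with no crypttab entry, a relative keyfile path, x-initrd.attach on a non-root volume whose keyfile lives on the root filesystem (the point made in the reply below about the initrd not carrying the key), and a non-root mount without nofail, and it checks that a keyfile is root-owned and unreadable by others.

```python
"""Sanity-check /etc/crypttab and /etc/fstab before rebooting.

Added example for this thread, not code from the forum, openSUSE or systemd.
The sample file contents, UUIDs and cr_* mapper names below are constructed.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed /etc/crypttab: root unlocked by passphrase at boot, second drive
# unlocked with a keyfile that lives on the (encrypted) root filesystem.
SAMPLE_CRYPTTAB = """\
# name      device                                      keyfile      options
cr_root     UUID=11111111-1111-4111-8111-111111111111   none         luks
cr_extra    UUID=22222222-2222-4222-8222-222222222222   /.root.key   luks,x-initrd.attach
"""

# Constructed /etc/fstab referring to the mapper devices above.
SAMPLE_FSTAB = """\
# device                mountpoint  type   options   dump pass
/dev/mapper/cr_root     /           btrfs  defaults  0 0
/dev/mapper/cr_extra    /extra      btrfs  defaults  0 0
"""

Problem = Tuple[str, str, str]  # (code, subject, explanation)


def _rows(text: str, min_fields: int) -> List[List[str]]:
    """Split a whitespace-separated config file into field lists, dropping comments."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < min_fields:
            raise ValueError(f"too few fields: {raw!r}")
        rows.append(fields)
    return rows


def parse_crypttab(text: str) -> Dict[str, dict]:
    """Mapper name -> {device, keyfile, options}; an absent or '-' keyfile means 'none'."""
    entries = {}
    for f in _rows(text, 2):
        keyfile = f[2] if len(f) > 2 and f[2] != "-" else "none"
        options = set(f[3].split(",")) if len(f) > 3 else set()
        entries[f[0]] = {"device": f[1], "keyfile": keyfile, "options": options}
    return entries


def parse_fstab(text: str) -> List[dict]:
    """List of {device, mountpoint, fstype, options} for each fstab line."""
    return [{"device": f[0], "mountpoint": f[1], "fstype": f[2],
             "options": set(f[3].split(","))} for f in _rows(text, 4)]


def find_problems(crypttab: Dict[str, dict], fstab: List[dict]) -> List[Problem]:
    """Cross-check the two files for the mistakes that leave a system unbootable."""
    problems: List[Problem] = []
    mapper_mounts = {}  # mapper name -> fstab entry
    for entry in fstab:
        m = re.fullmatch(r"/dev/mapper/(\S+)", entry["device"])
        if m:
            mapper_mounts[m.group(1)] = entry
    root_name = next((n for n, e in mapper_mounts.items() if e["mountpoint"] == "/"), None)

    # fstab refers to a mapper device that nothing sets up: boot waits for it.
    for name in mapper_mounts:
        if name not in crypttab:
            problems.append(("missing-crypttab", name,
                             f"fstab mounts /dev/mapper/{name} but crypttab has no entry for it"))

    for name, e in crypttab.items():
        if e["keyfile"] != "none" and not e["keyfile"].startswith("/"):
            problems.append(("relative-keyfile", name, "keyfile path must be absolute"))
        # x-initrd.attach moves the unlock into the initrd, which does not carry
        # a keyfile stored on the root filesystem unless you put it there.
        if name != root_name and e["keyfile"] != "none" and "x-initrd.attach" in e["options"]:
            problems.append(("initrd-key", name,
                             "x-initrd.attach with a keyfile: the initrd has no access to a key "
                             "on the root filesystem; drop the option or add the key to the initrd"))
        # A non-root volume that fails to unlock blocks boot unless fstab says nofail.
        mnt = mapper_mounts.get(name)
        if mnt and name != root_name and "nofail" not in mnt["options"]:
            problems.append(("no-nofail", mnt["mountpoint"],
                             "mount has no 'nofail'; a failed unlock drops to emergency mode"))
    return problems


def keyfile_mode_ok(st_mode: int, st_uid: int) -> bool:
    """A LUKS keyfile should be root-owned and unreadable by group and others."""
    return st_uid == 0 and (st_mode & 0o077) == 0


def check_keyfile(path: str) -> bool:
    """Stat a real keyfile (e.g. /.root.key) and apply keyfile_mode_ok."""
    st = os.stat(path)
    return keyfile_mode_ok(st.st_mode, st.st_uid)


if __name__ == "__main__":
    for code, subject, why in find_problems(parse_crypttab(SAMPLE_CRYPTTAB),
                                            parse_fstab(SAMPLE_FSTAB)):
        print(f"[{code}] {subject}: {why}")
```

Run against the constructed samples it reports two findings for the second drive: the x-initrd.attach/keyfile combination and the missing nofail. To check a real system, feed it the contents of /etc/crypttab and /etc/fstab and run check_keyfile on the keyfile path from the crypttab entry.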
And it is unlocked automatically? This option adds this LUKS device to the initrd, but the initrd does not normally have a key, you need to arrange for that additionally. Of course, if you use the same key for multiple LUKS devices and already added it to the initrd for some other device it will appear to work.
Initrd should handle only those devices that are needed to access and mount the root filesystem. Adding more stuff to it just complicates configuration and makes it more error-prone.