One password to mount two encrypted HDD

Hi

I’ve read the wiki page about mounting encrypted partitions but without success.

Here is what I’ve done so far.

  1. Fresh install of Tumbleweed on the SSD (sda) with LVM and LUKS with default layout created by the installer as described on the wiki page:
>sda                                                          8:0    0 111.8G  0 disk  
├─sda1                                                       8:1    0     8M  0 part  
└─sda2                                                       8:2    0 111.8G  0 part  
  └─cr_ata-Samsung_SSD_840_EVO_120GB_S1D5NSBDA60830Z-part2 254:0    0 111.8G  0 crypt 
    ├─system-root                                          254:1    0 100.1G  0 lvm   /var
    │                                                                                 /usr/local
    │                                                                                 /srv
    │                                                                                 /root
    │                                                                                 /opt
    │                                                                                 /home
    │                                                                                 /boot/grub2/i386-pc
    │                                                                                 /boot/grub2/x86_64-efi
    │                                                                                 /.snapshots
    │                                                                                 /
    └─system-swap                                          254:2    0  11.7G  0 lvm   [SWAP]
  1. So far so good. GRUB is asking for the password as expected.

  2. Now let's add a second HDD, also encrypted with LUKS, XFS file system, one volume with the size of the entire HDD (sdb), created with the YaST partitioner:

>sdb                                                          8:16   0 447.1G  0 disk  
└─sdb1                                                       8:17   0 447.1G  0 part  
  └─sdb1                                                   254:3    0 447.1G  0 crypt /media/Kingston500
  1. At this moment GRUB is asking for the password and then Plymouth or SDDM is asking to enter the password for the second hard drive (sdb). If the correct password is entered, I'm at SDDM, prompted to enter user credentials.
    The issue here is that I want to enter only one password to decrypt all hard drives (sda and sdb).

  2. According to the wiki page, I'm then:

  • creating a key file at /keyfile
  • bind the key file to sdb (HDD) partition
sudo cryptsetup luksAddKey /dev/sdb1 /keyfile
  • modifying the /etc/crypttab to add entry for sdb (the HDD)
cr_ata-Samsung_SSD_840_EVO_120GB_S1D5NSBDA60830Z-part2  UUID=6ea73192-534f-46ed-905d-e19875506684  /keyfile  x-initrd.attach
sdb1     /dev/disk/by-uuid/7fbad306-7fd3-4e97-bb45-f49bf61b579f  /keyfile  luks x-initrd.attach

  • create sdb entry to the /fstab (only sdb related entry shown below):
/dev/mapper/sdb1  /media/Kingston500     xfs    defaults               0       2
  • add the key file to the initrd
 echo -e 'install_items+=" /keyfile "' | sudo tee --append /etc/dracut.conf.d/99-root-key.conf > /dev/null
  • Rebuild the initrd
sudo dracut -f

Note:
I’m using the same password for sda, sdb, /keyfile and user account.
However, I’m still prompted for two decryption passwords: once at GRUB (which is fine) and again just before SDDM to decrypt sdb (the second hard drive), which I’m trying to decrypt with the keyfile instead.

What could be wrong or missing?

I’ve followed multiple tutorials (targeting other distros as well as Tumbleweed itself); they do almost every step the same, besides adding the key to the initrd with dracut, which I always did. But so far no success.

These are 5 fields. The /etc/crypttab line only has 4 fields.

Is this filesystem needed to access the root filesystem? If not, you do not need to add it to the initrd. See also "Can't shake the second password prompt on boot".

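The field-count problem pointed out in the reply can be checked mechanically. The following is an added example, not part of the thread or of any openSUSE tool: a POSIX shell function that lints entries against the crypttab(5) layout of name, device, optional key file, and a single comma-separated options field. The name `check_crypttab` is chosen here, and the sample input is the two entries quoted in the post.

```shell
#!/bin/sh
# Added example: lint crypttab(5) entries.
# Layout: name  device  [key-file]  [options], whitespace-separated,
# with ALL options in one comma-separated fourth field.

check_crypttab() {
    # Reads crypttab text on stdin, prints findings, returns 1 if any.
    n=0
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f              # no globbing while word-splitting the line
        set -- $line
        set +f
        # Skip blank lines and comments.
        [ "$#" -eq 0 ] && continue
        case "$1" in '#'*) continue ;; esac
        if [ "$#" -lt 2 ]; then
            echo "line $n: name and device are mandatory, got $# field(s)"
            found=1
        elif [ "$#" -gt 4 ]; then
            total=$#
            name=$1
            shift 3         # everything left was meant as options
            fixed=$(echo "$*" | tr ' ' ',')
            echo "line $n ($name): $total fields, expected at most 4; write options as one field: $fixed"
            found=1
        fi
    done
    return "$found"
}

# Sample input: the two entries from the post above.
check_crypttab <<'EOF' || echo "crypttab needs fixing"
cr_ata-Samsung_SSD_840_EVO_120GB_S1D5NSBDA60830Z-part2  UUID=6ea73192-534f-46ed-905d-e19875506684  /keyfile  x-initrd.attach
sdb1     /dev/disk/by-uuid/7fbad306-7fd3-4e97-bb45-f49bf61b579f  /keyfile  luks x-initrd.attach
EOF
```

On a live system the same function can be run as `check_crypttab < /etc/crypttab` before rebuilding the initrd.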