====== 2016-12-04 - multi-disk encryption ======

{{ :blog:2016:12:04:ssd.jpg?350|SSD}}
{{ :blog:2016:12:04:hdd.jpg?300|HDD}}

some time ago i had an issue -- i started to use ([[wp>RAID|RAIDed]]) [[wp>SSD]] disks for the main system and (also [[wp>RAID|RAIDed]]) [[wp>Hard disk drive|HDD]] disks for storage of larger pieces of data. of course both are encrypted. and that's the tricky part -- entering a password for both disks at boot time! if i already have the main disk encrypted, can't i just read the password off it, to automatically decrypt the second one?

it turns out you can. :) generate a random key file, stored on the already-encrypted main disk, and format the second disk with it:

  dd if=/dev/random of=/path/to/key.bin bs=4096 count=1
  cryptsetup luksFormat /dev/my-disk /path/to/key.bin

now the last part is to add a proper entry to //crypttab//, so that the disk automatically gets decrypted during boot (shortly after "/" gets decrypted). add an entry like this to the /etc/crypttab file:

  my_crypt_dev_2 UUID=xxx-xxx-xxx-xxxx /path/to/key.bin luks

you can check the [[wp>UUID]] for your disks by looking at the links created by [[wp>udev]]:

  ls -l /dev/disk/by-uuid/

note that even though you can now automatically decrypt the 2nd disk with an off-disk password file, it's still a good idea to assign a password to it (e.g. in case you lose access to the password file). fortunately [[wp>LUKS]] offers multiple passwords out of the box, so this is not a problem. :)

  cryptsetup luksAddKey --key-file /path/to/key.bin /dev/my-disk

happy encrypting! :)
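
since the key file from the crypttab entry above unlocks the second disk without any prompt, it is worth checking that it exists and is not readable by group or other users. the script below is an added example, not part of the original post: ''audit_crypttab'' and ''demo'' are hypothetical helper names, and the sample crypttab and key files are constructed in a temporary directory.

```shell
#!/bin/sh
# added example (not from the original post): audit key files named in a
# crypttab-format file. audit_crypttab is a hypothetical helper name.
audit_crypttab() {
    tab=$1
    problems=0
    # crypttab fields: <name> <device> <key file> <options>
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac    # blank line or comment
        case $key in ''|none|-) continue ;; esac   # passphrase prompt, no key file
        if [ ! -f "$key" ]; then
            echo "MISSING $name $key"
            problems=$((problems + 1))
            continue
        fi
        # characters 5-10 of the ls mode string are the group and other bits
        perms=$(ls -ld -- "$key" | cut -c5-10)
        if [ "$perms" = "------" ]; then
            echo "OK $name $key"
        else
            echo "EXPOSED $name $key (group/other bits: $perms)"
            problems=$((problems + 1))
        fi
    done < "$tab"
    # exit status is the number of entries that need attention
    return "$problems"
}

# constructed sample: one protected key, one world-readable key, one missing key
demo() {
    d=$(mktemp -d)
    : > "$d/good.bin"; chmod 400 "$d/good.bin"
    : > "$d/weak.bin"; chmod 644 "$d/weak.bin"
    cat > "$d/crypttab" <<EOF
# <name>        <device>               <key file>   <options>
main_crypt      UUID=xxx-xxx-xxx-xxxx  none         luks
my_crypt_dev_2  UUID=xxx-xxx-xxx-xxxx  $d/good.bin  luks
my_crypt_dev_3  UUID=xxx-xxx-xxx-xxxx  $d/weak.bin  luks
my_crypt_dev_4  UUID=xxx-xxx-xxx-xxxx  $d/gone.bin  luks
EOF
    rc=0
    audit_crypttab "$d/crypttab" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "entries needing attention: $?"
```

on a real system, run ''audit_crypttab /etc/crypttab'' as root; the check covers permission bits only, not file ownership or ACLs.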