some time ago i had an issue – i started to use (RAIDed) SSD disks for main system and (also RAIDed) HDD disks for storage of larger pieces of data. of course both encrypted. and that's the tricky place – entering password for both disks at boot time!
if i already have main disk encrypted, cannot i just read password off it, to automatically decrypt the second one? it turns out you can. :)
dd if=/dev/random of=/path/to/key.bin bs=4096 count=1 iflag=fullblock
cryptsetup luksFormat /dev/my-disk /path/to/key.bin
now the last part is to add a proper entry to crypttab, so that disk automatically gets decrypted during boot (shortly after “/” gets decrypted). add entry like this, to the /etc/crypttab file:
my_crypt_dev_2 UUID=xxx-xxx-xxx-xxxx /path/to/key.bin luks
you can check UUID for your disks by checking out links in udev:
ls -l /dev/disk/by-uuid/
note that even though you can now automatically decrypt 2nd disk with off-disk password file, it's still a good idea to assign password to it (eg. in case you lose access to the password-file). fortunately LUKS offers multiple passwords out of the box, so this is not a problem. :)
cryptsetup luksAddKey --key-file /path/to/key.bin /dev/my-disk
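the key file is only as secret as its file permissions (and the encrypted disk it lives on), so it's worth checking every key file that crypttab points at. the script below is an added example, not part of the original post: the function name audit_crypttab and its two arguments are made up for it, and it assumes GNU stat and root-owned key files.

```sh
#!/bin/sh
# added example: audit key files named in a crypttab-style file.
# audit_crypttab and its arguments are hypothetical names for this sketch.
# usage: audit_crypttab [crypttab-path] [expected-owner-uid]
# prints one line per problem; returns 0 if clean, 1 on problems, 2 if unreadable.

audit_crypttab() {
    tab=${1:-/etc/crypttab}
    want_uid=${2:-0}                    # assumption: key files belong to root
    rc=0
    [ -r "$tab" ] || { echo "cannot read $tab" >&2; return 2; }
    # crypttab fields: <name> <device> <key file> <options>
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac           # blank line or comment
        case "$key" in ''|none|-|/dev/*) continue ;; esac   # no key file on disk
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"; rc=1; continue
        fi
        mode=$(stat -L -c '%a' "$key")  # octal mode, e.g. 400 (GNU stat)
        owner=$(stat -L -c '%u' "$key") # numeric uid of the owner
        case "$mode" in
            0|*00) ;;                   # no bits set for group/other
            *) echo "$name: $key has mode $mode, group/other can access it"; rc=1 ;;
        esac
        [ "$owner" = "$want_uid" ] ||
            { echo "$name: $key is owned by uid $owner, expected $want_uid"; rc=1; }
    done < "$tab"
    return "$rc"
}
```

run it as root with no arguments to check /etc/crypttab; a key file flagged here can be tightened with chmod 0400 and chown root.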
happy encrypting! :)