Access Encrypted External HD on both Main/Headless Machines

Before I mess things up, figured it would be wise to ask the Linux Gurus about this.
Have a Raspberry Pi 4 running Arch-Arm, and the main system running EOS, all good and dandy.
The Pi has an external HD (4TB) that is used for backups, among other things, etc, but it is not encrypted (yet). Figured the best way to protect my data would be to encrypt said HD to be on the safe side, which brings us to the crux of the problem.

Have a general idea on how to encrypt the drive using LUKS, but would like to auto-mount it at boot, to avoid typing a password (since the Pi is headless), but also, want to mount it on the main laptop for easy access in case of traveling, troubleshooting, etc.

To sum it up:

  1. Encrypt external HD with LUKS
  2. Create key to auto-mount encrypted volume on a headless setup (Pi) and un-mount to close partition.
  3. Be able to mount encrypted HD on a different system for troubleshooting, data access, etc.

What would be the suggested course to follow here?
Looking forward to hear your suggestions :slight_smile:

You can use multiple key slots on the same luks volume. You can add a keyfile in one slot and passphrase another. Then store the keyfile on the headless machine and use it to unlock. If you want to use the drive anywhere else, use the passphrase.

The obvious downside is that anyone who gets access to both the RPi and the drive will be able to unlock it since it will auto-unlock and the keyfile isn’t stored encrypted. As long as you aren’t overly concerned about that particular attack vector, it should work fine.

That’s interesting. Well, not worried about a break-in (though it could happen).
The way I see it, the key could be stored on the Pi’s memory card, and not the HD itself, to it can reside in the /root partition, and as long as the memory card isn’t present the HD cannot be encrypted.

Not very knowledgeable about encryption, and would have to read up on it.
Perhaps you know of a good tutorial to follow, other than the ArchWiki itself?