Luks a second physical disk

Hello, I’m trying to follow the process described here: New user, disk encryption(second drive) question - #5 by nutcracker, for using a second drive with LUKS.

I have managed to do all the first steps, but now when I do sudo cryptsetup luksAddKey /dev/nvme0n1 /crypto_keyfile.bin I get the following error message (after entering my password): Failed to open key file.

This is the right password, because when I enter a wrong one I get this error: No key available with this passphrase.

I have the following setup so far:

➜  ~ sudo cat /etc/crypttab | grep -v "#"
luks-a725650d-253a-4132-906b-dadfaa5694f4 UUID=a725650d-253a-4132-906b-dadfaa5694f4     /crypto_keyfile.bin luks
luks-aa860854-c524-47f8-a712-2f47ac75590a UUID=aa860854-c524-47f8-a712-2f47ac75590a     /crypto_keyfile.bin luks

➜  ~ sudo cat /etc/fstab | grep -v "#"
UUID=4184-1709                            /efi           vfat    fmask=0137,dmask=0027 0 2
/dev/mapper/luks-a725650d-253a-4132-906b-dadfaa5694f4 /              ext4    noatime    0 1
/dev/mapper/luks-aa860854-c524-47f8-a712-2f47ac75590a swap           swap    defaults   0 0
tmpfs                                     /tmp           tmpfs   defaults,noatime,mode=1777 0 0

➜  ~ sudo blkid
/dev/mapper/luks-aa860854-c524-47f8-a712-2f47ac75590a: LABEL="swap" UUID="292153c2-6238-457e-8779-319902715d51" TYPE="swap"
/dev/mapper/luks-a725650d-253a-4132-906b-dadfaa5694f4: LABEL="endeavouros" UUID="a531319c-7401-49f0-8854-1cb8ea7b7f65" BLOCK_SIZE="4096" TYPE="ext4"
/dev/nvme1n1p2: UUID="a725650d-253a-4132-906b-dadfaa5694f4" TYPE="crypto_LUKS" PARTLABEL="endeavouros" PARTUUID="ed6c5b29-7ade-4294-a1fe-44178a0ccfe9"
/dev/nvme1n1p3: UUID="aa860854-c524-47f8-a712-2f47ac75590a" TYPE="crypto_LUKS" PARTUUID="43aa16e8-e01a-4ff8-ab1d-16b2f9cf3b1f"
/dev/nvme1n1p1: UUID="4184-1709" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="d1313594-55b4-4398-97c3-7c4bd53fefd7"
/dev/nvme0n1: UUID="269d9581-c858-4323-b207-0c041034fd16" TYPE="crypto_LUKS"
➜  ~ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme1n1                                       259:0    0 465,8G  0 disk  
├─nvme1n1p1                                   259:2    0  1000M  0 part  /efi
├─nvme1n1p2                                   259:3    0 447,9G  0 part  
│ └─luks-a725650d-253a-4132-906b-dadfaa5694f4 254:0    0 447,9G  0 crypt /
└─nvme1n1p3                                   259:5    0  16,9G  0 part  
  └─luks-aa860854-c524-47f8-a712-2f47ac75590a 254:1    0  16,9G  0 crypt [SWAP]
nvme0n1                                       259:1    0 465,8G  0 disk  
➜  ~ sudo cryptsetup luksDump /dev/nvme0n1 | grep "Slot"
➜  ~ 

When I try to open the disk with the KDE partition manager, the password works.

You probably don’t have a keyfile generated.

/crypto_keyfile.bin would be a file. If ls /crypto_keyfile.bin returns no such file or directory you need to create the keyfile first.

You’re totally right.

But I handled the first disk (encrypted too) via the EOS installer, and when I boot, everything works for this disk.
So I don’t understand why the /crypto_keyfile.bin doesn’t exist. Plus, the path for the keyfile in /etc/crypttab is the same.

So normally this keyfile should exist, no?

If you use systemd-boot, it isn’t needed so it isn’t created.

Ok, and I need a keyfile because the second drive is loaded after systemd-boot, is that right?

Sorry for all the questions, but I want to fully understand what I have to do and how it works ^^

So for creating a key, I need to do: sudo dd if=/dev/urandom of=/container-key bs=512 count=8, then I need to rerun sudo cryptsetup luksAddKey /dev/nvme0n1 /container-key?

Ok, I have reset my PC with a fresh EOS install after some mistakes (I put the result of lsblk and co. at the end of the post).

So far I have been trying to follow the Arch wiki.

I have done the following:

  • via the kde partition manager GUI
    • delete the old partition
    • created a new one ext4 non luks
  • via the cmd
    • sudo cryptsetup luksFormat /dev/nvme1n1p1
    • delete all the disk = YES
    • then I have entered the password
  • then I try to open it
    • cryptsetup open /dev/nvme1n1p1 samus > ok
  • next I created my filesystem
    • sudo mkfs.ext4 /dev/mapper/samus
  • then I try to mount it manually
    • sudo mount /dev/mapper/samus /home/a2n/samus > ok
    • sudo umount /home/a2n/samus > ok
    • sudo cryptsetup close samus > ok
  • finally I try to unlock & mount the drive at boot time
    • with lsblk -f I get my UUID
    • I add this line to /etc/crypttab: samus UUID=1234 none timeout=180. Here I understand that the none is for forcing a password prompt to appear and the timeout is for the prompt itself (and not for systemd)
    • I add this line to /etc/fstab: /dev/mapper/samus /home/a2n/samus ext4 defaults 0 0
  • Then I reboot

The result so far is: at boot I’m asked with the two password prompts for my main disk (nvme0n1) but no prompt at all for the second drive (nvme1n1), and if I open the mount point I have the right drive mounted but in root access only.

What can I do (or what have I done wrong) to get my disk mounted with non-root access? And why is the password not prompted?

The password is the same across the two disks, but normally it’s only passed if the timeout option is set to none, no (**)?

** If I understand correctly the tips in the wiki: “If a device in crypttab uses a previously entered password, the third parameter can be set to none and the cached password will be automatically used.”

[a2n@tux-inf ~]$ lsblk -f
NAME                                    FSTYPE      FSVER LABEL       UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme1n1                                                                                                                   
└─nvme1n1p1                             crypto_LUKS 2                 06b8d2f9-0e10-468b-940e-473c603986f1                
  └─samus                               ext4        1.0               41085c09-5fde-4d14-a6b7-8f90f0d4831b  434,1G     0% /home/a2n/samus
nvme0n1                                                                                                                   
├─nvme0n1p1                             vfat        FAT32             115E-5519                             913,8M     8% /efi
├─nvme0n1p2                             crypto_LUKS 2                 80ab0c9b-6bc1-47eb-a801-743c15c99d45                
│ └─luks-80ab0c9b-6bc1-47eb-a801-743c15c99d45
│                                       ext4        1.0   endeavouros 82b40ecd-49b2-47da-8751-87a6337fd339  409,5G     2% /
└─nvme0n1p3                             crypto_LUKS 2                 aacb3bbf-3e79-4817-b896-9014e541be2a                
  └─luks-aacb3bbf-3e79-4817-b896-9014e541be2a
                                        swap        1     swap        91640090-214d-424e-a87f-1bb1ade505a6                [SWAP]
[a2n@tux-inf ~]$ sudo cat /etc/crypttab | grep -v "#"
luks-80ab0c9b-6bc1-47eb-a801-743c15c99d45 UUID=80ab0c9b-6bc1-47eb-a801-743c15c99d45     /crypto_keyfile.bin luks
luks-aacb3bbf-3e79-4817-b896-9014e541be2a UUID=aacb3bbf-3e79-4817-b896-9014e541be2a     /crypto_keyfile.bin luks
samus                                     UUID=06b8d2f9-0e10-468b-940e-473c603986f1     none timeout=180

[a2n@tux-inf ~]$ sudo cat /etc/fstab | grep -v "#"
UUID=115E-5519                                          /efi              vfat    fmask=0137,dmask=0027   0 2 
/dev/mapper/luks-80ab0c9b-6bc1-47eb-a801-743c15c99d45   /                 ext4    noatime                 0 1 
/dev/mapper/luks-aacb3bbf-3e79-4817-b896-9014e541be2a   swap              swap    defaults                0 0 
tmpfs                                                   /tmp              tmpfs   noatime,mode=1777       0 0 
/dev/mapper/samus               /home/a2n/samus   ext4    defaults                0 0
[a2n@tux-inf ~]$ sudo blkid
/dev/mapper/luks-aacb3bbf-3e79-4817-b896-9014e541be2a: LABEL="swap" UUID="91640090-214d-424e-a87f-1bb1ade505a6" TYPE="swap"
/dev/nvme0n1p3: UUID="aacb3bbf-3e79-4817-b896-9014e541be2a" TYPE="crypto_LUKS" PARTUUID="76cb9908-b663-4b38-9ef6-b6d01a7e471e"
/dev/nvme0n1p1: UUID="115E-5519" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="52452db1-c1b3-41e6-b186-ddb7509734b6"
/dev/nvme0n1p2: UUID="80ab0c9b-6bc1-47eb-a801-743c15c99d45" TYPE="crypto_LUKS" PARTLABEL="endeavouros" PARTUUID="253666ec-3eaf-440c-b74b-417f0896a09a"
/dev/mapper/samus: UUID="41085c09-5fde-4d14-a6b7-8f90f0d4831b" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/luks-80ab0c9b-6bc1-47eb-a801-743c15c99d45: LABEL="endeavouros" UUID="82b40ecd-49b2-47da-8751-87a6337fd339" BLOCK_SIZE="4096" TYPE="ext4"
/dev/nvme1n1p1: UUID="06b8d2f9-0e10-468b-940e-473c603986f1" TYPE="crypto_LUKS" PARTUUID="f9bafcf0-996a-4ad9-8a7b-7a52540940e4"
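
The first reply traces the luksAddKey failure to /etc/crypttab naming a key file that was never created. As an added example (not part of the thread), this POSIX shell function classifies each crypttab entry by key source and flags key files that are missing or readable by group or others. The ROOT argument, the verdict strings and the demo's empty root are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report how each crypttab entry gets its key.
# Fields per crypttab(5): name, device, key file, options.

# audit_crypttab FILE [ROOT] -> one "<name> <verdict>" line per entry.
# ROOT (an assumption of this example) is prepended to key file paths so the
# check can run against a mounted image or a test directory.
audit_crypttab() (
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac     # blank line or comment
        case ${key:-none} in
            none|-)  echo "$name passphrase" ;;     # no key file configured
            /dev/*)  echo "$name device-key" ;;     # e.g. /dev/urandom for throwaway swap
            *)
                path=${2:-}${key%%:*}               # drop optional ":<device>" suffix
                if [ ! -e "$path" ]; then
                    echo "$name keyfile-missing"    # the "Failed to open key file" case
                elif [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
                    echo "$name keyfile-too-open"   # group or others hold a permission bit
                else
                    echo "$name keyfile-ok"
                fi ;;
        esac
    done < "$1"
)

# Constructed sample: the three entries from the second crypttab listing, checked
# against an empty root, i.e. a system where the key file was never created.
demo() (
    root=$(mktemp -d) || exit 1
    cat > "$root/crypttab" <<'EOF'
luks-80ab0c9b-6bc1-47eb-a801-743c15c99d45 UUID=80ab0c9b-6bc1-47eb-a801-743c15c99d45     /crypto_keyfile.bin luks
luks-aacb3bbf-3e79-4817-b896-9014e541be2a UUID=aacb3bbf-3e79-4817-b896-9014e541be2a     /crypto_keyfile.bin luks
samus                                     UUID=06b8d2f9-0e10-468b-940e-473c603986f1     none timeout=180
EOF
    audit_crypttab "$root/crypttab" "$root"
    rm -rf "$root"
)

# With arguments, audit the given file (e.g. /etc/crypttab, as root); otherwise run the demo.
if [ "$#" -gt 0 ]; then audit_crypttab "$@"; else demo; fi
```

Any key file created for a crypttab entry should show up as keyfile-ok, which means it carries no group or other permission bits (for example mode 600, owned by root).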