After a monumental foul-up late last night, I’m switching across from Windows 10, not a newbie to Linux but new to Arch/EndeavourOS and liking it very much so far.
I have 2 disks - used the encrypted install via LUKS through the installer to put the main OS on the SSD. I’d like to add my second HDD to the same - I’m not sure of the correct terminology here - LUKS group, so it’ll decrypt alongside my primary drive when I unlock the system at boot. I’ve done this for years with Windows and BitLocker, but am struggling to get things right within Linux.
$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 476.9G  0 disk
├─sda1                                          8:1    0   300M  0 part  /boot/efi
├─sda2                                          8:2    0 467.8G  0 part
│ └─luks-cfb5a326-71fd-4a60-b2e5-50842a03d2b3 254:0    0 467.8G  0 crypt /
└─sda3                                          8:3    0   8.8G  0 part
  └─luks-f5e9d483-8ab4-4605-ac2e-a5d13c19067d 254:1    0   8.8G  0 crypt [SWAP]
sdb                                             8:16   0 931.5G  0 disk
$ sudo cryptsetup luksDump /dev/sdb1 | grep "Slot"
Device /dev/sdb1 does not exist or access denied.
There are no partitions on the second drive at the moment - I dropped the table after failing to make a configuration that worked properly. I’m running with KDE so have been using the partition editor included with it.
It appears to have worked perfectly, aside from I’m only able to create/edit files under the root account (but I was root when mounting the device, which I guess answers that query).
For a mount point - I’m easy. I guess /mnt/data, /media/data, or just /data would make sense to me. It’ll mainly be for storing things outside of the traditional home directory.
1. We’ll now add a keyfile for automatically chain-unlocking during boot. We’ll just reuse your existing keyfile.
   $ sudo cryptsetup luksAddKey /dev/sdb1 /crypto_keyfile.bin
2. Create your mountpoint
   $ sudo mkdir -p /mnt/cryptdata
3. Take note of the UUID
   $ sudo cryptsetup luksUUID /dev/sdb1
4. Add device to crypttab
   $ sudo nano /etc/crypttab
   Add the following line …
   cryptdata UUID=<uuid-from-step3> /crypto_keyfile.bin luks
5. Add device and mountpoint to fstab
   $ sudo nano /etc/fstab
   Add the following line …
   /dev/mapper/cryptdata /mnt/cryptdata ext4 defaults,noatime 0 2
Instead of /dev/mapper/… you could also use the uuid here.
That should be all. The second encrypted device should be automatically unlocked once your root device is unlocked by password.
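The steps above make /crypto_keyfile.bin able to unlock both volumes and rely on the crypttab name matching the /dev/mapper path in fstab. The following check for both points is an added example, not part of the original reply; the function names, the ROOT prefix argument and the all-zero UUID are assumptions made for illustration.

```sh
#!/bin/sh
# Static audit of the chain-unlock setup. ROOT is a hypothetical prefix so a
# copy of the files can be checked; pass "" to audit the live system as root.
check_chain_unlock() {
    root=$1; problems=0; names=" "
    # crypttab fields: <name> <device> <keyfile> <options>
    while read -r name _device keyfile _opts; do
        case $name in ''|\#*) continue ;; esac
        names="$names$name "
        case $keyfile in ''|none|-) continue ;; esac  # passphrase prompt, no keyfile
        key=$root$keyfile
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $keyfile not found"
            problems=$((problems + 1))
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            # Whoever can read the keyfile can unlock every volume it was added to
            echo "$name: keyfile $keyfile has group/other permission bits set"
            problems=$((problems + 1))
        fi
    done < "$root/etc/crypttab"
    # fstab fields: <source> <mountpoint> ...; each /dev/mapper source must
    # match a crypttab name (assumes no LVM volumes under /dev/mapper)
    while read -r src mnt _rest; do
        case $src in /dev/mapper/*) ;; *) continue ;; esac
        case $names in
            *" ${src#/dev/mapper/} "*) ;;
            *) echo "$mnt: $src has no matching crypttab name"
               problems=$((problems + 1)) ;;
        esac
    done < "$root/etc/fstab"
    return "$problems"
}

# Constructed sample: the thread's crypttab line with a placeholder UUID, a
# world-readable keyfile, and an fstab entry with a misspelled mapper name.
demo() {
    d=$(mktemp -d) && mkdir "$d/etc"
    echo 'cryptdata UUID=00000000-0000-0000-0000-000000000000 /crypto_keyfile.bin luks' > "$d/etc/crypttab"
    echo '/dev/mapper/cryptdat /mnt/cryptdata ext4 defaults,noatime 0 2' > "$d/etc/fstab"
    : > "$d/crypto_keyfile.bin"; chmod 644 "$d/crypto_keyfile.bin"
    rc=0; check_chain_unlock "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "problems found: $?"
```

The exit status is the number of findings, so the constructed sample reports two and a clean configuration returns 0.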
Awesome. Thanks very much for your help, most appreciated! For whatever reason I just couldn’t get my head around this - makes a lot more sense now. Thanks again.
(Sadly I can’t flag both the important replies as the solution. Sorry!)