New user, disk encryption(second drive) question

Hi all,

After a monumental foul-up late last night, I’m switching across from Windows 10, not a newbie to Linux but new to Arch/Endeavouros and liking it very much so far.

I have 2 disks - used the encrypted install via LUKS through the installer to put the main OS on the SSD. I’d like to add my second HDD to the same - I’m not sure of the correct terminology here - LUKS group, so it’ll decrypt alongside my primary drive when I unlock the system at boot. I’ve done this for years with Windows and Bitlocker, but am struggling to get things right within Linux.

Thanks for any help!

Welcome to the community …

A couple of questions to clear up some things:

  1. Is your second device already encrypted?
  2. You probably want/need the device to automatically decrypt on boot without having to enter a second password?

Anyway, we’ll need some information: for starters please post the terminal output of the following commands …

sudo cat /etc/crypttab | grep -v "#"
sudo cat /etc/fstab | grep -v "#"
sudo blkid
lsblk
sudo cryptsetup luksDump <yourLuksDevice(s)> | grep "Slot"
with “<yourLuksDevice>” being something like /dev/sdb1

Empty drive.

That’s the hope. :slight_smile:

$ sudo cat /etc/crypttab | grep -v "#"
luks-cfb5a326-71fd-4a60-b2e5-50842a03d2b3 UUID=cfb5a326-71fd-4a60-b2e5-50842a03d2b3     /crypto_keyfile.bin luks
luks-f5e9d483-8ab4-4605-ac2e-a5d13c19067d UUID=f5e9d483-8ab4-4605-ac2e-a5d13c19067d     /crypto_keyfile.bin luks
$ sudo cat /etc/fstab | grep -v "#"
UUID=0CBD-B1E1                            /boot/efi      vfat    umask=0077 0 2
/dev/mapper/luks-cfb5a326-71fd-4a60-b2e5-50842a03d2b3 /              ext4    defaults,noatime 0 1
/dev/mapper/luks-f5e9d483-8ab4-4605-ac2e-a5d13c19067d swap           swap    defaults,noatime 0 2
tmpfs                                     /tmp           tmpfs   defaults,noatime,mode=1777 0 0
$ sudo blkid
/dev/sda1: UUID="0CBD-B1E1" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="518bb05f-93fd-554c-ba71-f7a38627ecbe"
/dev/sda2: UUID="cfb5a326-71fd-4a60-b2e5-50842a03d2b3" TYPE="crypto_LUKS" PARTUUID="5c8d2a1f-7a4c-df43-ae1f-094ca9bbdec3"
/dev/sda3: UUID="f5e9d483-8ab4-4605-ac2e-a5d13c19067d" TYPE="crypto_LUKS" PARTUUID="b8c8ddba-4960-b540-9db7-e231befc1853"
/dev/sdb: PTUUID="fc176ba7-b6a6-49ed-8964-1bef5e49bcff" PTTYPE="gpt"
/dev/mapper/luks-cfb5a326-71fd-4a60-b2e5-50842a03d2b3: UUID="d30a8dc8-3bd2-406b-b294-f39181dca1c2" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/luks-f5e9d483-8ab4-4605-ac2e-a5d13c19067d: UUID="02617d3d-ccd8-45f8-a5e5-8173e65573f1" TYPE="swap"
$ lsblk
NAME                                   MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                      8:0    0 476.9G  0 disk  
├─sda1                                   8:1    0   300M  0 part  /boot/efi
├─sda2                                   8:2    0 467.8G  0 part  
│ └─luks-cfb5a326-71fd-4a60-b2e5-50842a03d2b3
│                                      254:0    0 467.8G  0 crypt /
└─sda3                                   8:3    0   8.8G  0 part  
  └─luks-f5e9d483-8ab4-4605-ac2e-a5d13c19067d
                                       254:1    0   8.8G  0 crypt [SWAP]
sdb                                      8:16   0 931.5G  0 disk

$ sudo cryptsetup luksDump /dev/sdb1 | grep "Slot"
Device /dev/sdb1 does not exist or access denied.

There are no partitions on the second drive at the moment - I dropped the table after failing to make a configuration that worked properly. I’m running with KDE so have been using the partition editor included with it.

Thanks for your time!

OK, you’ll first have to set up encryption on the second device.

  1. Create an (unformatted) partition on sdb; probably easiest with gparted or your KDE partition editor.
  2. To encrypt this new partition with default encryption options (e.g. cipher, key length), run
    sudo cryptsetup -y -v luksFormat /dev/sdb1
  3. Map the device (temporarily) & format as ext4 (just as your root device)
    sudo cryptsetup open /dev/sdb1 crypttemp
    sudo mkfs.ext4 /dev/mapper/crypttemp

Check if the mapping works as intended:

  1. Temporarily mount to /mnt
    sudo mount /dev/mapper/crypttemp /mnt
    Try to access the mountpoint with your file manager!

  2. Unmount and unmap
    sudo umount /mnt
    sudo cryptsetup close crypttemp


Next steps will follow once you’ve set up the above.

  1. Add keyfile to the luks device
  2. Create mountpoint
  3. Add device to crypttab
  4. Add device to fstab
  • Where do you want to regularly mount the device (mountpoint, e. g. /mnt/cryptdata or similar)?
1 Like

I’ve done everything up to this point:

It appears to have worked perfectly, aside from the fact that I’m only able to create/edit files under the root account (but I was root when mounting the device, which I guess answers that query).

For a mount point - I’m easy. I guess /mnt/data, /media/data, or just /data would make sense to me. It’ll mainly be for storing things outside of the traditional home directory.

Thanks again!

  1. We’ll now add a keyfile for automatically chain-unlocking during boot. We’ll just reuse your existing keyfile.
    sudo cryptsetup luksAddKey /dev/sdb1 /crypto_keyfile.bin

  2. Create your mountpoint
    sudo mkdir -p /mnt/cryptdata

  3. Take note of the UUID
    sudo cryptsetup luksUUID /dev/sdb1

  4. Add device to crypttab
    sudo nano /etc/crypttab
    Add the following line …
    cryptdata UUID=<uuid-from-step3> /crypto_keyfile.bin luks

  5. Add device and mountpoint to fstab
    sudo nano /etc/fstab
    Add the following line …
    /dev/mapper/cryptdata /mnt/cryptdata ext4 defaults,noatime 0 2
    Instead of /dev/mapper/… you could also use the uuid here.


That should be all. The second encrypted device should be automatically unlocked once your root device is unlocked by password.

3 Likes
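An added example to go with the two replies above (the luksFormat/open/mkfs steps in the earlier reply and steps 1 to 5 here); it is not code from the thread. It touches no real devices: it only builds the crypttab and fstab lines from blkid-style output and checks the result, so it can be run before editing the real files. Hypothetical names used: mapper cryptdata, mountpoint /mnt/cryptdata, keyfile /crypto_keyfile.bin; SAMPLE_BLKID is constructed input modelled on the thread's blkid output, with a placeholder UUID for /dev/sdb1. It appends nofail to both entries, which the thread's lines do not have, so that a missing data disk or a rejected key does not drop the next boot into the emergency shell, and it assumes GNU stat for the permission check.

```shell
#!/bin/sh
# Added example, not from the forum thread. Generates and sanity-checks the
# /etc/crypttab and /etc/fstab entries for a second LUKS disk that is to be
# chain-unlocked with the root volume's keyfile. Assumed (hypothetical) names:
# mapper "cryptdata", mountpoint /mnt/cryptdata, keyfile /crypto_keyfile.bin.

# Constructed sample modelled on the thread's `sudo blkid` output; the sdb1
# UUID is a placeholder, not a real header UUID.
SAMPLE_BLKID='/dev/sda1: UUID="0CBD-B1E1" BLOCK_SIZE="512" TYPE="vfat"
/dev/sda2: UUID="cfb5a326-71fd-4a60-b2e5-50842a03d2b3" TYPE="crypto_LUKS"
/dev/sdb1: UUID="11111111-2222-4333-8444-555555555555" TYPE="crypto_LUKS"'

# Print the LUKS header UUID of $1 (e.g. /dev/sdb1) from blkid output on stdin,
# the same value `cryptsetup luksUUID $1` prints; nothing for non-LUKS devices.
luks_uuid_from_blkid() {
    awk -v dev="$1:" '
        $1 == dev && /TYPE="crypto_LUKS"/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID=/) { split($i, a, "\""); print a[2]; exit }
        }'
}

crypttab_line() {  # $1 mapper name, $2 LUKS UUID, $3 keyfile path
    # "luks" as in the thread; "nofail" (added here) keeps boot from waiting on
    # or failing over a data disk that is absent or whose key is rejected.
    printf '%s UUID=%s %s luks,nofail\n' "$1" "$2" "$3"
}

fstab_line() {  # $1 mapper name, $2 mountpoint
    # fsck pass 2 for a non-root filesystem; nofail for the same reason as above.
    printf '/dev/mapper/%s %s ext4 defaults,noatime,nofail 0 2\n' "$1" "$2"
}

# The keyfile opens every volume in crypttab once it is added to sdb1's header,
# so group and other must have no bits set (0600 or 0400). GNU stat assumed.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# List crypttab mapper names that no fstab line mounts: a mapping nothing uses
# usually means the two files disagree on the name.
unmounted_mappers() {  # $1 crypttab file, $2 fstab file
    awk '
        FNR == NR { if (NF && $1 !~ /^#/) want[$1] = 1; next }
        NF && $1 ~ /^\/dev\/mapper\// { sub(/^\/dev\/mapper\//, "", $1); delete want[$1] }
        END { for (n in want) print n }' "$1" "$2"
}

demo() {
    uuid=$(printf '%s\n' "$SAMPLE_BLKID" | luks_uuid_from_blkid /dev/sdb1)
    echo "crypttab: $(crypttab_line cryptdata "$uuid" /crypto_keyfile.bin)"
    echo "fstab:    $(fstab_line cryptdata /mnt/cryptdata)"
    tmp=$(mktemp -d)
    # Constructed files: the root entry plus the new one, but fstab "forgets" it.
    printf 'luks-root UUID=cfb5a326-71fd-4a60-b2e5-50842a03d2b3 /crypto_keyfile.bin luks\n' > "$tmp/crypttab"
    crypttab_line cryptdata "$uuid" /crypto_keyfile.bin >> "$tmp/crypttab"
    printf '/dev/mapper/luks-root / ext4 defaults,noatime 0 1\n' > "$tmp/fstab"
    echo "mapped but never mounted: $(unmounted_mappers "$tmp/crypttab" "$tmp/fstab")"
    rm -rf "$tmp"
}
demo
```

Two things the thread leaves implicit: after luksAddKey the keyfile unlocks all three volumes, so `ls -l /crypto_keyfile.bin` should show `-rw-------` and owner root (the mode check above covers the first half). And the root-only writes seen after the test mount are expected: the top directory of a freshly created ext4 filesystem belongs to root, so after the first real mount run `sudo chown "$USER": /mnt/cryptdata` (or create a user-owned subdirectory) to make the data disk usable by your normal account.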

Awesome. Thanks very much for your help, most appreciated! For whatever reason I just couldn’t get my head around this - makes a lot more sense now. Thanks again. :slight_smile:

(Sadly I can’t flag both the important replies as the solution. Sorry!)

1 Like