I recently bought a new computer on which there are 2 SSD. I wanted to have my /home on my secondary disk.
When I installed EndeavourOS, I’m not sure if I didn’t pay enough attention or if it was just not suggested but I completely forgot about my second disk.
So I formatted it after installation with mkfs.ext4. Then I encrypted it with LUKS. When I try to mount it/unmount it, it works. So everything is fine, until this step.
Now I want it to be unencrypted at boot time, so like with my first SSD, I want to be prompted to unencrypt it.
When I reboot, there is something about a job running with my luks-home but it eventually gets killed and I get prompted an emergency console in which I comment the line I added in my fstab and crypttab to be able to boot again.
I noticed I don’t have mkinitcpio, I have dracut.
And if that matters, I don’t use grub, I use systemd-boot.
I am a very beginner. I am not sure I can follow along everything. For example, I think I got what fstab and crypttab are but I don’t understand what dracut is. Also grub/systemd-boot is something I never was able to understand. Hopefully, this episode might help me to understand the basics of how my computer boot.
It is possible to have the second disk automatically unencrypted on boot. This is done by storing the key for the 2nd drive, on the 1st and referencing that key from /etc/crypttab.
If you’re interested in this method, let me know and I’ll share further details on how I’ve achieved it.
I hadn’t ! I tried dracut --force tho but it didn’t change anything.
Just tried to run sudo reinstall-kernels. The command went well but after rebooting it didn’t go well.
I was asked to unencrypt my first SSD as habits. Never have I seen a request to unlock my second SSD. The UUID wasn’t the one of my second SSD.
Also I went into an emergency mode and there was no fstab. I had /etc/fstab.empty. My /etc/crypttab didn’t look the same so I kind of panicked but remained calm.
I rebooted my computer. And I managed to see the same thing I used to see : a job trying to do whatever with my second SSD (I can’t remember the exact message everytime. But in my memory it is something about loading it).
Of course, it failed and got into emergency mode and could remove the lines in fstab and crypttab.
Then I rebooted, I was asked for my password to open my computer and log in to my session but Plasma would not load. I panicked again and just rebooted it, jumped into a terminal instead of logging in and rerun sudo reinstall-kernels and here I am back, talking to you.
My feeling is that the first emergency with the fstab.empty may have happened because I mistyped my password ? I don’t know. But since it was reproductible, I think it is not a big deal. And the second feeling is that the command did not work so maybe I have to run this command but something is missing ?
It is interesting indeed! I can also try this solution. Either typing it or having it stored and unencrypted on boot automatically is a good solution to be because in both case, I’ll learn something new!
Ok, so this method will generate a new key for decrypting your 2nd LUKS volume, that will be stored on your encrypted root volume.
LUKS supports multiple keys per encrypted volume (LUKS = 8 keys, LUKS2 = 32 keys). I expect you’ve already set one of those keys with your existing passphrase to unlock it. That one will remain and will be essential in recovery situations. The key that will be stored on your root volume and used to automatically unlock your 2nd LUKS volume, will be an additional key.
You need to confirm what device you’re working with, and it’s respective UUID. Run this, find your second volume (eg: nvme1n1), and make note of the details. I will be using nvme1n1 in all examples, but make sure you change them to the name of your 2nd LUKS volume.
lsblk -f
Eg:
NAME FSTYPE UUID
nvme1n1 crypto_LUKS 2 ee12fda5-7e9d-4dc5-bed9-c19b261b39ac
Randomly generate a random key, and save it to /root/lukskey:
Confirm that key has been added. You should have at least 2 keyslots defined when you run this command. First is your existing passphrase, the second is the new key just added:
cryptsetup luksDump /dev/nvme1n1
Define your volume and its passkey in /etc/crypttab.
It didn’t work with the key, so I figured out I had to take a step back and first make it prompt for a password at boot.
I realized it was a depency issue, which was written in the logs I could see with journalctl -xb after logging as root in emergency mode.
So for anyone reading this having a dependency issue with LUKS encryption at boot, you may have used the wrong UUID in your /etc/crypttab. The UUID you are looking for can be found with sudo blkid.
It is also present with the command lsblk -o NAME,UUID,TYPE,MOUNTPOINTS but you gotta look at the correct UUID (that is what I failed doing).
Thanks everyone who helped!
Edit: there was no need to run sudo reinstall-kernels or any other command.
