
#1 2014-11-09 03:54:07

brianbaligad
Member
Registered: 2013-08-12
Posts: 22

[SOLVED] btrfs balanced encrypted root

I like the mirroring provided by btrfs balance. I also like using encrypted root partitions. Today I thought it'd be a great idea to combine the two, and have an encrypted and balanced root partition. Except it looks like mkinitcpio will only decrypt one device before trying to mount the root partition. Is there any workaround for this? I did try using a comma to pass two values to cryptdevice, but that does not appear to be valid with the current version.

Right now I have two drives with two partitions. One on each is for boot, and the second is a LUKS-encrypted volume. After decrypting one of the volumes on boot, it fails to load the root partition because one of the btrfs members is still missing (the second encrypted volume).

Last edited by brianbaligad (2014-11-09 18:36:23)


#2 2014-11-09 13:16:21

EscapedNull
Member
Registered: 2013-12-04
Posts: 129

Re: [SOLVED] btrfs balanced encrypted root

Usually this is accomplished with LUKS on LVM (https://wiki.archlinux.org/index.php/Dm … iple_disks). There was also a patch of the mkinitcpio hook "crypt" that allowed for a comma-separated list of cryptdevices, but I can't find it at the moment, and it won't really be relevant until it goes upstream.


#3 2014-11-09 14:45:44

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: [SOLVED] btrfs balanced encrypted root

You want mkinitcpio-encrypt-multi from the AUR. It will let you declare multiple "cryptdevice=" entries in your bootloader's kernel parameters, then check for every encrypted volume you explicitly declare.

You'll be prompted for passphrases for each encrypted volume unless you use a keyfile. I'd recommend using a static, nondescript file, located on the unencrypted /boot partition, as a keyfile for every volume after the first so you only need to enter one passphrase. Some examples:

- If you boot via UEFI and use gummiboot, a dummy boot menu entry could work.
- If you boot via rEFInd, one of the OS logo images would probably be a good choice. I don't use rEFInd myself, though, so I don't know how often those images might change.
- I used to use the background image from my Syslinux menu as a keyfile, since it never changed. The same would work for GRUB.

Always make sure you have a viable backup before mucking around with LUKS keys.

Last edited by ANOKNUSA (2014-11-09 14:47:45)
