#1 2019-08-06 17:45:52

natervance
Member
Registered: 2017-04-20
Posts: 53

[Solved] Multiple encrypted disks

Hi all,

I have a laptop with both a SSD and a HD. I would like to put root on the SSD, and /home on the HD. I would also like to encrypt the whole deal (except for /boot). In the past when dealing with a single disk, I used LVM on LUKS. When moving to two disks I would like to have the following benefits:

* Only type the passphrase once when booting
* If one drive fails, the data on the other is recoverable (e.g., with my single passphrase).

There is a blogpost here which details a setup where root (on the SSD) is unlocked via a passphrase, and then a keyfile stored on root is used to automatically decrypt and mount the partitions on the HD. The downside for this setup is that I will lose the data on the HD when the SSD fails. And if I back up the keyfile, then that needlessly weakens security.

Another option is to do LVM on LUKS for both disks. The ideal setup (in my use case) would be to use the same passphrase for both disks, and somehow configure cryptsetup to open both disks when I type it on boot. I don't see any reason why this wouldn't be technically possible, but I also don't see a way to achieve this in a standard way (i.e., without hacking a boot script together that reads in the passphrase and echoes it into two cryptsetup invocations).

Any help is much appreciated!

Last edited by natervance (2019-08-06 18:26:46)

#2 2019-08-06 18:01:26

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Re: [Solved] Multiple encrypted disks

natervance wrote:

And if I back up the keyfile, then that needlessly weakens security.

"needlessly" is a mischaracterisation. Everything vis-a-vis security is a tradeoff, not an absolute. Backing up a keyfile is, in my view, well worth the attendant risk.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

#3 2019-08-06 18:08:41

loqs
Member
Registered: 2014-03-06
Posts: 17,324

Re: [Solved] Multiple encrypted disks

systemd will store passwords used for cryptsetup in the keyring and reuse them when opening other encrypted devices.
If you use the sd-encrypt hook and have / unlocked in the initrd then the key will be in the keyring to unlock /home later.

#4 2019-08-06 18:19:38

frostschutz
Member
Registered: 2013-11-15
Posts: 1,417

Re: [Solved] Multiple encrypted disks

I have never tested it with archlinux/mkinitcpio, but caching passphrase and re-using is a feature of systemd so using systemd sd-encrypt hooks might just make it work w/o doing anything else.

natervance wrote:

The downside for this setup is that I will lose the data on the HD when the SSD fails.

LUKS supports multiple passphrases/keyfiles for a reason. Even if you prefer keyfiles, it's good to have a backup passphrase for emergencies. (Or you could put the literal passphrase in the keyfile - just make sure there is no newline at the end).

You're not supposed to lose anything, unless... destroying some physical key and losing access to data is a feature you're going for...

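As a worked illustration of what loqs and frostschutz describe above (an added example, not code from any poster and not Arch's own hook scripts): a POSIX shell sketch of the pieces involved. It emits the mkinitcpio HOOKS line using the systemd-based hooks, the /etc/crypttab.initramfs entries for both volumes so the passphrase typed for root is tried on /home from the keyring before prompting again, a writer for a passphrase-in-keyfile that avoids the trailing newline frostschutz warns about, a check for that newline, and the luksAddKey step for a backup passphrase. Device UUIDs and paths are placeholders; the hook name `lvm2` assumes a current lvm2 package (older packages shipped the systemd variant as `sd-lvm2`).

```shell
#!/bin/sh
# Added example (not from the thread): root on SSD, /home on HD, both LUKS,
# one passphrase at boot via systemd's keyring cache (sd-encrypt hook).
set -eu

# HOOKS line for /etc/mkinitcpio.conf. The systemd-based hooks replace the
# busybox ones: systemd for udev, sd-vconsole for keymap/consolefont,
# sd-encrypt for encrypt. 'lvm2' assumes a current lvm2 package; older
# packages shipped the systemd variant as 'sd-lvm2'.
mkinitcpio_hooks() {
  printf 'HOOKS=(base systemd autodetect modconf keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)\n'
}

# /etc/crypttab.initramfs is what sd-encrypt embeds in the initrd. Both
# volumes use 'none' (prompt). systemd caches the passphrase typed for the
# first volume in the kernel keyring and tries it on the second before
# prompting again, so the same passphrase on both headers means one prompt.
# $1 / $2 are the LUKS partition UUIDs (placeholders; take them from blkid).
crypttab_initramfs() {
  printf 'cryptroot  UUID=%s  none  luks\n' "$1"
  printf 'crypthome  UUID=%s  none  luks\n' "$2"
}

# Keyfile holding the literal passphrase (frostschutz's variant). echo would
# append '\n' and the file would no longer match the typed passphrase;
# printf '%s' writes exactly the bytes given. umask keeps it root-only.
# $1 = passphrase, $2 = output path
write_passphrase_keyfile() {
  umask 077
  printf '%s' "$1" > "$2"
}

# Check: is the last byte of a keyfile 0x0a (newline)? Returns 0 if so.
keyfile_has_trailing_newline() {
  [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Add a backup passphrase to a spare key slot on each header and show the
# slot table, so a lost keyfile does not mean lost data. Needs root and real
# devices, so it is only run when called explicitly.
add_backup_passphrase() {
  for dev in "$@"; do
    cryptsetup luksAddKey "$dev"    # prompts for an existing and then the new passphrase
    cryptsetup luksDump "$dev" | grep -E '^Key Slot|^ +[0-9]+: luks2'
  done
}

# Print the config fragments with placeholder UUIDs when invoked as a script.
if [ "${1:-}" = "--show" ]; then
  mkinitcpio_hooks
  crypttab_initramfs "ROOT-UUID-PLACEHOLDER" "HOME-UUID-PLACEHOLDER"
fi
```

After editing mkinitcpio.conf and crypttab.initramfs, regenerate the initrd (`mkinitcpio -P`) and check on the next boot that only one prompt appears; if /home still prompts, the two headers do not share a passphrase and `add_backup_passphrase` on the /home device is the place to add the shared one.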

#5 2019-08-06 18:25:48

natervance
Member
Registered: 2017-04-20
Posts: 53

Re: [Solved] Multiple encrypted disks

Thank you loqs and frostschutz for the tips; I was unaware of those features. I'll try the sd-encrypt hook, and fall back to LUKS with both a keyfile and my backup passphrase if that doesn't work.
