If you have a Linux machine with and SSD for one part of the filesystem, but need HDDs for the large storage capacity, encryption can become a pretty huge pain.
If you encrypt multiple filesystems across multiple disks, LVM is the proper choice, but you have a solid state disk you want to keep for it’s intended purpose: Booting your system quickly and making applications launch as fast as possible. If you keep all drives in LVM, some data will end up on physical volumes and slow your rig down.
So how do we boot our system without needing two or more LUKS passphrases on boot? How do we make it so one password rules them all?
/etc/crypttab is like
fstab for your encrypted filesystem
components, and it’s really easy to get the hang of. Just a
disclaimer: Using a single LUKS passphrase to unlock all drives is
technically less safe than using a different passphrase for each
drive, but it is way more convenient. That’s the ever-long battle:
Convenience vs Security.
If you have cryptsetup
installed, you should have
/etc/crypttab in place already, just with
everything commented out. The provided examples make this pretty easy
to figure out:
# <name> <device> <password> <options> # home UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37 /etc/mypassword1 # data1 /dev/sda3 /etc/mypassword2 # data2 /dev/sda5 /etc/cryptfs.key # swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 # vol /dev/sdb7 none
From this file, we can see that the LUKS volume named
home has a
specific UUID and a keyfile located at
LUKS volume is encrypted randomly on each boot by
vol LUKS volume has
none in the password field, meaning it will
ask you for a password at mount time.
crypttab, we can use the combination of a single passphrase for
the root drive (your SSD), then keyfiles for the rest of the encrypted
/dev/urandomand make a 5MB base64-encoded keyfile. While it would be more secure to use
/dev/random, this will take a very very long time. Use it if you feel it is neccessary, but keep in mind, this is a single-passphrase boot, if your passphrase is poor, no amount of
/dev/randomwill save you.
dd if=/dev/urandom bs=1M count=5 | base64 > ~/.HDDkey
cryptsetup luksFormat -d ~/.HDDkey /dev/sde
cryptsetup luksOpen -d ~/.HDDkey /dev/sdd BigStorage
mkfs.ext4 -L BigStorage /dev/mapper/BigStorage
cryptsetup luksClose BigStorage
/etc/crypttabso it will automatically unlock
/etcfilesystem is available:
BigStorage UUID=c7792c2a-78fb-425a-8971-6df1c5d5b79c /home/samurailink3/.HDDkey
BigStorageis going to be the name of the LUKS device exposed in
/etc/fstabshould look like if you want to mount it somewhere specific, with user and exec access.
/dev/mapper/BigStorage /run/media/samurailink3/BigStorage ext4 user,exec 0 0
/run/media/samurailink3/BigStorage/. What I like to do is symlink out folders from my existing home directory to the larger drive for big files that don’t need fast access, like video files or music. Here’s an
ls -l ~for an example:
lrwxrwxrwx 1 samurailink3 samurailink3 44 May 24 09:33 SteamLibrary -> /run/media/samurailink3/BigData/SteamLibrary lrwxrwxrwx 1 samurailink3 samurailink3 35 May 24 09:33 tmp -> /run/media/samurailink3/BigData/tmp lrwxrwxrwx 1 samurailink3 samurailink3 38 May 24 09:33 Videos -> /run/media/samurailink3/BigData/Videos
Now you have all of your system drives encrypted, with one passphrase. Pretty convenient and way more secure than running with just one drive encrypted.