
In my Linux laptop I have two disks: one larger conventional HDD and a smaller but fast SSD.
On the SSD I've got a small unencrypted /boot partition containing kernels, initrd images, and GRUB. All remaining stuff (including the Linux /, swap, /home, ...) is in two LUKS encrypted pseudo devices. These are started at boot time using entries in /etc/crypttab. Everything works just fine.

But during booting, I have to enter two passphrases to activate both LUKS containers.

Since I've used the same passphrase for both disks, I'm now looking for a clever and secure way which allows me to start both disks by entering the passphrase only once during boot. Any ideas?

I already know that I could store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file. But I fear this key file might leak somehow (possibly it might show up in the initrd images on the unencrypted /boot partition?).

  • I don't suppose any initramfs generation utility (mkinitcpio, dracut...) would include /etc/crypttab in the initramfs, unless the user for some reason explicitly configures it to do so (but then that's a PEBKAC).
    – Tom Yan
    Commented Mar 23, 2016 at 18:49
  • That said, I would not be at all certain that crypttab would be reread at precisely the correct point in the mounting process, and, of course, if that file is compromised while the system is online, it can be used to recover the data later. (I don't have a solution to the OP's question though - indeed it's something I battled with as well)
    – davidgo
    Commented Mar 23, 2016 at 19:18
  • Today I found out that Michael Gebetsroither <[email protected]> has written a script for caching the passphrase. This script can be found here: github.com/gebi/keyctl_keyscript. Unfortunately I was yet unable to get this to work on my Kubuntu 14.04 LTS laptop. Maybe I will spend some more time fiddling with it later.
    – pefu
    Commented Mar 25, 2016 at 16:33
  • Additional update information: When I asked this question over 4 years ago, I was running Ubuntu Linux 14.04 LTS as I described in my previous comment. In February 2020 I installed Qubes OS on a new SSD and used the same LUKS passphrase as I already had on the other HDD. After editing the /etc/crypttab file and adding the additional HDD it worked out of the box: Qubes OS asks only once for the passphrase during boot.
    – pefu
    Commented May 2, 2020 at 15:17

2 Answers


That's not exactly the info you are looking for, but if you store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file, this info might help: I just checked and the key isn't present in the initrd file. AFAIK, it's only securely stored in the encrypted root filesystem, so this option might be a secure one after all.
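The check this answer describes ("the key isn't present in the initrd") is worth doing on every kernel update rather than once, because whether a key file lands in the initramfs depends on the generator's configuration: on Debian-based systems, for example, the cryptsetup-initramfs hook copies key files that match KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook into the image, and it may store them under a different name than the one in /etc/crypttab. The script below is an added example and not code from the question, either answer, or any distribution. It parses /etc/crypttab for key file paths, walks an initramfs image member by member (the usual layout of an uncompressed CPU-microcode cpio followed by a gzip- or xz-compressed cpio; zstd or lz4 images must be decompressed first), and reports any member that matches a key path or that contains the key bytes, so a renamed copy is caught too. It also flags a key file that is not root-only, since a key on the encrypted root is only as safe as its permissions once the system is up. The crypttab, UUIDs, device names, key file path and the image built by sample_initramfs() are constructed sample data, not from any real system.

```python
import gzip
import lzma
import os
import stat

CRYPTTAB_SAMPLE = """\
# constructed sample /etc/crypttab (hypothetical names and UUIDs): <target> <source> <key file> <options>
ssd_crypt   UUID=1b1e4f7a-0000-4000-8000-000000000001  none           luks,discard
hdd_crypt   UUID=1b1e4f7a-0000-4000-8000-000000000002  /root/hdd.key  luks
"""
KEY_MATERIAL = b"CONSTRUCTED-DEMO-KEY-NOT-A-REAL-SECRET-0123456789abcdef"

def parse_crypttab(text):
    """Return (target, source, keyfile, options) tuples; keyfile is None for 'none' or '-'."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        key = fields[2] if len(fields) > 2 and fields[2] not in ("none", "-") else None
        entries.append((fields[0], fields[1], key, fields[3] if len(fields) > 3 else ""))
    return entries

def keyfile_mode_problems(st_mode, st_uid):
    """Why a key file on disk is too exposed; [] means it is readable by root alone."""
    return ([] if st_uid == 0 else ["not owned by root"]) + (
        ["group/other permission bits set"] if st_mode & (stat.S_IRWXG | stat.S_IRWXO) else [])

def parse_cpio(data):
    """Parse one newc-format cpio archive; return (members, bytes left after TRAILER!!!)."""
    members, off = [], 0
    while True:
        if data[off:off + 6] != b"070701":
            raise ValueError(f"bad cpio header at offset {off}")
        hdr = data[off + 6:off + 110].decode("ascii")             # 13 fields of 8 hex digits
        filesize, namesize = int(hdr[48:56], 16), int(hdr[88:96], 16)
        name = data[off + 110:off + 110 + namesize - 1].decode("utf-8", "replace")
        data_start = (off + 110 + namesize + 3) & ~3               # name and data are 4-byte aligned
        off = (data_start + filesize + 3) & ~3
        if name == "TRAILER!!!":
            return members, data[off:]
        members.append((name, data[data_start:data_start + filesize]))

DECOMPRESSORS = {b"\x1f\x8b": gzip.decompress, b"\xfd7zXZ\x00": lzma.decompress}

def initramfs_members(data):
    """Yield (name, contents) from an image laid out as [uncompressed microcode cpio +] compressed cpio."""
    while data:
        if data.startswith(b"070701"):
            members, data = parse_cpio(data)
            yield from members
            data = data.lstrip(b"\0")                              # block padding between archives
            continue
        decompress = next((d for m, d in DECOMPRESSORS.items() if data.startswith(m)), None)
        if decompress is None:
            raise ValueError("not cpio and not gzip/xz; zstd or lz4 images need external decompression")
        data = decompress(data)

def audit(crypttab_text, initramfs_bytes, read_key):
    """Findings for each crypttab key file found in the image by path, or by content via read_key(path)."""
    keys = [(e[2], e[2].lstrip("/"), read_key(e[2])) for e in parse_crypttab(crypttab_text) if e[2]]
    findings = []
    for name, content in initramfs_members(initramfs_bytes):
        for path, rel, material in keys:
            if name.removeprefix("./").lstrip("/") == rel:
                findings.append(f"{path} is present in the initramfs as {name}")
            elif material and material in content:             # copied under another name by a hook
                findings.append(f"contents of {path} found in initramfs member {name}")
    return findings

def build_cpio(files):
    """Build a newc cpio from {name: bytes}; test-data generator, not a real initramfs tool."""
    out = bytearray()
    for name, content in list(files.items()) + [("TRAILER!!!", b"")]:
        nm = name.encode() + b"\0"
        out += b"070701" + ("%08x" * 13 % (0, 0o100644, 0, 0, 1, 0, len(content), 0, 0, 0, 0, len(nm), 0)).encode()
        out += nm + b"\0" * (-(len(out) + len(nm)) % 4)
        out += content + b"\0" * (-(len(out) + len(content)) % 4)
    return bytes(out)

def sample_initramfs(leak=None):
    """Constructed image; leak="path" puts the key at its crypttab path, "copy" under another name."""
    main = {"init": b"#!/bin/sh\nexec /sbin/init\n", "etc/crypttab": CRYPTTAB_SAMPLE.encode()}
    leaked_as = {"path": "root/hdd.key", "copy": "cryptroot/keyfiles/hdd_crypt.key"}.get(leak)
    if leaked_as:
        main[leaked_as] = KEY_MATERIAL
    early = build_cpio({"kernel/x86/microcode/GenuineIntel.bin": b"\0" * 16})
    return early + b"\0" * (-len(early) % 512) + gzip.compress(build_cpio(main))

if __name__ == "__main__":   # usage: audit_initramfs.py /etc/crypttab /boot/initrd.img-<release>
    import sys
    def read_key(path):      # also flags lax permissions on the key file itself
        st = os.stat(path)
        for problem in keyfile_mode_problems(st.st_mode, st.st_uid):
            print(f"{path}: {problem}")
        return open(path, "rb").read()
    with open(sys.argv[1]) as ct, open(sys.argv[2], "rb") as img:
        print("\n".join(audit(ct.read(), img.read(), read_key)) or "no crypttab key files in the initramfs")
```

Run it as root against the live system, e.g. `python3 audit_initramfs.py /etc/crypttab /boot/initrd.img-$(uname -r)` (the script name is hypothetical; the initrd filename follows the Debian/Ubuntu convention, adjust for other distributions). An empty result means neither the key path nor the key bytes occur in that image; any finding means the key is readable by whoever can read the unencrypted /boot partition, and the key slot should be treated as exposed and removed with `cryptsetup luksKillSlot` or `luksRemoveKey`. On Debian-based systems the quicker name-only check is `lsinitramfs /boot/initrd.img-$(uname -r) | grep hdd.key`, but it does not see a key copied under another name.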


For reference this guide worked for me like a charm: https://davidyat.es/2015/04/03/encrypting-a-second-hard-drive-on-ubuntu-14-10-post-install/

I just followed the steps and it works :)
