In my Linux laptop I've two disks:
One larger conventional HDD and a smaller but fast SSD.
On the SSD I've got a small unencrypted /boot partition containing kernels, initrd images, and GRUB. All remaining stuff (including the Linux /, swap, /home, ...) is in two LUKS encrypted pseudo devices. These are started at boot time using entries in /etc/crypttab. Everything works just fine.
But during booting, I have to enter two passphrases to activate both LUKS containers.
Since I've used the same passphrase for both disks I'm now looking for a clever and secure way which allows me to start both disks by entering the passphrase only once during boot. Any ideas?
I already know that I could store the passphrase for the second disk in a keyfile on the already encrypted root filesystem on the SSD and refer to it in the /etc/crypttab file. But I fear this key file might leak somehow (possibly it might show up in the initrd images on the unencrypted /boot/ partition?).
/etc/crypttab to the initramfs, unless the user for some reason explicitly configures it to do so (but then that's a PEBKAC).
/etc/crypttab file and adding the additional HDD it worked out of the box: Qubes OS asks only once for the passphrase during boot.
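The question's worry that a key file named in /etc/crypttab could end up in an initrd image on the unencrypted /boot can be checked directly. The script below is an added example, not code from any poster on this page; its function names are hypothetical, and it assumes the initrd has already been unpacked into a directory (for instance with unmkinitramfs on Debian/Ubuntu) and that it runs as a user who can read the key file.

```shell
#!/bin/sh
# Added example: look for copies of crypttab key files in an unpacked initramfs.
# Assumption: the image was unpacked beforehand, e.g. on Debian/Ubuntu with
#   unmkinitramfs /boot/initrd.img-<version> /tmp/initrd

# Print the key file column (3rd field) of every crypttab entry that names a
# file, skipping comments, blank lines and "none"/"-" (passphrase prompt).
crypttab_keyfiles() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF >= 3 && $3 != "none" && $3 != "-" { print $3 }
    ' "$1"
}

# Print every regular file below DIR that is byte-identical to KEYFILE.
# Comparing content also catches copies that were renamed when packed.
keyfile_copies() {
    keyfile=$1
    dir=$2
    find "$dir" -type f | while IFS= read -r f; do
        if cmp -s "$keyfile" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Check all key files from CRYPTTAB against the unpacked initramfs in DIR.
# Prints "LEAK <keyfile> -> <copy>" per hit; returns 1 if there was any hit.
check_initramfs() {
    hits=$(crypttab_keyfiles "$1" | while IFS= read -r kf; do
        [ -r "$kf" ] || continue    # unreadable or missing key file: skip
        keyfile_copies "$kf" "$2" | while IFS= read -r copy; do
            printf 'LEAK %s -> %s\n' "$kf" "$copy"
        done
    done)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Usage (as root): check_initramfs /etc/crypttab /tmp/initrd
```

Run it again after every kernel or initramfs update, since the image on /boot is regenerated each time.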