💾 Archived View for sylvaindurand.org › decrypt-several-drives-at-boot › index.gmi captured on 2022-04-29 at 11:22:38. Gemini links have been rewritten to link to archived content
The previous articles showed how to set up a fully encrypted system that can also be unlocked remotely when needed. In both cases, a single passphrase is enough to decrypt the main disk and start the system:
Arch Linux with full encryption
Remotely unlock an encrypted system
In my case, however, several other hard disks are also encrypted, and not necessarily with the same passphrase: here we will see how to decrypt all of them at boot with a single password, the one that already unlocks the main disk.
To do this, I create a random 64-byte key, stored on the main (encrypted) disk so that it is only readable once the root filesystem has been unlocked:
```
head -c 64 /dev/urandom > /root/.data.key
chmod 600 /root/.data.key
```
The `chmod` should follow immediately: between the two commands the file has the permissions given by the current umask, which is usually world-readable.
Assuming that the disk to be decrypted is `/dev/sda1`, I then tell `cryptsetup` to add this file as an additional key (the existing passphrase keeps its own slot):
```
cryptsetup -v luksAddKey -i 1 /dev/sda1 /root/.data.key
```
`-i` is `--iter-time`, the PBKDF cost in milliseconds for the new key slot. A value of 1 is acceptable here only because the key file holds 512 bits of random data, so brute force against the PBKDF is pointless; never use it for a slot protected by a human-chosen passphrase.
For the disk to be decrypted at boot time, I add an entry to `/etc/crypttab`. This file is read as plain text, so the UUID has to be pasted in as a literal value (obtained with `blkid -o value -s UUID /dev/sda1`), not written as a shell substitution:
```
# /etc/crypttab
data  UUID=<uuid printed by blkid for /dev/sda1>  /root/.data.key
```
And the corresponding mount in `/etc/fstab`:
```
# /etc/fstab
/dev/mapper/data  /media/data  ext4  rw,noatime  0  2
```
At boot time, once the root filesystem has been decrypted and mounted, the `/etc/crypttab` entry unlocks `/dev/sda1` with the key file and `/etc/fstab` then mounts the mapped device at `/media/data`. The key file is only as secure as the root disk it lives on: anyone who can unlock the root, or read it as root, can decrypt this disk too.
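The whole procedure, strung together into one script, as an added example that is not code from the original article. The function name `setup_data_drive`, the argument order (device, mapper name, mount point, optional key path) and the default key path `/root/.<name>.key` are assumptions of this example; the `cryptsetup`, `blkid`, `/etc/crypttab` and `/etc/fstab` conventions are the ones used above.

```sh
#!/bin/sh
# Added example (not from the original article): generates the key file,
# adds it to the LUKS header, checks that it actually unlocks the disk,
# then registers the crypttab and fstab entries. Argument names and the
# default key path are assumptions of this example.
set -eu

# Build a crypttab entry: <name> UUID=<uuid> <keyfile> <options>.
# crypttab is a static file, so the UUID must be the literal value.
crypttab_line() {
    printf '%s UUID=%s %s luks' "$1" "$2" "$3"
}

# Build the matching fstab entry for the mapped device.
fstab_line() {
    printf '/dev/mapper/%s %s %s rw,noatime 0 2' "$1" "$2" "$3"
}

# Accept only a real UUID (8-4-4-4-12 hex) so a typo or an unexpanded
# shell substitution can never end up in crypttab.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Append a line to a file unless it is already there (safe to re-run).
append_once() {
    grep -qsF -- "$1" "$2" && return 0
    printf '%s\n' "$1" >> "$2"
}

setup_data_drive() {
    dev=$1 name=$2 mnt=$3
    key=${4:-/root/.$name.key}
    if [ ! -f "$key" ]; then
        # umask 077 before writing: the key is never world-readable, not even briefly
        ( umask 077 && head -c 64 /dev/urandom > "$key" )
    fi
    chmod 600 "$key"
    # -i 1 (1 ms of PBKDF) is acceptable only because the key file carries
    # 512 bits of entropy; the passphrase slot keeps its own cost.
    # cryptsetup prompts for the current passphrase here.
    cryptsetup -v luksAddKey -i 1 "$dev" "$key"
    # Refuse to touch crypttab if the new slot does not unlock the disk.
    cryptsetup open --test-passphrase --key-file "$key" "$dev"
    uuid=$(blkid -o value -s UUID "$dev")
    is_uuid "$uuid" || { echo "no UUID found for $dev" >&2; return 1; }
    append_once "$(crypttab_line "$name" "$uuid" "$key")" /etc/crypttab
    append_once "$(fstab_line "$name" "$mnt" ext4)" /etc/fstab
    mkdir -p "$mnt"
}

# Usage (as root): ./setup-data-drive.sh /dev/sda1 data /media/data [/root/.data.key]
if [ "$#" -ge 3 ]; then
    setup_data_drive "$@"
fi
```

The `--test-passphrase` check is the step most worth keeping: it proves the new slot opens the header before the machine is rebooted with a crypttab entry that depends on it.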