8

Here is the configuration I have:
- 2 hard drives
- the first one is encrypted using LUKS and LVM.

I'd like to add a second hard drive to the encrypted volume group. I have successfully installed it and encrypted it. But when I boot, I have to enter 2 passphrases to decrypt both hard drives.

Isn't there a way to use only one?

AlBundy
  • 121
  • 4

4 Answers

4

I finally found a trick to enter only one password and have all my physical disks encrypted.

I encrypt the first one with a passphrase, and the second one using a keyfile that I store on the first hard drive (/root/mykeyfile).

And with the correct lines in the /etc/crypttab file, it does the trick.

Update /etc/crypttab:

sda5_crypt UUID=fb07f1e8-a569-4db9-9fd7-fc1994e093b5 none luks
sdb1_crypt UUID=4c0687f0-d7af-4f2e-9c57-5ca8e909d492 /root/mykeyfile luks

AlBundy
  • 121
  • 4
  • **dd if=/dev/urandom of=/root/mykeyfile bs=1024 count=20** This is an example of how to create a random string to be used as a 'keyfile'. – earthmeLon May 22 '12 at 01:57
  • 1
    The problem with this is that a compromise involving access to your filesystem (e.g. permissions issue or something minor) would result in key compromise, a much bigger issue. I recommend strongly against this practice. See my answer for a better (and automatic) method. – sneak Jan 30 '14 at 04:52
  • Could you explain how this is supposed to work? Does LVM start in degraded mode and then fix itself once the second PV is available? – aij Jan 06 '15 at 23:17
0

On Ubuntu, it's possible to use a derived key from the root as an additional key on other filesystems. This has the benefit of keeping your key for the other drives out of the filesystem itself.

Before doing this, first off, make sure /tmp is mounted on RAM only! I suggest single-user mode for this change.

mount -t ramfs none /tmp

Then, you can export the derived key:

# replace vda5_crypt with the cryptsetup name of your root luks
# have a look in /dev/mapper or 'pvdisplay' to find it...
/lib/cryptsetup/scripts/decrypt_derived vda5_crypt > /tmp/key

And then add it to your other device(s):

# use your own disks here instead of sdb1 sdc1 sdd1 etc
cryptsetup luksAddKey /dev/sdb1 /tmp/key
cryptsetup luksAddKey /dev/sdc1 /tmp/key
cryptsetup luksAddKey /dev/sdd1 /tmp/key
rm /tmp/key

This will enable the Ubuntu init scripts to use the derived key once the root is unlocked to unlock the rest of the block devices and make them available similarly under /dev/mapper. I'm not sure if they require /etc/crypttab entries - try them without first, and if they don't appear, put them into crypttab without a key and it should unlock them.

(I haven't tested any of this.)

sneak
  • 178
  • 7
  • I tried without crypttab on Debian, and it did not work. Even with crypttab it isn't working, but I've gotten closer. sdb3_crypt UUID=4a... sda3_crypt luks,initramfs,keyscript=decrypt_derived. The initramfs option is needed in order to get the decrypt_derived script included in the initramfs. But it's still failing to load at startup. – aij Jan 07 '15 at 02:51
-1

You can theoretically set a temporary environmental variable in a custom boot script which is then referenced by the initialization scripts for your decryption process. I actually did this a few years ago.

Your other option is to axe your existing init scripts for your hard drive and write a custom one which inputs your password once and then proceeds with the two decryption processes.

As an alternative you might be able to extend your LVM volume to the second drive. If I remember correctly the encryption should carry over.

Tim Brigham
  • 15,465
  • 7
  • 72
  • 113
  • 1
    The LVM is built on top of the underlying encrypted volume. Expanding the LVM without creating another encrypted volume wouldn't encrypt the additional storage added to the volume group. – sneak Jan 30 '14 at 04:49
-2

No, there is no way to do that out-of-the box.

cstamas
  • 6,607
  • 24
  • 42