Ubuntu: automatic password for second encrypted disk
I just ran into the problem that I have to type two passwords at startup, one for each of two encrypted disks. My first disk was encrypted by the Ubuntu installer. After some searching I found what looked like the perfect solution for this: in German it is called "Schlüsselableitung", in English a derived key (the key for the second disk is derived from the first disk's key, so only one passphrase is needed). But perfect solutions often have one big issue that keeps them from working, and this is such a case: I am using Ubuntu 16.04, which boots with systemd, and that has problems with derived keys. So I went with the second best solution for me, a key file. Some people argue that this is a security issue, but the derived key is just as obtainable with root rights as a key file is. And by the way, the private keys of your certificates are stored on those disks too, and hardly anybody complains about that.
I assume the following setup:
- You are using LUKS
- Your whole system is encrypted with the option you can select when installing Ubuntu (or something similar; encrypting only the home directory does not count here). Otherwise your key file is readable by anyone with physical access to your computer.
- You have a second disk that is already encrypted (sda1 in my case)
- You will take care of the actual mounting yourself
So let's do it. First we create a key file of 4 KiB (4096 random bytes, far more key material than the passphrase slot holds), which is more than enough.
sudo mkdir /root/keyfiles
sudo dd if=/dev/urandom of=/root/keyfiles/data_lux bs=1024 count=4
Next we forbid any access for any user except root: the directory gets 0700 and the key file 0400. Otherwise the bad guys could steal the key file and decrypt your sensitive data.
sudo chmod 0700 /root/keyfiles
sudo chmod 0400 /root/keyfiles/data_lux
Now we add the key file to the second disk (ironically sda1 in my case). To do that you have to type in a passphrase that can already unlock the drive; the existing passphrase stays valid, the key file only gets a key slot of its own.
sudo cryptsetup luksAddKey /dev/sda1 /root/keyfiles/data_lux
The only thing missing now is the automatic part; if you rebooted right now you would see no difference. For the automation we need the PARTUUID or the UUID of the drive. The difference between the two is that the PARTUUID belongs to the partition table entry, so it stays the same even if you reformat the partition, while the UUID shown here comes from the LUKS header and changes if the partition is encrypted again from scratch. If you don't see a PARTUUID, your partition table does not provide one (GPT always does), and you can use the UUID instead.
blkid /dev/sda1
#Output: /dev/sda1: UUID="3260f97b-ddcf-42f3-95c2-383260736da1" TYPE="crypto_LUKS" PARTUUID="667c1593-99ac-413a-9f03-c4d1ee87c8c4"
Now the only thing left on the way to a world without multiple password prompts is to add the magic line to /etc/crypttab. I use the PARTUUID, but you can replace it with the UUID if you want (or need) to. crypttab takes the value without the quotes that blkid prints; the fields are the mapper name, the source device, the key file and the options.
data_lux PARTUUID=667c1593-99ac-413a-9f03-c4d1ee87c8c4 /root/keyfiles/data_lux luks
After a reboot you will be prompted for one password, and your second encrypted disk should show up in /dev/mapper/ as data_lux. Of course you can change that name; if you want to, just replace every data_lux in this tutorial with your favourite name. From here on I use KDE's automatic mount options to mount the disk at startup.
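The whole procedure above as one script, an added example that is not part of the original tutorial. It performs the same steps (key file under /root/keyfiles, luksAddKey, blkid, crypttab) and adds the checks I would want before trusting a reboot: it refuses to run unless / sits on an encrypted device, verifies the key file mode, verifies the new key slot with cryptsetup --test-passphrase without activating the device, and writes the crypttab entry in the unquoted PARTUUID=/UUID= form. The function names, the script name luks-keyfile.sh and the /root/keyfiles layout are assumptions of this example; the blkid line used in the comments is the one from the tutorial.

```shell
#!/bin/bash
# Added example: automate the key-file setup from the tutorial with checks.
# Function names and the /root/keyfiles layout are assumptions of this example.

# Reject any key file that group or others can read (any of the 077 bits set).
keyfile_perms_ok() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Turn one line of blkid output into the crypttab source field: prefer
# PARTUUID=... (partition-table identity, survives reformatting), fall back to
# UUID=... (LUKS header identity). blkid's quotes are dropped; crypttab wants none.
# Example input: /dev/sda1: UUID="3260f97b-..." TYPE="crypto_LUKS" PARTUUID="667c1593-..."
source_spec_from_blkid() {
    local spec
    spec=$(printf '%s\n' "$1" | sed -n 's/.*[[:space:]]PARTUUID="\([^"]*\)".*/PARTUUID=\1/p')
    [ -n "$spec" ] || spec=$(printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/UUID=\1/p')
    [ -n "$spec" ] || return 1
    printf '%s\n' "$spec"
}

# Build the crypttab entry: <mapper name> <source> <key file> <options>.
crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# True if the root file system has a dm-crypt device somewhere below it
# (LVM on LUKS as set up by the Ubuntu installer counts). Without this the
# key file would be readable by anyone who boots the machine from a live USB.
root_is_encrypted() {
    local src
    src=$(findmnt -no SOURCE /)
    src=${src%%\[*}                      # strip a btrfs "[/subvol]" suffix if present
    lsblk -sno TYPE "$src" | grep -qw crypt
}

main() {
    set -e
    local dev=$1 name=${2:-data_lux}
    local keyfile="/root/keyfiles/$name"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    root_is_encrypted || { echo "refusing: / is not on an encrypted device" >&2; return 1; }

    mkdir -p /root/keyfiles
    chmod 0700 /root/keyfiles
    if [ ! -f "$keyfile" ]; then
        # 4 KiB of random key material; the umask keeps it unreadable from the start.
        (umask 077; dd if=/dev/urandom of="$keyfile" bs=1024 count=4 status=none)
    fi
    chown root:root "$keyfile"
    chmod 0400 "$keyfile"
    keyfile_perms_ok "$keyfile"

    # Adds a new key slot; prompts for an existing passphrase of the volume.
    cryptsetup luksAddKey "$dev" "$keyfile"
    # Verify the new slot without activating the device (works while it is open).
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"

    local spec line
    spec=$(source_spec_from_blkid "$(blkid "$dev")")
    line=$(crypttab_line "$name" "$spec" "$keyfile")
    grep -qxF "$line" /etc/crypttab 2>/dev/null || printf '%s\n' "$line" >> /etc/crypttab
    # Let systemd's cryptsetup generator pick up the new entry; it can then be
    # started without a reboot: systemctl start systemd-cryptsetup@<name>.service
    systemctl daemon-reload
    echo "crypttab entry: $line"
}

# Only act when a device is given: sudo ./luks-keyfile.sh /dev/sda1 data_lux
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Run it as root with the device and the mapper name, e.g. `sudo ./luks-keyfile.sh /dev/sda1 data_lux`. Afterwards `sudo systemctl start systemd-cryptsetup@data_lux.service` unlocks the disk from the new crypttab entry without a reboot, so you can confirm that /dev/mapper/data_lux appears before you rely on it at boot.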
My Sources: