I just ran into the problem that I have to type two passwords at startup, one for each of two encrypted disks. My first disk was encrypted by the Ubuntu installer. After some searching I found the perfect solution for this: in German it is called "Schlüsselableitung", in English derived keys. But perfect solutions often have one big issue that stops them from working, as is the case here. I am using Ubuntu 16.04, which uses systemd, and systemd has problems with derived keys. So I went with the second-best solution for me: a key-file. Some people argue that this is a security issue, but the derived key is also obtainable with root rights, just like a key-file. And by the way, the private keys of your certificates are also stored on those disks and almost nobody complains about that.
I assume the following setup:
- You are using LUKS
- Your whole system is encrypted with the option you can select when installing Ubuntu (or similar; home directory encryption does not count here). Otherwise your key-file is accessible to anyone with physical access to your computer.
- You have a second disk that is already encrypted (sda1 in my case)
- You will take care of the actual mounting yourself
So let's do it. First we create a key-file with 4069 Bit, which should be enough.
sudo mkdir /root/keyfiles
sudo dd if=/dev/urandom of=/root/keyfiles/data_lux bs=1024 count=4
Next we forbid access for every user except root. Otherwise the bad guys can steal the key-file and decrypt your sensitive data.
sudo chmod -R 0400 /root/keyfiles/
Now we add the key-file to the second disk, which, ironically, is sda1 in my case. In order to do that, you have to type in one password that is capable of decrypting the drive.
sudo cryptsetup luksAddKey /dev/sda1 /root/keyfiles/data_lux
The only thing missing now is the automatic part. If you rebooted now, you would see no difference.
For the automation we need the UUID or PARTUUID of the drive. The difference between the two is that the PARTUUID stays the same even if you format the drive. If you don't see a PARTUUID, you are not using GPT as the partition table, but you can use the UUID instead.
blkid /dev/sda1
Output:
/dev/sda1: UUID="3260f97b-ddcf-42f3-95c2-383260736da1" TYPE="crypto_LUKS" PARTUUID="667c1593-99ac-413a-9f03-c4d1ee87c8c4"
Now the only thing standing between you and a world free of (multiple) password prompts is to add the magic line to
I use the PARTUUID, but you can replace it with the UUID if you want (or need) to.
data_lux PARTUUID="667c1593-99ac-413a-9f03-c4d1ee87c8c4" /root/keyfiles/data_lux luks
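The whole procedure above, reproduced offline as an added shell example (this is not the author's code): it creates the 4 KiB key-file, checks that its mode is really 0400, picks the PARTUUID from a blkid output line and falls back to the UUID when there is no GPT partition table, and composes the entry in the form the post uses (name, source, key-file, options). It assumes blkid prints KEY="value" pairs exactly as shown above and that the entry is meant for crypttab; the second blkid line and its UUID are constructed for the demo. It never touches a real disk and never calls cryptsetup.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the post's
# steps offline: a 4 KiB key-file from /dev/urandom locked to mode 0400,
# the PARTUUID-or-UUID choice made from a blkid output line, and the
# resulting crypttab entry "<name> <source> <key-file> <options>".
# Assumptions: blkid prints KEY="value" pairs as shown in the post, and the
# entry is meant for crypttab. Nothing here touches a real disk or runs
# cryptsetup; the printed line is for you to place in your own setup.

# pick_identifier LINE: print PARTUUID="..." from one blkid output line,
# or UUID="..." when the disk has no PARTUUID (i.e. no GPT partition table).
# Returns 1 if the line carries neither.
pick_identifier() {
    line=$1
    for key in PARTUUID UUID; do
        # The leading [[:space:]] keeps UUID= from matching inside PARTUUID=.
        value=$(printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$key=\"\([^\"]*\)\".*/\1/p")
        if [ -n "$value" ]; then
            printf '%s="%s"\n' "$key" "$value"
            return 0
        fi
    done
    return 1
}

# crypttab_line NAME BLKID_LINE KEYFILE: compose the entry the post adds,
# e.g. data_lux PARTUUID="..." /root/keyfiles/data_lux luks
crypttab_line() {
    name=$1
    blkid_line=$2
    keyfile=$3
    id=$(pick_identifier "$blkid_line") || return 1
    printf '%s %s %s luks\n' "$name" "$id" "$keyfile"
}

# keyfile_is_private FILE: true only if FILE exists with mode exactly 0400,
# the permission the post sets with chmod so no other user can read the key.
keyfile_is_private() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 0400 -print)" ]
}

# demo: run the whole procedure in a scratch directory instead of /root/keyfiles.
demo() {
    dir=$(mktemp -d)
    keyfile=$dir/data_lux
    # Same key material as the post: 4 * 1024 random bytes.
    dd if=/dev/urandom of="$keyfile" bs=1024 count=4 2>/dev/null
    chmod 0400 "$keyfile"
    if keyfile_is_private "$keyfile"; then
        echo "key-file is readable by its owner only: $keyfile"
    else
        echo "WARNING: key-file permissions are too open: $keyfile"
    fi
    # Constructed blkid lines: a GPT disk (has PARTUUID) and an MBR disk (UUID only).
    gpt='/dev/sda1: UUID="3260f97b-ddcf-42f3-95c2-383260736da1" TYPE="crypto_LUKS" PARTUUID="667c1593-99ac-413a-9f03-c4d1ee87c8c4"'
    mbr='/dev/sdb1: UUID="0123abcd-0000-4000-8000-000000000000" TYPE="crypto_LUKS"'
    crypttab_line data_lux "$gpt" /root/keyfiles/data_lux
    crypttab_line data_mbr "$mbr" /root/keyfiles/data_mbr
    rm -rf "$dir"
}

demo
```

Run it as a normal user; it only writes to a temporary directory. The real steps (the dd into /root/keyfiles, chmod, luksAddKey and the crypttab edit) still need root, and the mode check is worth repeating after any backup or restore of /root, since a copied key-file that ends up readable by other users gives away the disk just as a leaked password would.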
After a reboot you will be prompted for one password and your second encrypted disk should be listed in
Of course, you can change that name. If you want to, just replace every data_lux in this tutorial with your favorite name.
From here I use the automatic mount options of KDE to mount the disk at startup.