Software developer stories
en de

Ubuntu: automatic password for second encrypted disk

I just encountered the problem that I have to type two passwords at startup, for two encrypted disks. My first disk is encrypted through the Ubuntu installer. After some searching I found the perfect solution for that task. In german, it’s called “Schlüsselableitung”, in English derived keys. But perfect solutions often have a big issue why they don’t work, like here. I’m using Ubuntu 16.04 which uses ´systemd´, and that has problems with derived keys. So I found the second most perfect solution for me, using a key-file. Some people argue that this is a security issue, but the derived key is also obtainable with root rights, just like a key-file. And by the way, your private keys of your certificates are also stored on that disks and nearly nobody complains about that.

I assume the following setup:

  • You are using LUKS
  • Your whole system is encrypted with the option you can select at installing Ubuntu (or similar, but home directory encryption does not count here). Otherwise your key-file is accessible by anyone with physical access to your computer.
  • You have a second disk that is already encrypted (sda1 in my case)
  • You will bother with the actual mounting yourself

So let’s do it. First we create a key-file with 4069 Bit, which should be enough.

sudo mkdir /root/keyfiles
sudo dd if=/dev/urandom of=/root/keyfiles/data_lux bs=1024 count=4

Next we should forbid any access for any user except root. Otherwise the bad guys can steal the key-file and encrypt your sensible data.

sudo chmod -R 0400 /root/keyfiles/

Now we add the key-file to the second disk, ironically it’s sda1 in my case. In order to do that, you have to type in one password that is capable to decrypt the drive.

sudo cryptsetup luksAddKey /dev/sda1 /root/keyfiles/data_lux

The only thing that is missing right now, is the automatic part. If you would reboot yet, you would see no difference. For the automatization we need the PARTUUID or UUID of the drive. The difference between those both is, that the PARTUUID stays the same, even if you format the drive. If you don’t see a PARTUUID you are not using GPT as partition table, but you can use the UUID instead.

blkid /dev/sda1
#Output: /dev/sda1: UUID="3260f97b-ddcf-42f3-95c2-383260736da1" TYPE="crypto_LUKS" PARTUUID="667c1593-99ac-413a-9f03-c4d1ee87c8c4"

Now the only thing that’s left to a (multiple) password entering free world is to add the magic line to /etc/crypttab. I use the PARTUUID but you can replace it with the UUID if you want (or need).

data_lux PARTUUID="667c1593-99ac-413a-9f03-c4d1ee87c8c4" /root/keyfiles/data_lux luks

After a reboot you will be prompted for one password and your second encrypted disk should be listed in /dev/mapper/ as data_lux. Of course, you can change that name. If you want to, just replace any data_lux in this tutorial with your favorite name. From here I use the automatic mount options of KDE to mount the disk at startup.

My Sources: