user2638109

Reputation: 319

Auto decrypt multiple LUKS Devices with Mandos

I played around with Mandos to automatically open an encrypted root device. I wanted to set up an encrypted btrfs RAID 1 (sda1 and sdb1: LUKS). The first device is decrypted correctly, but the second will not be opened. Is there a way to do this?

Upvotes: 0

Views: 1607

Answers (3)

ypid

Reputation: 1848

As of Debian Stretch, it just works (tm). Both devices should be listed in /etc/crypttab and the btrfs RAID 1 should be set up. Then install mandos. Confirmed working on Debian Stretch 9.5.

Upvotes: 1

Teddy

Reputation: 6163

I would suggest that you have a file on the root file system (I would suggest in /etc/keys) containing the password to any other disks, and enter that file name in the third field in /etc/crypttab.

Upvotes: 1
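The keyfile approach from the answer above, as an added example (not code from the thread or from Mandos): it creates a random keyfile under /etc/keys with owner-only permissions, enrols it in a spare LUKS key slot, and emits the matching /etc/crypttab line with the keyfile in the third field. The keyfile name /etc/keys/sdb1.key and the mapping name sdb1_crypt are assumptions; the cryptsetup step needs root and asks for an existing passphrase of the device.

```shell
#!/bin/sh
# Added example for the keyfile approach; not code from the thread or from Mandos.
# Assumed names: /etc/keys/<name>.key for the keyfile, <name>_crypt-style mapping
# names. Needs root for the cryptsetup and blkid steps.
set -eu

KEYDIR=/etc/keys

# A keyfile that any local user can read is as good as an unencrypted disk,
# so accept only owner-only modes (0400 or 0600).
keyfile_ok() {
    mode="$(stat -c %a "$1")"
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# /etc/crypttab line: mapping name, device by UUID, keyfile (third field), options.
crypttab_line() {
    printf '%s UUID=%s %s luks,discard\n' "$1" "$2" "$3"
}

# Create a 512-byte random keyfile with a restrictive umask, lock it to 0400,
# and add it to a free LUKS key slot of the device (prompts for an existing
# passphrase). The original passphrase slot stays usable as a fallback.
enrol_keyfile() {
    dev="$1"; keyfile="$2"
    mkdir -p "$KEYDIR"
    chmod 0700 "$KEYDIR"
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs=512 count=1 2>/dev/null )
    chmod 0400 "$keyfile"
    keyfile_ok "$keyfile" || { echo "bad permissions on $keyfile" >&2; return 1; }
    cryptsetup luksAddKey "$dev" "$keyfile"
}

# usage (as root): ./luks-keyfile.sh enrol /dev/sdb1 sdb1_crypt >> /etc/crypttab
if [ "${1:-}" = "enrol" ]; then
    enrol_keyfile "$2" "$KEYDIR/$3.key"
    crypttab_line "$3" "$(blkid -s UUID -o value "$2")" "$KEYDIR/$3.key"
fi
```

Keep the keyfile on the encrypted root file system only; anything that copies it onto unencrypted /boot (for example an initramfs that includes it) removes the protection the passphrase on the first disk provides.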

user2638109

Reputation: 319

The solution is relatively simple:

Instead of adding your disks to /etc/crypttab, add them directly to /etc/initramfs-tools/conf.d/cryptroot and don't forget the keyscript part (keyscript=/lib/mandos/plugin-runner).

/etc/initramfs-tools/conf.d/cryptroot:

    target=sda2_crypt,source=UUID=0f47884b-fb02-478e-b4dd-c594cf1cbbf1,key=none,rootdev,discard,keyscript=/lib/mandos/plugin-runner
    target=sdb2_crypt,source=UUID=65f16e28-5b74-4b1f-9f81-01729244ac2c,key=none,rootdev,discard,keyscript=/lib/mandos/plugin-runner

To be sure the complete cryptsetup stack is compiled correctly into the initramfs, add a dummy device to /etc/crypttab. Take care to add noauto, otherwise it will try to unlock the device on startup and will fail.

/etc/crypttab:

    dummy_device UUID=087963da-63bb-439b-bb5a-15e712d02a29 none noauto,luks,discard

Upvotes: 0
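The cryptroot approach from the answer above, as an added example (not code from the thread or from Mandos): it writes one cryptroot entry per RAID member in the format the answer uses, with the UUID taken from blkid, and after update-initramfs it checks that the image actually carries cryptsetup and the Mandos plugin runner, which is exactly what the noauto dummy entry in /etc/crypttab is there to guarantee. The script name, the Debian initramfs-tools layout and the keyscript path /lib/mandos/plugin-runner are assumptions taken from the answer.

```shell
#!/bin/sh
# Added example for the cryptroot approach; not code from the thread or from Mandos.
# Assumes Debian initramfs-tools (lsinitramfs, update-initramfs) and the keyscript
# path named in the answer. Device names and UUIDs come from blkid at run time.
set -eu

KEYSCRIPT=/lib/mandos/plugin-runner

# One cryptroot entry, in the format the answer uses. Arguments: mapping name, LUKS UUID.
cryptroot_entry() {
    printf 'target=%s,source=UUID=%s,key=none,rootdev,discard,keyscript=%s\n' \
        "$1" "$2" "$KEYSCRIPT"
}

# Target names in a cryptroot file, one per line, so a check can confirm that
# every RAID member has an entry.
cryptroot_targets() {
    sed -n 's/^target=\([^,]*\),.*/\1/p' "$1"
}

# Emit a cryptroot file covering every device given (e.g. /dev/sda1 /dev/sdb1).
# Each device becomes <basename>_crypt with the UUID reported by blkid (needs root).
generate_cryptroot() {
    for dev in "$@"; do
        uuid="$(blkid -s UUID -o value "$dev")"
        cryptroot_entry "$(basename "$dev")_crypt" "$uuid"
    done
}

# After update-initramfs -u: the image must contain cryptsetup and the Mandos
# plugin runner, otherwise the second member cannot be unlocked at boot.
verify_initramfs() {
    img="${1:-/boot/initrd.img-$(uname -r)}"
    listing="$(lsinitramfs "$img")"
    printf '%s\n' "$listing" | grep -q 'sbin/cryptsetup$' \
        || { echo "$img: cryptsetup missing (add a noauto entry to /etc/crypttab)" >&2; return 1; }
    printf '%s\n' "$listing" | grep -q 'lib/mandos/plugin-runner$' \
        || { echo "$img: mandos plugin-runner missing" >&2; return 1; }
}

# usage (as root):
#   ./mandos-raid.sh generate /dev/sda1 /dev/sdb1 > /etc/initramfs-tools/conf.d/cryptroot
#   update-initramfs -u && ./mandos-raid.sh verify
case "${1:-}" in
    generate) shift; generate_cryptroot "$@" ;;
    verify)   shift; verify_initramfs "$@" ;;
esac
```

Run verify after every update-initramfs; if the check fails, the next reboot will stop at the initramfs prompt for the second disk rather than let Mandos unlock it.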
