The previous articles showed how to use a fully encrypted Arch Linux system which could be remotely unlocked if necessary. In any case, a simple password is enough to decrypt the main disk and start the system.
In my case, however, several other hard disks are also encrypted, not necessarily with the same passwords: here we will see how to decrypt them all at once, with a single password.
To do this, I create a random key, which will be stored on my main (encrypted) disk:
    head -c 64 /dev/urandom > /root/.data.key
    chmod 600 /root/.data.key
Assuming that the disk to be decrypted is /dev/sda1, I can then tell cryptsetup to add this file to it as an additional key (the current password will be retained):
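    # -i 1 sets the passphrase-hashing (PBKDF) time for this key slot to 1 ms; acceptable only because the key is 64 random bytes
    cryptsetup -v luksAddKey -i 1 /dev/sda1 /root/.data.key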
In order for the disk to be decrypted at boot time, I edit /etc/crypttab and /etc/fstab to add:

    # /etc/crypttab
    # <uuid-of-sda1> is the output of "blkid /dev/sda1 -o value -s UUID"; crypttab does not expand $(...)
    data UUID=<uuid-of-sda1> /root/.data.key

    # /etc/fstab
    /dev/mapper/data /media/data ext4 rw,noatime 0 2
At boot time, as soon as the system is decrypted and started, the entry in /etc/crypttab unlocks the disk using the newly created key file, and the entry in /etc/fstab mounts it.
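With several disks set up this way, the resulting crypttab can be checked in one pass. The following is an added example, not part of the original article: the function name audit_crypttab and its messages are assumptions. It flags a device field that still contains an unexpanded $(...) and key files that are missing or accessible to group or others.

```shell
#!/bin/sh
# Added example (not from the original article): audit a crypttab file.
# Usage: audit_crypttab [FILE]    (FILE defaults to /etc/crypttab)
# Prints one finding per line and returns 1 if there was any finding.
audit_crypttab() {
    file=${1:-/etc/crypttab}
    findings=0
    # Fields: mapping name, device, key file, options.
    while read -r name device key _options || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        # crypttab is not a shell script: $(...) and backticks stay literal,
        # so such an entry never matches a disk (and shifts the other fields).
        case $device in
            *'$('*|*'`'*)
                echo "$name: device field is not expanded, write the UUID out"
                findings=$((findings + 1))
                continue ;;
        esac
        # 'none', '-' or an empty field means a passphrase is asked for.
        case $key in ''|none|-) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing or not a regular file"
            findings=$((findings + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits;
        # a key file created with chmod 600 shows "------" there.
        if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "$name: key file $key is accessible to group or others"
            findings=$((findings + 1))
        fi
    done < "$file"
    [ "$findings" -eq 0 ]
}
```

Source the file as root and run `audit_crypttab` after each change to /etc/crypttab; a clean file produces no output and a zero exit status.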