Sylvain Durand

Decrypt multiple drives at boot

The previous articles showed how to set up a fully encrypted Arch Linux system that can be unlocked remotely if necessary. In any case, a single password is enough to decrypt the main disk and start the system.

In my case, however, several other hard disks are also encrypted, not necessarily with the same passwords: here we will see how to decrypt them all at once, with a single password.

To do this, I create a random key, which will be stored on my main (encrypted) disk:

head -c 64 /dev/urandom > /root/.data.key
chmod 600 /root/.data.key

Assuming that the disk to be decrypted is /dev/sda1, I can then tell cryptsetup to add this file as an additional key for it (the existing passphrase is kept in its own key slot). The -i 1 option sets the PBKDF iteration time of the new key slot to 1 millisecond; that is acceptable here only because the key is 64 random bytes, which cannot be brute-forced, and it must never be used for a human-chosen passphrase:

cryptsetup -v luksAddKey -i 1 /dev/sda1 /root/.data.key

In order for the disk to be unlocked at boot time, I add a line to /etc/crypttab. This file is read by systemd's cryptsetup generator, not by a shell, so the UUID has to be written literally: a `$(...)` expression would be copied verbatim and the unlock would fail. First get the UUID of the partition:

blkid -o value -s UUID /dev/sda1

Then add it to /etc/crypttab, replacing the placeholder with the value printed above:

# /etc/crypttab
data UUID=<uuid of /dev/sda1> /root/.data.key

And /etc/fstab:

# /etc/fstab
/dev/mapper/data /media/data ext4 rw,noatime 0 2

At boot time, once the root filesystem has been decrypted and mounted, systemd reads /etc/crypttab, opens /dev/sda1 with the newly created key file, and then mounts the resulting /dev/mapper/data according to /etc/fstab.
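The whole procedure above, gathered into a checked script, as an added example that is not part of the original article. It assumes the same names as the text (/dev/sda1, mapping name "data", key file /root/.data.key, mount point /media/data), all of which can be passed on the command line. Two details differ from the bare commands above: the key file is created under a 077 umask so it is never readable by others, not even between creation and chmod, and the crypttab line is only written after the UUID has been checked to be a literal value and the new key slot has been verified with `cryptsetup open --test-passphrase`, so a typo is caught now rather than at the next boot. Only the `--apply` path touches the system; the helper functions are pure and can be run anywhere.

```sh
#!/bin/sh
# Added example, not the article's own script. Assumed names: /dev/sda1,
# mapping "data", key file /root/.data.key, mount point /media/data.
set -eu

# Create a 512-bit random key file. The umask is set inside a subshell
# before the file exists, so there is no window in which it is readable
# by anyone but root.
make_keyfile() {
    keyfile=$1
    (umask 077; head -c 64 /dev/urandom > "$keyfile")
    # Refuse a short key (full disk, bad path, ...).
    [ "$(wc -c < "$keyfile")" -eq 64 ] || return 1
}

# Accept only a literal filesystem UUID: /etc/crypttab is read by the
# systemd cryptsetup generator, not by a shell, so "$(blkid ...)" would be
# copied verbatim and the unlock would fail at boot.
valid_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the crypttab line: <name> <device> <keyfile>
crypttab_line() {
    name=$1; uuid=$2; keyfile=$3
    valid_uuid "$uuid" || return 1
    printf '%s UUID=%s %s\n' "$name" "$uuid" "$keyfile"
}

# Build the fstab line for the opened mapping.
fstab_line() {
    name=$1; mountpoint=$2
    printf '/dev/mapper/%s %s ext4 rw,noatime 0 2\n' "$name" "$mountpoint"
}

# Resolve the UUID of a block device (needs root).
uuid_of() {
    blkid -o value -s UUID "$1"
}

# Full procedure. "-i 1" (1 ms of PBKDF) is only acceptable because the
# key is 64 random bytes; never use it for a human passphrase.
apply() {
    dev=$1; name=$2; keyfile=$3; mountpoint=$4
    make_keyfile "$keyfile"
    cryptsetup -v luksAddKey -i 1 "$dev" "$keyfile"
    # Prove the new key slot opens the volume before relying on it at boot.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
    uuid=$(uuid_of "$dev")
    crypttab_line "$name" "$uuid" "$keyfile" >> /etc/crypttab
    fstab_line "$name" "$mountpoint" >> /etc/fstab
    mkdir -p "$mountpoint"
}

# Usage (as root):
#   sh add-data-disk.sh --apply /dev/sda1 data /root/.data.key /media/data
if [ "${1:-}" = "--apply" ]; then
    shift
    apply "$@"
fi
```

After running it, `cryptsetup luksDump /dev/sda1` should show two populated key slots (the original passphrase and the file), and `systemctl daemon-reload` followed by `systemctl start systemd-cryptsetup@data.service` lets you exercise the crypttab entry without rebooting.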