Supply one password for multiple encrypted partitions luks

[prologen]

Hi.

I have two encrypted partitions, one at HDD other at SSD. But I'm tired of every boot to have to supply the same password for both.

The passwords are requested in OpenRC guided boot process. There's a way to configure dmcrypt init.d script to decrypt both at the same time? For now, the script treats each partition in fstab seems as having different keys of course.

Thanks!

[The Doctor]

You don't want one password per se.

The way this is handled is to add keyfiles to all the partitions except root. Root then opens and runs the dm_crypt service which uses the keyfiles to open all the other partitions. This way it is invisible to the user. Of course some configuration is required. If the root isn't safe put the key in the first encrypted partition. Then you only need one password.

I offer the manual
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

[389292]

You can put the keyfile to the root of encrypted initrd image, and encrypt it with your masterpassword, then you will only decrypt the initrd image during boot, and everything else is done via init script of your initramfs.
https://wiki.gentoo.org/wiki/Custom_Initramfs
https://wiki.gentoo.org/wiki/Early_Userspace_Mounting

[mike155]

What you want works out of the box under Systemd. No configuration needed - it just works.

[hrnick]

I'm waking this thread to life again since I believe it to be relevant to the topic.

I have my root on one disk and home partition on another and I have to enter a password twice for the encrypted volumes when I boot now. I sort of like the idea of being able to access my home partition with a passphrase in case I would need to boot from a rescue USB stick and access anything from there. Would adding a keyfile override the passphrase option or could they exist in parallel, i.e. could I have Gentoo automatically mount my home partition using a keyfile and still access is using the passphrase if I would need to?

Thanks!

[Hu]

According to man cryptsetup, LUKS has 8 key slots. You can have up to 8 different ways to unlock the device. A key file on root, as described earlier in the thread, and an emergency password, would constitute 2 ways, leaving you 6 slots unused. You want to use luksAddKey, which will request an existing passphrase in order to obtain the encryption key, then will store a new copy of that encryption key sealed by the new key, which can be either a new passphrase or a key file.

[sublogic]

[hrnick]

[hrnick]

So I added a keyfile in slot 1 with the passphrase still in slot 0 and I can luksOpen the device with both but there are no lvm volume found. The volume group is found using vgscan, lvs lists home as not active (-wi-------) and lvdisplay shows LV Status NOT available. Also when running mkfs I get a warning message that a file system is found.

It seems as if the volume has not been activated but I cannot find any /dev/vg2/ to try to active it. Any ideas on how to fix this? Running vgchange -a y vg2 gives me a Device or resource busy error message. Thanks!

[Hu]

I believe vgchange -a y is the typical answer here. Please post the output of pvs; vgs; lvs; vgchange -a y. Also, if you can see the logical volumes, then that suggests LUKS is working properly. You now have an LVM problem, not a LUKS problem.

[Princess Nell]

hrnick, did you run into news item 2022-11-19? Your description sounds eerily familiar.
https://forums.gentoo.org/viewtopic-t-1160358.html