Unlocking several crypto discs during boot

Volker Wysk post at volker-wysk.de
Sat Oct 14 18:28:42 UTC 2017


On Friday, 13 October 2017, 20:21:05 CEST, Xen wrote:
> Volker Wysk wrote on 13-10-2017 19:46:
> > -------------
> > This could be done better by making the user enter just one password, and
> > unlocking all matching crypto disks with it. So I would set the same password
> > for both crypto disks, and would have to enter the password only once. This is
> > my feature request.
> > -----snip----
> 
> So how would you propose you would configure this?

This could be done automatically. No configuration needed.


> See the problem is that you are using a PV sitting in a LUKS container
> on a different disk.
> 
> If your LUKS container was sitting IN the cached LV (origin) there would
> be no need for a second LUKS container because the cache would be
> automatically encrypted.

I don't understand. How could a LUKS container sit inside a LV? Do you mean 
"inside the PV of the origin LV"?

 
> That means you would have this kind of setup:
> 
> /dev/sda1 ---> PV ---> VG ---> origin LV ---> LUKS ---> PV ----> VG
> ----> partitions
> 
> If you wanted multiple cached partitions.
> 
> If you don't want multiple cached partitions it becomes simply this:
> 
> /dev/sda1 ---> PV ---> VG ---> root origin LV ---> LUKS ---> filesystem
>                            ---> unencrypted LV
>                            ---> unencrypted LV
> 
> /dev/sdb1 ---> PV ---> VG ---> root cache LV
> 
> This seems to be the preferred setup for encrypting and caching just the
> root filesystem.

I have this situation: The /dev/sda3 partition is encrypted (using LUKS). The 
encrypted partition (/dev/sda3_crypt) is made a PV, and the root LV is inside 
that PV. The root filesystem resides inside that LV.

This would be better: The /dev/sda3 partition is a PV, and the root LV is made 
inside it. Then the root LV gets encrypted. This way, a keyfile could be used, 
and no second password was needed. (I believe, not quite sure).

The first possibility is what the Kubuntu installer makes, when you choose "Use 
the whole disk and configure encrypted LVM" (or similar). The manual 
configuration of the partitions was broken when I installed my 16.04.


> Your usecase is really not particular to caching. It is particular to
> having multiple disks.
> 
> Or having multiple disks with LUKS containers.

It's particular to not being able to unlock LUKS containers via keyfiles.

> So your feature request is really for decryption of multiple 'adjacent'
> partitions that happen to have the same password.

Something like that.


Cheers
Volker
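
As an added example (not from the thread), this is how the Debian/Ubuntu crypttab can ask for the passphrase once and reuse it for both containers: with keyscript=decrypt_keyctl the third field is not a key file path but an arbitrary identifier, and every entry that shares that identifier shares the passphrase cached in the kernel keyring. It assumes the keyutils package is installed, that both containers have the same passphrase in one of their key slots, and the UUIDs below are placeholders.

```text
# /etc/crypttab (constructed example; UUIDs are placeholders)
# <target name>  <source device>                  <key file>    <options>
sda3_crypt       UUID=PLACEHOLDER-UUID-OF-SDA3    crypt_disks   luks,keyscript=decrypt_keyctl
sdb1_crypt       UUID=PLACEHOLDER-UUID-OF-SDB1    crypt_disks   luks,keyscript=decrypt_keyctl
# "crypt_disks" is the cache identifier, not a file: the first entry prompts
# and caches the passphrase under that name, the second reuses it silently.
```

After editing, run update-initramfs -u so the keyscript and the entries land in the initramfs. If the cached passphrase does not open a device, the script prompts again for that device, so a container with a different passphrase still works, it just costs a second prompt.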