
Auto decrypt multiple LUKS Devices with Mandos


I played around with Mandos to automatically open an encrypted root device. I wanted to set up an encrypted btrfs raid 1 (sda1 and sdb1: LUKS). The first device is decrypted correctly, but the second will not be opened. Is there a way to do this?


Solution

  • The solution is relatively simple:

    Instead of adding your disks to /etc/crypttab, add them directly to /etc/initramfs-tools/conf.d/cryptroot and don't forget the keyscript part (keyscript=/lib/mandos/plugin-runner).

    /etc/initramfs-tools/conf.d/cryptroot:

        target=sda2_crypt,source=UUID=0f47884b-fb02-478e-b4dd-c594cf1cbbf1,key=none,rootdev,discard,keyscript=/lib/mandos/plugin-runner
        target=sdb2_crypt,source=UUID=65f16e28-5b74-4b1f-9f81-01729244ac2c,key=none,rootdev,discard,keyscript=/lib/mandos/plugin-runner

    To be sure the complete cryptsetup stack is compiled correctly into the initramfs, add a dummy device to /etc/crypttab. Take care to add noauto, otherwise it will try to unlock the device on startup and will fail.

    /etc/crypttab:

        dummy_device UUID=087963da-63bb-439b-bb5a-15e712d02a29 none noauto,luks,discard
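As an added example (not code from the original post), here is a small Python linter for the two files the solution edits, meant to be run before `update-initramfs -u`. It catches the two mistakes the solution warns about: a rootdev entry in cryptroot without the Mandos keyscript (the boot would stop at a passphrase prompt for that disk), and a crypttab entry that is not handled by the initramfs but lacks noauto. It assumes the cryptroot entry format shown above (one entry per line, comma-separated key=value pairs and bare flags) and the usual four-column crypttab layout; the embedded sample file contents are constructed from the post, and the keyscript path is the one the solution uses.

```python
import re

MANDOS_KEYSCRIPT = "/lib/mandos/plugin-runner"
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Sample contents constructed from the post (UUIDs are the post's own).
GOOD_CRYPTROOT = """\
target=sda2_crypt,source=UUID=0f47884b-fb02-478e-b4dd-c594cf1cbbf1,key=none,rootdev,discard,keyscript=/lib/mandos/plugin-runner
target=sdb2_crypt,source=UUID=65f16e28-5b74-4b1f-9f81-01729244ac2c,key=none,rootdev,discard,keyscript=/lib/mandos/plugin-runner
"""
GOOD_CRYPTTAB = "dummy_device UUID=087963da-63bb-439b-bb5a-15e712d02a29 none noauto,luks,discard\n"

# Constructed broken pair: the second disk lost its keyscript and the
# dummy crypttab entry forgot noauto, the two failure modes the post names.
BAD_CRYPTROOT = """\
target=sda2_crypt,source=UUID=0f47884b-fb02-478e-b4dd-c594cf1cbbf1,key=none,rootdev,discard,keyscript=/lib/mandos/plugin-runner
target=sdb2_crypt,source=UUID=65f16e28-5b74-4b1f-9f81-01729244ac2c,key=none,rootdev,discard
"""
BAD_CRYPTTAB = "dummy_device UUID=087963da-63bb-439b-bb5a-15e712d02a29 none luks,discard\n"


def parse_cryptroot(text):
    """One dict per non-comment line; key=value pairs keep their value, bare flags map to True."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {}
        for field in line.split(","):
            if "=" in field:
                key, value = field.split("=", 1)   # keep "UUID=..." intact in source=
                entry[key] = value
            else:
                entry[field] = True
        entries.append(entry)
    return entries


def check_cryptroot(text, keyscript=MANDOS_KEYSCRIPT):
    """Return a list of problem strings for the cryptroot file; empty means it looks sane."""
    problems = []
    seen = set()
    for lineno, entry in enumerate(parse_cryptroot(text), 1):
        name = entry.get("target", "<line %d>" % lineno)
        if "target" not in entry or "source" not in entry:
            problems.append("%s: entry needs both target= and source=" % name)
        if name in seen:
            problems.append("%s: duplicate target name" % name)
        seen.add(name)
        # Every disk the root filesystem spans must be unlocked unattended.
        if entry.get("rootdev") and entry.get("keyscript") != keyscript:
            problems.append("%s: rootdev entry without keyscript=%s; boot will stop at a passphrase prompt"
                            % (name, keyscript))
        source = entry.get("source", "")
        if source.startswith("UUID=") and not UUID_RE.match(source[5:]):
            problems.append("%s: source %s is not a well-formed UUID" % (name, source))
    return problems


def check_crypttab(text, initramfs_targets):
    """Entries the initramfs does not own must carry noauto, or boot tries to unlock them and fails."""
    problems = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) < 2:
            problems.append("%s: crypttab entry needs at least a name and a source" % cols[0])
            continue
        name = cols[0]
        options = set(cols[3].split(",")) if len(cols) > 3 else set()
        if name not in initramfs_targets and "noauto" not in options:
            problems.append("%s: not listed in cryptroot and lacks noauto; startup will try to unlock it" % name)
    return problems


def lint(cryptroot_text, crypttab_text, keyscript=MANDOS_KEYSCRIPT):
    """Run both checks and return the combined problem list (cryptroot problems first)."""
    targets = {e["target"] for e in parse_cryptroot(cryptroot_text) if "target" in e}
    return check_cryptroot(cryptroot_text, keyscript) + check_crypttab(crypttab_text, targets)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                       # lint real files: lint.py CRYPTROOT CRYPTTAB
        with open(sys.argv[1]) as f:
            cr = f.read()
        with open(sys.argv[2]) as f:
            ct = f.read()
        pairs = (("host", cr, ct),)
    else:                                        # no arguments: run on the constructed samples
        pairs = (("good", GOOD_CRYPTROOT, GOOD_CRYPTTAB), ("bad", BAD_CRYPTROOT, BAD_CRYPTTAB))
    for label, cr, ct in pairs:
        for problem in lint(cr, ct) or ["no problems found"]:
            print("%s: %s" % (label, problem))
```

Run it with no arguments to see the constructed good pair pass and the broken pair report the missing keyscript on sdb2_crypt and the missing noauto on dummy_device; on a real host pass the two file paths as arguments. Note that the linter only checks the files as written: whether the UUIDs actually exist under /dev/disk/by-uuid is something to confirm separately (for example with `blkid`) before rebuilding the initramfs.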