I’ve written in the past on Adding an external encrypted drive with LVM to Ubuntu Linux and Adding a LUKS-encrypted iSCSI volume to Synology DS414 NAS but I neglected to mention how to automatically decrypt additional volumes.
When installing a fresh copy of Ubuntu one of the options is to install with a LUKS-encrypted Logical Volume Manager Volume Group (LVM VG). This puts your root volume on the encrypted LVM VG. When you power up your machine Ubuntu prompts you to enter the decryption passphrase in order to decrypt the VG and start your computer. Without the passphrase the contents of your hard drive are unreadable.
If you add encrypted external drives and/or additional VGs you will end up with multiple encrypted volumes. Ubuntu will prompt you for the passphrase of each additional encrypted volume when you boot up the machine.
If you don’t want to enter multiple, different passphrases each time you boot, you can store the passphrases for the additional volumes on the encrypted root filesystem of your first drive and reference them from the /etc/crypttab file. You are then prompted for only one passphrase, that of the first VG, and unlocking it makes the stored passphrases for the additional volumes readable so they can be decrypted in turn.
Here’s how it works.
The /etc/crypttab file contains four fields per line: the name of the mapped (decrypted) device, the UUID of the encrypted block device, the path of a file holding the decryption passphrase (or none to be prompted at boot), and a comma-separated list of encryption options.

nvme0n1p5 UUID=405d8c73-1cf9-4b2c-9b8e-c76b90d27c67 none luks,discard
datastorage UUID=f2d73ac8-1ef1-4735-9dd4-9e778fc9e781 /root/.luks-datastorage luks,discard
external1 UUID=0140476b-dd0b-4aab-b7d4-2f5fa14d1a0c /root/.luks-backupexternal1 luks
external2 UUID=610a67d4-c4f6-4b73-a824-a437971e8d24 /root/.luks-backupexternal2 luks
iscsi UUID=b106b749-f4ab-44be-8962-6ff867dc074e /root/.luks-backupiscsi luks
The first volume, nvme0n1p5, is the encrypted volume unlocked at boot. It contains the root filesystem and the /root home directory. Its third field is “none”, which means that Ubuntu will prompt you for a decryption passphrase in order to unlock and decrypt the drive.
The remaining volumes each have a key file defined that contains the decryption passphrase for that volume. Those files are hidden files in the /root home directory. Once the nvme0n1p5 volume is decrypted and mounted, the remaining volumes are unlocked automatically using the passphrases stored in those files.
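Because each key file holds a passphrase in clear text, what protects it is the root volume’s encryption plus the file’s ownership and mode, not the leading dot in its name. The audit below is an added example, not from the original post: it reads a crypttab, skips entries that prompt at boot, and flags key files that are missing, not owned by root, or readable by anyone but root. The optional expected-owner argument and the `check_crypttab` name are my own, so the check can also be run against a test copy as an unprivileged user.

```shell
#!/bin/sh
# Audit the key files referenced in a crypttab (added example, not from the
# original post). Each key file in the third field holds a LUKS passphrase in
# clear text, so it should exist, belong to root and be readable by root only.
# Usage: check_crypttab [crypttab_path] [expected_owner]
# Prints one line per problem and returns 0 when the file is clean, 1 otherwise.
check_crypttab() {
    crypttab="${1:-/etc/crypttab}"
    expected_owner="${2:-root}"   # overridable so the audit can run unprivileged
    problems=0
    while read -r name _device keyfile _options; do
        # Skip blank lines and comments.
        case "$name" in ''|'#'*) continue ;; esac
        # "none" or "-" means an interactive passphrase prompt at boot: nothing to audit.
        case "$keyfile" in ''|none|-) continue ;; esac
        if [ ! -f "$keyfile" ]; then
            echo "$name: key file $keyfile is missing"
            problems=$((problems + 1))
            continue
        fi
        # stat -c is GNU coreutils (as on Ubuntu): %a = octal mode, %U = owner name.
        mode=$(stat -c '%a' "$keyfile")
        owner=$(stat -c '%U' "$keyfile")
        if [ "$owner" != "$expected_owner" ]; then
            echo "$name: key file $keyfile is owned by $owner, expected $expected_owner"
            problems=$((problems + 1))
        fi
        case "$mode" in
            400|600) ;;
            *) echo "$name: key file $keyfile has mode $mode, expected 400 or 600"
               problems=$((problems + 1)) ;;
        esac
    done < "$crypttab"
    [ "$problems" -eq 0 ]
}
```

Run it as root with no arguments to audit the live /etc/crypttab; a non-zero exit means at least one key file needs attention.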
The end result is that all of your drives are encrypted, but you only have to enter one passphrase to unlock all of your drives.
Hope you find this useful.