User:Sakaki/Sakaki's EFI Install Guide/Extending LUKS to Protect an Additional Drive

In this mini-guide, we'll show how to easily extend your LUKS protection to cover an additional drive (or drives) on your system. This is most useful with desktop machines, where you may have multiple hard drives installed.

Prerequisites
To carry this out, you will need:
 * to have an operational / system, which you have set up per the text of the main guide (you don't need to have installed GNOME, however); and
 * a secondary drive (or partition) that you would like to protect with LUKS, and have automatically mounted on boot.

Preparing systemd
First, we'll need to ensure that has the  USE flag enabled (which it does not, by default); this turns on the unit generator for, which we'll need. Open a terminal, get, then issue:

and append the following line:

Save and exit ; then, rebuild :

Preparing your New Drive
In what follows, I'm going to assume you want to use the same cryptography settings as those recommended for the main system, earlier in the tutorial (obviously, adapt as appropriate). I will refer to the drive as ; substitute your actual device path as appropriate (, etc.). Also, if you wish to encrypt only one partition within the drive, use the relevant value instead (e.g.,, etc.) You can use the   utility in GNOME, or the  command line utility, to find your device's path.

First, we will create a keyfile, and place this in the user's home directory, within the (already LUKS-protected)  partition. Issue:

to create the key, and make it (read) accessible by the user only.

Now, LUKS-format your new drive:

{{RootCmd
|cryptsetup --cipher serpent-xts-plain64 --key-size 512 --hash sha512 --key-file /root/crypt1.key luksFormat /dev/sdN
|output=<pre>
WARNING!
========
This will overwrite data on /dev/sdN irrevocably.

Are you sure? (Type uppercase yes):
</pre>
}}

Next, open the encrypted device, using the keyfile:

If that succeeded, the new device will be visible under (as ).

Next, create a filesystem on your unlocked drive.

Issue:

to create the physical volume (PV), volume group (VG) and the  and  logical volumes (LVs).

The LVs will be visible (in this case) as and. They may be treated as any other device - so let's do that now, and format them (adapt to your own requirements):

Close the drive again:

Finally, find the UUID of the new LUKS disk (or partition); issue:

Your output will differ from the above. Note down the UUID.

Configuring /etc/crypttab and /etc/fstab
Next, we need to set up the file. This file is processed by before  is read, and tells the system which cryptographically protected volumes it should unlock at boot.

Issue:

and add the following text to the file (substituting the UUID you just noted down for the one I have used, obviously):

Save and exit.

That's it for the encryption side of things; with this in place, will automatically unlock the LUKS container, call it, and then activate any logical volumes within it, and make these available via the device mapper too. This will be done before is processed, so you are now free to cite these LVs within your.
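Before rebooting, it is worth checking that each crypttab entry refers to its device by UUID and that its keyfile is readable by the owner only, as set up earlier. The following is an added example, not part of the original guide; the function name `audit_crypttab`, the entry names `extra1` and `extra2`, and the all-zero UUID are hypothetical, and the sample file is constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not from the guide: audit crypttab entries before rebooting.
# Field order per crypttab(5): name  device  keyfile  options

audit_crypttab() {   # prints one WARN per problem; returns 1 if any found
    local tab="$1" rc=0 name dev key opts mode
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac      # blank line or comment
        # Kernel names such as /dev/sdb can change between boots; UUID= cannot.
        case "$dev" in
            UUID=*) ;;
            *) echo "WARN $name: device '$dev' is not referenced by UUID"; rc=1 ;;
        esac
        # 'none' or '-' means a passphrase prompt: no key on disk to check.
        case "$key" in ''|none|-) continue ;; esac
        if [ ! -f "$key" ] || [ -L "$key" ]; then
            echo "WARN $name: keyfile '$key' is missing or not a regular file"; rc=1
            continue
        fi
        # Any group/other permission bit exposes the key to non-owners.
        mode=$(stat -c '%a' "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "WARN $name: keyfile '$key' has mode $mode (group/other access)"; rc=1
        fi
    done < "$tab"
    return "$rc"
}

# Constructed sample: extra1 is clean; extra2 uses a /dev path and a loose key.
demo() {
    local d rc=0
    d=$(mktemp -d)
    printf 'k' > "$d/good.key";  chmod 400 "$d/good.key"
    printf 'k' > "$d/loose.key"; chmod 644 "$d/loose.key"
    cat > "$d/crypttab" <<EOF
# name   device                                     keyfile        options
extra1   UUID=00000000-0000-0000-0000-000000000000  $d/good.key    luks
extra2   /dev/sdN                                   $d/loose.key   luks
EOF
    audit_crypttab "$d/crypttab" || rc=1
    rm -rf "$d"
    return "$rc"
}

demo || true    # on a real system, as root: audit_crypttab /etc/crypttab
```

The check relies on GNU `stat -c`, which is what a Gentoo system provides.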

For example, let's suppose we wanted to mount the LV at, and  at  (these are just examples, obviously, adapt to your own requirements).

We need to create mountpoints, as they don't exist yet, so issue:

Then add the entries to to have them mounted. Issue:

and then append (for our example, adapt to your own requirements):

Save and exit.

That's it! Next time you reboot, you should have access to your new protected LVs!
