User:Sakaki/Sakaki's EFI Install Guide/Extending LUKS to Protect an Additional Drive

In this mini-guide, we'll show how to easily extend your LUKS protection to cover an additional drive (or drives) on your system. This is most useful with desktop machines, where you may have multiple hard drives installed.

Prerequisites
To carry this out, you will need:
 * to have an operational systemd/EFI Gentoo system, which you have set up per the text of the main guide (you don't need to have installed GNOME, however); and
 * a secondary drive (or partition) that you would like to protect with LUKS, and have automatically mounted on boot.

Preparing systemd
First, we'll need to ensure that systemd has the cryptsetup USE flag enabled (which it does not, by default); this turns on systemd's cryptsetup unit generator, which we'll need. Open a terminal, get root, then issue:

and append the following line:

Save and exit nano; then rebuild systemd:

Preparing your New Drive
In the below, I'm going to assume you want to use the same cryptography settings as those recommended for the main system, earlier in the tutorial (obviously, adapt as appropriate). I will refer to the drive as /dev/sdN; substitute your actual device path as appropriate. Also, if you wish to encrypt only one partition within the drive, use the relevant partition path instead. You can use GNOME's disk utility, or the lsblk command line utility, to find your device's path.

First, we will create a keyfile, and place this in the root user's home directory, within the (already LUKS-protected) root partition. Issue:

to create the key, and make it (read) accessible by the root user only.

Now, LUKS-format your new drive:

# cryptsetup --cipher serpent-xts-plain64 --key-size 512 --hash sha512 --key-file /root/crypt1.key luksFormat /dev/sdN

WARNING!
========
This will overwrite data on /dev/sdN irrevocably.

Are you sure? (Type uppercase yes): <double-check this is OK, then type YES and press Enter>

Next, open the encrypted device, using the keyfile:

If that succeeded, the new device will be visible under /dev/mapper, under the name you gave it.

Next, create a filesystem on your unlocked drive.

Issue:

to create the physical volume (PV), volume group cr1 (VG) and the foo and bar logical volumes (LVs).

The LVs will be visible (in this case) as /dev/mapper/cr1-foo and /dev/mapper/cr1-bar. They may be treated as any other device - so let's do that now, and format them (adapt to your own requirements):

Close the drive again:

Finally, find the UUID of the new LUKS disk (or partition); issue:

Your output will differ from the above. Note down the UUID.

Configuring /etc/crypttab and /etc/fstab
Next, we need to set up the /etc/crypttab file. This file is processed by systemd before /etc/fstab is read, and tells the system which cryptographically protected volumes it should unlock at boot.

Issue:

and add the following text to the file (substituting the UUID you just noted down for the one I have used, obviously):

Save and exit nano.

That's it for the encryption side of things; with this in place, systemd will automatically unlock the LUKS container under the name you gave it, activate any logical volumes within it, and make these available via the device mapper too. This will be done before /etc/fstab is processed, so you are now free to cite these LVs within your /etc/fstab.

For example, let's suppose we wanted to mount the foo LV at one new mountpoint, and bar at another (these are just examples; obviously, adapt to your own requirements).

We need to create mountpoints, as they don't exist yet, so issue:

Then add the entries to /etc/fstab to have them mounted. Issue:

and then append (for our example, adapt to your own requirements):

Save and exit nano.
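As an added example (this is not code from Sakaki's guide), the following POSIX shell helpers tie together two of the steps above: the requirement from "Preparing your New Drive" that the keyfile be readable by root alone, and the /etc/crypttab and /etc/fstab lines just described. They validate the UUID noted down from blkid and the keyfile path before emitting a crypttab line, and build the fstab line for an LV that LVM exposes as /dev/mapper/<vg>-<lv>. The names cr1, foo, bar, /root/crypt1.key and the mountpoints /mnt/foo and /mnt/bar are assumptions following the guide's worked example; the UUID is constructed and belongs to no real device.

```shell
#!/bin/sh
# Added example, not part of Sakaki's guide: helpers that check the LUKS
# keyfile permissions and build the /etc/crypttab and /etc/fstab lines for an
# LVM-on-LUKS data drive. The names below (cr1, foo, bar, /root/crypt1.key,
# the mountpoints) follow the guide's example; the UUID is constructed and
# belongs to no real device.

# Succeed (exit 0) only if $1 is a well-formed UUID as printed by blkid.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Succeed only if the keyfile at $1 is a regular file with mode 0400, i.e.
# readable by its owner alone, as the guide's keyfile step requires.
# (Ownership by root is not checked here: verifying that meaningfully
# needs root itself.)
keyfile_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "400" ]
}

# Print one crypttab line:  <mapper name> UUID=<uuid> <keyfile> luks
# Fails (exit 1) on a malformed UUID or a non-absolute keyfile path, so a
# typo in the UUID copied from blkid is caught before the next reboot
# rather than by a failed unlock at boot.
crypttab_line() {
    name=$1; uuid=$2; keyfile=$3
    is_uuid "$uuid" || { echo "crypttab_line: bad UUID '$uuid'" >&2; return 1; }
    case $keyfile in
        /*) ;;
        *) echo "crypttab_line: keyfile path must be absolute" >&2; return 1 ;;
    esac
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
}

# Print one fstab line for logical volume <lv> in volume group <vg>, which
# the device mapper exposes as /dev/mapper/<vg>-<lv> once systemd has
# unlocked the container (LVM doubles any '-' inside a name, so keep the
# names simple). fsck pass 2 is used so the root filesystem is checked first.
fstab_line() {
    vg=$1; lv=$2; mnt=$3; fstype=$4; opts=${5:-defaults}
    case $mnt in
        /*) ;;
        *) echo "fstab_line: mountpoint must be absolute" >&2; return 1 ;;
    esac
    printf '/dev/mapper/%s-%s %s %s %s 0 2\n' "$vg" "$lv" "$mnt" "$fstype" "$opts"
}

# Demonstration with a constructed UUID; substitute the one blkid printed.
EXAMPLE_UUID=0c7f3b2a-1d4e-4f5a-9b6c-7d8e9f0a1b2c
crypttab_line cr1 "$EXAMPLE_UUID" /root/crypt1.key
fstab_line cr1 foo /mnt/foo ext4
fstab_line cr1 bar /mnt/bar ext4 noatime
```

Run as a script it prints the crypttab line and the two fstab lines for the example; sourcing it into a root shell instead gives you the functions, so `keyfile_mode_ok /root/crypt1.key` can confirm the keyfile's mode before you reboot.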

That's it! Next time you reboot, you should have access to your new protected LVs!

Click here to rejoin the main guide.