I installed Manjaro last week, with full disk encryption; only /boot/efi is not encrypted. I have 3 partitions: root, home, storage, encrypted with the same passphrase so that I only need to type my passphrase once at boot, which is fine.
Now, I would like to encrypt another partition located on another NVMe disk without the need of typing a passphrase twice when booting.
I do not know how to do it; which options do I need to use with cryptsetup? How do I ensure that I would not need to type 2 passphrases when booting?
I guess I need to choose luks1, aes-xts-plain64, sha256? What else?
Also, do I need to define the same passphrase and embed it into /crypto_keyfile.bin?
Another question in my mind: if I do sudo cryptsetup luksDump /dev/<partition> on any of the 3 partitions created during the installation process, I have Key Slot 0 and 1 enabled, although I have only one passphrase defined. How is it possible?
The only one aggressive and offended is you, because someone else doesn't take their time to go over documentation and put together commands for you, so you can copy-paste them.
The question you need to pursue and answer for yourself
or ask about the answer to it
is:
"How are your current encrypted partitions opened/decrypted?"
Once you know that, you can simply apply it to the new one.
If the new one is not essential for boot, but can become available only later on with no ill effect,
you are not even "restricted" to luks version 1
… you may ask specific questions
explaining what you think the wiki said, what you did because of how you think it should work, and what the results were
details … and your own work
Don't bash people for not doing your work for you or reminding you of it.
I'm holding back a bit because I'm slightly intimidated by your avatar picture and what it implies for me …
*How are your current encrypted partitions opened/decrypted?*
→ I followed the regular Manjaro installation. So I guess I need to apply the same encryption parameters for the new partition I want to encrypt, though I am not 100% sure this is a prerequisite.
*If the new one is not essential for boot, but can become available only later on with no ill effect, you are not even "restricted" to luks version 1*
→ I got it now; you replied partially to the previous question. If I consider this partition essential at boot, I understand I have to choose luks1. Do I also need to choose the exact same algorithm, hash and so on (aes-xts-plain64, sha256…) or is only luks1 required?
Then, in the wiki, they say:
Note: Compared to the sd-encrypt hook, the encrypt hook does not support:
My new partition is on another disk indeed. But they do not say exactly whether replacing the hook encrypt by sd-encrypt, then also adding systemd, sd-vconsole (then mkinitcpio -P), are the only modifications, just to be sure I can swap those hooks on the fly for an installation where "encrypt" was used.
I guess I need to do some tests in a VM first.
I think you made a logic error here.
You are not restricted to unlocking the new partition via the initramfs.
I don't know the proper terminology, so I'll talk as I understand it:
once the initramfs is finished, a chroot to the now unlocked base system is done
you can now do the unlocking and mounting of your new partition from within the "normal" system
you are not dependent on what can be done in initramfs with the encrypt hook
No need to fiddle with or swap the present hooks for systemd hooks.
Just take care of the unlocking and mounting in the "real" system.
No need to do all the work in initramfs.
Essentially: you can just pretend your system is not encrypted at all - and take care of your new encrypted partition from that position.
That is currently the best I can do to describe how it can be done.
Oh, I think I got it wrong somehow. During Manjaro installation, when I defined my partitions (/boot/efi, root, home and storage), I put the exact same passphrase for the last 3 ones, thinking I had to do it like that to be able to enter a passphrase only once at boot.
So, I guess I could have defined 3 different passphrases if I wanted to, and entered the passphrase of the root one at boot.
I must say - I don't know - my thought is if you use a passphrase you need to input it.
If you have a keyfile you can simply open by providing the key as an argument - which is what I believe crypttab is for.
Technically a keyfile can reside on a removable device - kinda 2FA.
As described by @openminded in another topic you can even use a one-time-password authenticator application.
And I must admit that my knowledge on the matter is limited - I did successfully create a verified boot for my laptop - but that doesn't make me an authority on the subject
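The approach the last two replies describe (open the extra partition from the booted system with a keyfile listed in /etc/crypttab, rather than from the initramfs) is what the original question at the top of the thread is asking for. Below is an added worked example that is not from any of the posters: it keeps the keyfile on the already-encrypted root filesystem, so the single boot passphrase still protects it, and keeps a passphrase slot on the new volume as a recovery path. The device path (taken from the DEVICE variable), the mapper name storage2, the keyfile /root/storage2.key and the mount point /mnt/storage2 are all assumed names; nothing touches a disk unless DEVICE is set, because luksFormat wipes the partition.

```shell
#!/bin/sh
# Added example, not from the thread: unlock a second, non-boot LUKS partition
# from the running system via /etc/crypttab using a root-only keyfile.
# Assumed names: mapper "storage2", keyfile /root/storage2.key,
# mount point /mnt/storage2, device taken from $DEVICE (e.g. /dev/nvme1n1p1).
set -eu

# Create a 4 KiB random keyfile readable only by root (mode 0400).
# The umask is set in a subshell so it does not leak into the caller.
make_keyfile() {
    keyfile=$1
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs=512 count=8 2>/dev/null )
    chmod 0400 "$keyfile"
    stat -c %a "$keyfile"    # returns the mode so a caller can verify it
}

# Refuse a keyfile that anyone other than root could read.
keyfile_is_private() {
    mode=$(stat -c %a "$1")
    [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# crypttab line: <mapper name> <device by UUID> <keyfile> <options>.
# A UUID stays stable even if the NVMe disks enumerate in a different order.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Matching fstab line; the device is the mapper node crypttab creates.
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

# Full procedure against a real device. LUKS2 is fine here because this
# volume is opened after boot by the real system, not by the encrypt hook.
setup_second_partition() {
    dev=$1; name=$2; keyfile=$3; mnt=$4
    make_keyfile "$keyfile" >/dev/null
    cryptsetup luksFormat --type luks2 "$dev"        # prompts for a passphrase: keep it as recovery
    cryptsetup luksAddKey "$dev" "$keyfile"          # second key slot holds the keyfile
    cryptsetup open --key-file "$keyfile" "$dev" "$name"
    mkfs.ext4 "/dev/mapper/$name"
    uuid=$(blkid -s UUID -o value "$dev")
    crypttab_line "$name" "$uuid" "$keyfile" >> /etc/crypttab
    mkdir -p "$mnt"
    fstab_line "$name" "$mnt" ext4 >> /etc/fstab
    mount "$mnt"
}

if [ -n "${DEVICE:-}" ]; then
    setup_second_partition "$DEVICE" storage2 /root/storage2.key /mnt/storage2
fi
```

Run it as root with DEVICE=/dev/nvme1n1p1 (or whatever the new partition is) after checking `lsblk` twice; on the next boot systemd reads the crypttab entry and opens storage2 with the keyfile once the root filesystem, and therefore the keyfile, is available, so no second passphrase prompt appears. The luksDump of the new device will then show two key slots in use (passphrase plus keyfile), which is also why a volume with one passphrase can legitimately show more than one enabled slot.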