How can I encrypt an additional partition after installation?

Hello,

I installed Manjaro last week, with full disk encrypted; only /boot/efi is not encrypted. I have 3 partitions: root, home, storage, encrypted with the same passphrase so that I only need to type my passphrase once at boot, which is fine.

Now, I would like to encrypt another partition located on another nvme disk without the need of typing a passphrase twice when booting.

I do not know how to do it; which options do I need to use with cryptsetup? How to ensure that I would not need to type 2 passphrases when booting?
I guess I need to choose luks1, aes-xts-plain64, sha256? What else?

Also, do I need to define the same passphrase and embed it into /crypto_keyfile.bin?

Another question in my mind: if I do sudo cryptsetup luksDump /dev/<partition> on any of the 3 partitions created during the installation process, I have Key Slot 0 and 1 enabled, although I have only one passphrase defined? How is it possible?

Thanks for your help

I think most of your questions are covered in:
https://wiki.archlinux.org/title/dm-crypt

You’ll just have to go over it.


There is no answer about my specific questions in the wiki

The wiki will answer all/most of your questions, if you read it properly.

Where do you think we get the information?

Why not luks2?

You can create a passphrase when you encrypt the partition, then add a key and add an entry in /etc/crypttab.

I can’t remember why calamares sets up 2 slots. However it’s common to have a key file and a passphrase.

It does not if you read my questions properly…
Do you reply this to everybody in here?

It does if you read it.

The only question it wouldn’t answer is why there are 2 slots being used.

Sorry, please do not waste your time… you do not reply properly, as your answers are useless.

I’m just not spoon feeding you.


Please stop being aggressive and offended. I have used Manjaro for several years, but this is my first time with an encrypted disk… it's not related to any distro.

The only one aggressive and offended is you, because someone else doesn’t take their time to go over documentation and put together commands for you, so you can copy paste them.


Please stop projecting.


The question you need to pursue and answer for yourself
or ask about the answer to it
is:
“How are your current encrypted partitions opened/decrypted?”
Once you know that, you can simply apply it to the new one.

If the new one is not essential for boot, but can become available only later on with no ill effect,
you are not even “restricted” to luks version 1

… you may ask specific questions
explaining what you think the wiki said, what you did because of how you think it should work, and what the results were

details … and your own work

Don’t bash people for not doing your work for you or reminding you of it.

I’m holding back a bit because I’m slightly intimidated by your avatar picture and what it implies for me … :face_with_peeking_eye:

A-Team was great fun.

Cheers!


Thanks for your answer,

How are your current encrypted partitions opened/decrypted?

→ I followed the regular Manjaro installation. So I guess I need to apply the same encryption parameters for my new partition I want to encrypt, though I am not 100% sure this is a pre-requisite.

If the new one is not essential for boot, but can become available only later on with no ill effect,
you are not even “restricted” to luks version 1

→ I got it now, you replied partially to the previous question. If I consider this partition essential at boot, I understand I have to choose luks1. Do I also need to choose the exact same algorithm, hash and so on (aes-xts-plain64, sha256…), or is only luks1 required?

Then, in the wiki, they say:

Note: Compared to the sd-encrypt hook, the encrypt hook does not support:

My new partition is on another disk indeed. But they do not say exactly if replacing the hook encrypt by sd-encrypt, then also adding systemd, sd-vconsole (then mkinitcpio -P), are the only modifications; just to be sure I can swap those hooks on the fly for an installation where ‘encrypt’ was used.
I guess I need to do some tests in a VM first.

Thank you.

I love it when a plan comes together!

Regarding this:

I think you made a logic error here.
You are not restricted to unlocking the new partition via the initramfs.

I don’t know the proper terminology, so I’ll talk as I understand it:

  • once the initramfs is finished, a chroot to the now unlocked base system is done
  • you can now do the unlocking and mounting of your new partition from within the “normal” system

you are not dependent on what can be done in initramfs with the encrypt hook
No need to fiddle with or swap the present hooks for systemd hooks.
Just take care of the unlocking and mounting in the “real” system.
No need to do all the work in initramfs.

Essentially: you can just pretend your system is not encrypted at all - and take care of your new encrypted partition from that position.

That is currently the best I can do to describe how it can be done.


You could store the key for the new container inside the root container - then add it to crypttab - totally untested - I think it would be the easiest.

First generate a keyfile

head -c 2048 /dev/urandom | od | tee /etc/<partkeyname>

Then set up the new container - using the keyfile

cryptsetup luksFormat -q /dev/<partnumber> --key-file /etc/<partkeyname>

Alright, I got it, I am not dependent at this point because this new partition is not a root one.

Yes, I will test that, it's easier indeed. But do I also need both key and passphrase?

If you use crypttab the partition is unlocked automagically - as the separate addition it requires a key - see dm-crypt/System configuration - ArchWiki

In the lines I use -q to skip the default password prompt.

You could possibly mogrify the following snippet to suit your purpose - lines 172-187 from my utility script

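To put the keyfile approach from the post above together with the crypttab remark, here is an added example script; it is not from the thread nor from any poster's utility script, and the device path, mapper name, keyfile path and mount point are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not from the thread: a second LUKS container unlocked at boot
# by a keyfile kept on the already-encrypted root filesystem, so the root
# passphrase stays the only one typed. Device, mapper name and paths below are
# placeholders. Run with --run (as root) to apply; otherwise nothing is touched.
set -eu

DEVICE="${DEVICE:-/dev/nvme1n1p1}"             # the new, still empty partition
NAME="${NAME:-cryptdata}"                       # becomes /dev/mapper/cryptdata
KEYFILE="${KEYFILE:-/etc/luks-keys/$NAME.key}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/data}"

# Keyfile of raw random bytes, readable by root only. The thread pipes through
# od, which yields a text dump; raw bytes are the usual form and work the same.
make_keyfile() {
    install -d -m 700 "$(dirname "$1")"
    (umask 077 && head -c 2048 /dev/urandom > "$1")
    chmod 400 "$1"
}

# crypttab entry: mapper name, device by UUID, keyfile, options. LUKS2 is fine
# here because the container is opened from the running system, not initramfs.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,noatime 0 2\n' "$1" "$2"
}

apply() {
    make_keyfile "$KEYFILE"
    # -q skips the confirmation prompt; the keyfile lands in key slot 0.
    cryptsetup luksFormat --type luks2 -q "$DEVICE" --key-file "$KEYFILE"
    # A passphrase in a second slot keeps the data reachable if the keyfile is lost.
    cryptsetup luksAddKey "$DEVICE" --key-file "$KEYFILE"
    uuid=$(cryptsetup luksUUID "$DEVICE")
    crypttab_line "$NAME" "$uuid" "$KEYFILE" >> /etc/crypttab
    cryptsetup open "$DEVICE" "$NAME" --key-file "$KEYFILE"
    mkfs.ext4 -q "/dev/mapper/$NAME"
    mkdir -p "$MOUNTPOINT"
    fstab_line "$NAME" "$MOUNTPOINT" >> /etc/fstab
    mount "$MOUNTPOINT"
}

if [ "${1:-}" = "--run" ]; then apply; fi
```

Because the keyfile sits on the root filesystem, it is only readable after the root container has been opened with its passphrase, which is what makes the second volume open without a second prompt.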

Oh, I think I got it wrong somehow. During Manjaro installation, when I defined my partitions (/boot/efi, root, home and storage), I put the exact same passphrase for the last 3 ones, thinking I had to do it like that to be able to enter a passphrase only once at boot.

So, I guess I could have defined 3 different passphrases if I wanted to, and entered the passphrase of the root one at boot.

I must say - I don’t know - my thought is if you use passphrase you need to input it.

If you have a keyfile you can simply open by providing the key as an argument - which is what I believe crypttab is for.

Technically a keyfile can reside on a removable device - kind’a 2FA.

As described by @openminded in another topic you can even use a one-time-password authenticator application.

And I must admit that my knowledge on the matter is limited - I did successfully create a verified boot for my laptop - but that doesn't make me an authority on the subject :grin:
