How can i encrypt an additional partition after installation?


I installed Manjaro last week, with full disk encrypted, only /boot/efi is not encrypted. I have 3 partitions ; root, home, storage encrypted with the same passphrase so that i only need to type my passphrase once at boot, which is fine.

Now, i would like to encrypt another partition located on another nvme disk without the need of typing a passphrase twice when booting.

I do not know how to do, which options do i need to use with cryptsetup ? How to ensure that i would not need to type 2 passphrases when booting ?
I guess i need to choose luks1, aes-xts-plain64, sha256 ? What else ?

Also, do i need to define the same passphrase and embed it into /crypto_keyfile.bin ?

Another question in my mind : if i do sudo cryptsetup luksDump /dev/<partition> on any of the 3 partitions created during the installation process, I have Key Slot 0 and 1 enabled, although I have only one passphrase defined ? How is it possible ?

Thanks for your help

I think most of your questions are covered in:

You’ll just have to go over it.

1 Like

There is no answer about my specific questions in the wiki

The wiki will answer all/most of your questions, if you read it properly.

Where do you think we get the information?

Why not luks2?

You can create a passphrase when you encrypt the partition, then add a key and add an entry in /etc/crypttab.

I can’t remember why calamares sets up 2 slots. However it’s common to have a key file and a passphrase.

It does not if you read my questions properly…
Do you reply this to everybody in here ?

It does if you read it.

The only question it wouldn’t answer is why there are 2 slots being used.

Sorry, please do not waste your time…you do not reply properly as your answers are useless.

I’m just not spoon feeding you.


Please stop to be aggressive and offended, i use Manjaro for several years, but first time with encrypted disk…it’s not related to any distro.

The only one aggressive and offended is you, because someone else doesn’t take their time to go over documentation and put together commands for you, so you can copy paste them.


Please stop projecting.


The question you need to pursue and answer for yourself
or ask about the answer to it
“How are your current encrypted partitions opened/decrypted?”
Once you know that, you can simply apply it to the new one.

If the new one is not essential for boot, but can become available only later on with no ill effect,
you are not even “restricted” to luks version 1

… you may ask specific questions
explaining what you think the wiki said, what you did because of how you think it should work, and what the results where

details … and your own work

Don’t bash people for not doing your work for you or reminding you of it.

I’m holding back a bit because I’m slightly intimidated by your avatar picture and what it implies for me … :face_with_peeking_eye:

A-Team was great fun.



Thanks for your answer,

How are your current encrypted partitions opened/decrypted?*

→ I followed the regular Manjaro installation. So i guess i need to apply the same encryption parameters for my new partition i want to encrypt though i am not 100% this is a pre-requisite.

*If the new one is not essential for boot, but can become available only later on with no ill effect,
you are not even “restricted” to luks version 1

→ I got it now, you replied partially to the previous question. If i consider this partition essential at boot, i understand i have to choose luks1. Do i need also to choose the exact same algorithm, hash and so on ( aes-xts-plain64, sha256…) or only luks1 is required ?

Then, in the wiki, they say :

Note: Compared to the sd-encrypt hook, the encrypt hook does not support:

My new partition is on another disk indeed. But, they do not say exactly if replacing the hook encrypt by sd-encrypt, then also add systemd, sd-vconsole (then mkinitcpio -P) are the only modifications, just to be sure i can swap those hooks on the fly for an installation where ‘encrypt’ was used.
I guess, i need to do some tests in a vm first.

Thank you.

I love it when a plan comes together !

Regarding this:

I think you made a logic error here.
You are not restricted to unlocking the new partition via the initramfs.

I don’t know the proper terminology, so I’ll talk as I understand it:

  • once the initramfs is finished, a chroot to the now unlocked base system is done
  • you can now do the unlocking and mounting of your new partition from within the “normal” system

you are not dependent on what can be done in initramfs with the encrypt hook
No need to fiddle with or swap the present hooks for systemd hooks.
Just take care of the unlocking and mounting in the “real” system.
No need to do all the work in initramfs.

Essentially: you can just pretend your system is not encrypted at all - and take care of your new encrypted partition from that position.

That is currently the best I can do to describe how it can be done.

1 Like

You could store the key for the new container inside the root container - then add it to cryptab - totally untested - I think it would be the easiest.

first generate a keyfile

head -c 2048 /dev/urandom | od | tee /etc/<partkeyname>

Then setup the new container - using the keyfile

cryptsetup luksFormat -q /dev/<partnumber> --key-file /etc/<partkeyname>
1 Like

Alright, i got it, i am not dependent at this point because this new partition is not a root one.

Yes, i will test that, it’s easier indeed. But, do i need also both key and passphrase ?

If you use crypttab the partition is unlocked automagically - as the separate addition it requires a key - see dm-crypt/System configuration - ArchWiki

In the lines I use -q to skip the default password prompt.

You could possibly mogrify the following snippet to suit your purpose - lines 172-187 from my utility script

1 Like

Oh, i think i got it wrong somehow. During Manjaro installation, when i defined my partitions (/boot/efi, root, home and storage), i put the exact same passphrase for the last 3 ones thinking i had to do it like that to be able to enter a passphrase only once at boot.

So, i guess i could have defined 3 different passphrase if i wanted to, and enter the passphrase of the root one at boot.

I must say - I don’t know - my thought is if you use passphrase you need to input it.

If you have a keyfile you can simply open by providing the key as an argument - which is what I believe crypttab is for.

Technically a keyfile can reside on a removable device - kind’a 2FA.

As described by @openminded in another topic you can even use a one-time-password authenticator application.

And I must admit that my knowledge on the matter is limited - I did succesfully create a verified boot for my laptop - but that doesn’t make me an authority on the subject :grin:

1 Like