Hi and welcome to the forum
First of all, you need to understand that luks encryption does not support chaining different drives/partitions like RAID or LVM.
So you can't "Add another disk" to that encryption like your title suggests…
You can however add another disk/partition to the entire system which can be encrypted also.
So going by the intention that you want to add another disk to your system while using encryption on that also:
For comparison this is my current setup:
- My ESP is on a different disk than my OS.
- I use full disk LUKS2 on my OS's HD.
- I keep my LUKS2 password(s) inside the initrd, which is stored under /boot
- I mount my ESP at /efi and do a bind-mount of a subdir of the ESP as /boot
I plan on moving this ESP to a USB stick
You could make use of /etc/crypttab.initramfs which will become /etc/crypttab on the initramfs only.
In there you could use the same password or an entirely different one for the extra SSD disk.
Just make sure to include the file(s) with the password(s) inside the initrd when you reference it inside that /etc/crypttab.initramfs.
(If you don't you will be prompted for the password at boot)
I have the file(s) with the password(s) used in the crypttab, mentioned above, placed under /etc/cryptfs-keys.d/
And use this inside the /etc/mkinitcpio.conf to copy them into the initrd:
FILES=(
/etc/cryptfs-keys.d/root
# /etc/cryptfs-keys.d/swap
)
(Yes, I disabled swap on disk for my setup and use a zram because of my extra RAM)
I also make use of these in the same file to apply personal preferences to my bootup:
HOOKS=(
base
systemd
autodetect
modconf
block
keyboard
keymap
# sd-vconsole
sd-encrypt
sd-lvm2
# lvm2
filesystems
bootsplash-manjaro
# bootsplash-vendor
# bootsplash-xfce
fsck
# consolefont
)
At first thought you would maybe say: "But the passwords are still on the hard-disk, and on top of that you also place them inside the initrd", and you are right, but you don't need to be afraid of them.
- Your Operating System is stored inside a LUKS2 container in encrypted form, so it is relatively safe from outsiders.
- The only place they are still in plain-text form is the initrd, but as I mentioned I plan to move the whole ESP where it is stored onto a USB stick which I will be able to unplug and carry around with me
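
A check for the point above that every keyfile referenced in /etc/crypttab.initramfs must also be listed under FILES=() in /etc/mkinitcpio.conf, otherwise the boot falls back to a password prompt. This is an added example, not part of the original post; the "data" mapping, the UUID placeholders and the owner-only permission check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the post). Sample data is constructed; UUIDs are placeholders.

# Print the active (uncommented) entries of FILES=( ... ) in a mkinitcpio.conf.
list_initrd_files() {
    awk '
        /^[ \t]*FILES=\(/ { inarr = 1; sub(/^[ \t]*FILES=\(/, "") }
        inarr {
            sub(/#.*/, "")              # drop comments like "# /etc/.../swap"
            closed = sub(/\).*/, "")    # ")" ends the array
            for (i = 1; i <= NF; i++) print $i
            if (closed) inarr = 0
        }' "$1"
}

# check_keyfiles CRYPTTAB MKINITCPIO_CONF [ROOT]
# ROOT is prepended to keyfile paths so a staging tree can be checked.
check_keyfiles() {
    crypttab=$1; conf=$2; root=${3:-}; bad=0
    listed=$(list_initrd_files "$conf")
    # crypttab fields: name, device, keyfile, options
    while read -r name _dev key _opts; do
        case $name in ''|'#'*) continue ;; esac
        case $key in ''|none|-) echo "$name: PROMPT"; continue ;; esac
        if ! printf '%s\n' "$listed" | grep -Fqx -- "$key"; then
            echo "$name: NOT-IN-FILES $key"; bad=1
        elif [ ! -f "$root$key" ]; then
            echo "$name: NO-SUCH-FILE $key"; bad=1
        elif [ "$(ls -ld "$root$key" | cut -c5-10)" != "------" ]; then
            echo "$name: LOOSE-MODE $key"; bad=1   # readable by group or others
        else
            echo "$name: OK $key"
        fi
    done < "$crypttab"
    return "$bad"
}

# Constructed sample: root is covered, the extra disk's key is still commented out.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/etc/cryptfs-keys.d" || return 1
    for k in root data; do
        echo "constructed-key" > "$d/etc/cryptfs-keys.d/$k"
        chmod 600 "$d/etc/cryptfs-keys.d/$k"
    done
    printf 'FILES=(\n/etc/cryptfs-keys.d/root\n# /etc/cryptfs-keys.d/data\n)\n' > "$d/mkinitcpio.conf"
    printf '%s\n' 'root UUID=<root-uuid> /etc/cryptfs-keys.d/root luks' \
        'data UUID=<data-uuid> /etc/cryptfs-keys.d/data luks' > "$d/crypttab.initramfs"
    rc=0; check_keyfiles "$d/crypttab.initramfs" "$d/mkinitcpio.conf" "$d" || rc=$?
    rm -rf "$d"; echo "exit=$rc"
}
demo
```

On a real system the call would be `check_keyfiles /etc/crypttab.initramfs /etc/mkinitcpio.conf`, run as root before regenerating the initramfs.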