1

How do we unlock multiple disks with one password prompt at CentOS-7 bootup? In Debian, I can do it using decrypt_keyctl & initramfs in /etc/crypttab (which I see is described here).

Right now, I'm using Nethserver, and crypttab looks like:

luks_root   UUID=<uuid1>   none
luks_swap   UUID=<uuid2>   none

How do I add another disk, which I want to decrypt via a (the same) password?

Perhaps that will also clear up the mystery of how it is that the present bootup happens with only one password prompt and without a keyfile.

Diagon

2 Answers

2

It turns out the answer is actually Method1 in this answer. It applies to both Ubuntu and CentOS. Quoting:

Systemd ... will unlock all additional LUKS partitions if

  1. all of the partitions you want to unlock use the same password
  2. you enter the password for the root partition correctly the first time. If you get it wrong, you'll need to enter it again for every other LUKS partition
Diagon
  • Hm, this doesn't work on Ubuntu 20.04 with 2 encrypted partitions on 2 disks. Password needs to be entered 2 times then. – maxschlepzig Nov 28 '20 at 18:31
  • Ok, that's bad news. I'm not running 20.04 yet, so I can't check it on my machine. Let us know if you find a solution, huh? thanks. – Diagon Nov 30 '20 at 00:32
  • [This answer](https://unix.stackexchange.com/a/392286/1131) works fine. (i.e. first method with the mentioned workaround) – maxschlepzig Nov 30 '20 at 21:18
  • Thanks. Problem is, on another machine I use this approach to open two LUKS disks that form a BtrFS-RAID1. So on that machine, I really need to open both simultaneously before getting to root. So if it's not Debian based, which would include decrypt_keyctl, then I'll be stuck. – Diagon Dec 01 '20 at 11:08
0

Is your crypttab complete? I don't see a configured keyfile...so I don't know how to do this without keyfiles.

The normal way, as far as I know, is to create and attach keyfiles to every LUKS container and use these to unlock. All the keyfiles should be contained in one LUKS container. This container, you can unlock via passphrase and then the keyfiles are available for unlocking the other containers.

thinkingeye
  • It is, indeed, complete. I understand what you are saying, but I do want to do this with a password, as I do on Debian, rather than a keyfile. – Diagon Aug 12 '19 at 09:59
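
Added example (not part of the original question or answers): a small shell check that reads a crypttab and separates the entries that prompt for a passphrase, which per the first answer must all share one passphrase to be unlocked from a single prompt, from entries unlocked by key file as the second answer describes. The sample file is constructed; `luks_data`, `luks_backup`, `<uuid3>`, `<uuid4>` and the key file path are hypothetical.

```shell
#!/bin/sh
# crypttab fields: name  device  key-file  options
# A key-file field that is absent, "none" or "-" means the passphrase
# is asked for interactively at boot.

# Print the names of volumes that will prompt for a passphrase.
prompted_volumes() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                      # blank line or comment
        NF < 3 || $3 == "none" || $3 == "-" { print $1 }
    ' "$1"
}

# Print "name: keyfile" for volumes unlocked from a key file.
keyfile_volumes() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF >= 3 && $3 != "none" && $3 != "-" { print $1 ": " $3 }
    ' "$1"
}

# Constructed sample: the two entries from the question, a hypothetical
# third disk added with "none", and a hypothetical key file entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name       device         key-file              options
luks_root    UUID=<uuid1>   none
luks_swap    UUID=<uuid2>   none
luks_data    UUID=<uuid3>   none
luks_backup  UUID=<uuid4>   /etc/keys/backup.key  luks
EOF

echo "Prompted at boot (all need the same passphrase for a single prompt):"
prompted_volumes "$sample"
echo "Unlocked by key file (the key file itself should sit inside an encrypted volume):"
keyfile_volumes "$sample"
rm -f "$sample"
```

On a real system, point both functions at `/etc/crypttab` instead of the sample file.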