Today's scenario was a laptop with an SSD and a spinning disk, and the goal was to deploy a Debian system on it so that as many things as possible are encrypted.
My preferred option for it is to set up one big LUKS partition on each disk, and put an LVM2 Physical Volume inside each partition. At boot, the two LUKS partitions are opened, their contents are assembled into a Volume Group, and I can have everything I want inside.
This has advantages:
- if any of the disks breaks, the other can still be unlocked, and it should still be possible to access the LVs inside it
- once boot has happened, any layout of LVs can be used with no further worries about encryption
- I can use pvmove to move partitions at will between SSD and spinning disks, which means I can at anytime renegotiate the tradeoffs between speed and disk space.
However, by default this causes cryptsetup to ask for the password once for each LUKS partition, even if the passwords are the same.
Searching for ways to mitigate this gave me unsatisfactory results, like:
- decrypt the first disk, and use a file inside it as the keyfile to decrypt the second one. But in this case if the first disk breaks, I also lose the data in the second disk.
- reuse the LUKS session key for the first disk in the second one. Same problem as before.
- put a detached LUKS header in /boot and use it for both disks, then make regular backups of /boot. It is an interesting option that I have not tried.
The solution that I found was something that did not show up in any of my search results, so I'm documenting it here:
```
# <target name> <source device> <key file> <options>
ssd  /dev/sda2 main luks,initramfs,discard,keyscript=decrypt_keyctl
spin /dev/sdb1 main luks,initramfs,keyscript=decrypt_keyctl
```
This caches each password for 60 seconds, so that it can be reused to unlock other devices that use it. The documentation can be found at the beginning of /lib/cryptsetup/scripts/decrypt_keyctl, beware of the leopard™.

`main` is an arbitrary tag used to specify which devices use the same password.
This is also useful to work easily with multiple LUKS-on-LV setups:
```
# <target name> <source device> <key file> <options>
home   /dev/mapper/myvg-chome   main luks,discard,keyscript=decrypt_keyctl
backup /dev/mapper/myvg-cbackup main luks,discard,keyscript=decrypt_keyctl
swap   /dev/mapper/myvg-cswap   main swap,discard,keyscript=decrypt_keyctl
```
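A small checker for the two crypttab layouts above, added here as an example and not part of the original post or of cryptsetup: it groups entries by the tag in the key-file field and flags an entry that reuses the tag without `keyscript=decrypt_keyctl`, since cryptsetup would then read that field as a path to a key file. The crypttab text is a constructed sample; the third entry is deliberately wrong.

```python
"""Check crypttab entries that share a password via decrypt_keyctl."""
from collections import defaultdict

# Constructed sample crypttab; the "data" line is an intentional mistake
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
ssd  /dev/sda2 main luks,initramfs,discard,keyscript=decrypt_keyctl
spin /dev/sdb1 main luks,initramfs,keyscript=decrypt_keyctl
data /dev/sdc1 main luks
"""


def parse_crypttab(text):
    """Return a list of (target, source, keyfile, options) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {line!r}")
        target, source = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append((target, source, keyfile, options))
    return entries


def keyctl_groups(entries):
    """Map each keyctl tag to the targets that will share its password."""
    groups = defaultdict(list)
    for target, _, keyfile, options in entries:
        if "keyscript=decrypt_keyctl" in options:
            groups[keyfile].append(target)
    return dict(groups)


def find_problems(entries):
    """Return warnings for entries where tag and keyscript do not match."""
    tags = set(keyctl_groups(entries))
    problems = []
    for target, _, keyfile, options in entries:
        uses_keyctl = "keyscript=decrypt_keyctl" in options
        if not uses_keyctl and keyfile in tags:
            # Without the keyscript the field is treated as a key file path
            problems.append(f"{target}: key field {keyfile!r} is a keyctl tag "
                            "but keyscript=decrypt_keyctl is missing")
        if uses_keyctl and keyfile == "none":
            problems.append(f"{target}: decrypt_keyctl needs a tag in the key field")
    return problems
```

Run it over your real /etc/crypttab with `parse_crypttab(open("/etc/crypttab").read())` to see which targets will actually share one password prompt.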