m01_Extending_LUKS_to_Protect_an_Additional_Drive

In this mini-guide, we'll show how to easily extend your LUKS protection to cover an additional drive (or drives) on your system. This is most useful with desktop machines, where you may have multiple hard drives installed.

{{Note|If you simply wish to protect a removable drive (such as a USB key), it's easier to rely on the tools already in GNOME; you can use the {{c|Disks}} utility to format your drive with encryption (see [https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage this guide], for example), and then have it unlocked automatically (assuming you are logged in) on insertion (to do so, just opt to allow GNOME to remember your passphrase for the drive, when first prompted).}}

== <span id="prerequisites">Prerequisites</span> ==

To carry this out, you will need:
* to have an operational {{c|systemd}}/{{c|EFI}} {{c|Gentoo}} system, which you have set up per the text of the main guide (you don't need to have installed GNOME, however); and
* a secondary drive (or partition) that you would like to protect with LUKS, and have automatically mounted on boot.

== <span id="preparing_systemd">Preparing systemd</span> ==

First, we'll need to ensure that {{c|systemd}} has the {{c|cryptsetup}} USE flag enabled (which it does not, by default); this turns on the unit generator for {{Path|/etc/crypttab}}, which we'll need. Open a terminal, get {{c|root}}, then issue:

{{RootCmd
|nano -w /etc/portage/package.use
}}
and append the following line:
{{FileBox|filename=/etc/portage/package.use|title=Append this line to enable the crypttab unit generator|lang=bash|1=
sys-apps/systemd  cryptsetup
}}
Save and exit {{c|nano}}; then, rebuild {{c|systemd}}:
{{RootCmd
|emerge --ask --verbose --oneshot sys-apps/systemd
|output=<pre>
... additional output suppressed ...
Would you like to merge these packages? [Yes/No] <press y, then press Enter>
... additional output suppressed ...
</pre>
}}

== <span id="preparing_new_drive">Preparing your New Drive</span> ==

In the below, I'm going to assume you want to use [[../Preparing_the_LUKS-LVM_Filesystem_and_Boot_USB_Key#Formatting_the_New_Partition_with_LUKS|same cryptography settings]] as those recommended for the main system, earlier in the tutorial (obviously, adapt as appropriate). I will refer to the drive as {{Path|/dev/sdN}}; substitute your actual device path as appropriate ({{Path|/dev/sdc}}, {{Path|/dev/sdd}} etc.). Also, if you wish to encrypt only one partition within the drive, use the relevant value instead (e.g., {{Path|/dev/sdc1}}, {{Path|/dev/sdd1}} etc.) You can use the <code>Disks</code> utility in GNOME, or the {{c|lsblk}} command line utility, to find your device's path.

First, we will create a keyfile, and place this in the {{c|root}} user's home directory, within the (already LUKS-protected) {{c|root}} partition. Issue:
{{RootCmd
|touch /root/crypt1.key
|chmod 400 /root/crypt1.key
|dd if{{=}}/dev/urandom of{{=}}/root/crypt1.key bs{{=}}512 count{{=}}1
}}
to create the key, and make it (read) accessible by the {{c|root}} user only.

{{Note|We do '''not''' {{c|gpg}}-encrypt this keyfile, as we need it to be unlocked automatically. The key 'lives' in a LUKS-protected location already, so this is safe to do.}}

Now, LUKS-format your new drive:
{{Warning|This will '''destroy''' any existing data on the drive! Make sure you have the device path correct before proceeding.}}
{{RootCmd
|cryptsetup --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --key-file /root/crypt1.key luksFormat /dev/sdN
|output=<pre>

WARNING!
========
This will overwrite data on /dev/sdN irrevocably.

Are you sure? (Type uppercase yes): <double-check this is OK, then type YES and press Enter>
</pre>
}}
{{Note|Replace {{Path|/dev/sdN}} in the above command (and where used subsequently) with that of your new drive, or, if appropriate, the partition within it (e.g., {{Path|/dev/sdc}}, {{Path|/dev/sdd}} etc. for a drive; {{Path|/dev/sdc1}}, {{Path|/dev/sdd1}} etc. for a partition).}}

Next, open the encrypted device, using the keyfile:
{{RootCmd
|cryptsetup luksOpen --key-file /root/crypt1.key /dev/sdN crypt1
}}

If that succeeded, the new device will be visible under {{Path|/dev/mapper}} (as {{Path|/dev/mapper/crypt1}}).

Next, create a filesystem on your unlocked drive.

{{Note|You can simply create an {{c|ext4}} or similar filesystem if you like; however, to illustrate the most complex (normal) case, in this example we're going to create an {{c|LVM}} setup, with (arbitrarily) two logical volumes {{c|foo}} and {{c|bar}} on top of {{Path|/dev/mapper/crypt1}}, each of 10GiB (and each of which will later be formatted {{c|ext4}}). Obviously, adapt the number of logical volumes, their sizes, and their names to your own requirements.}}

Issue:
{{RootCmd
|pvcreate /dev/mapper/crypt1
|vgcreate cr1 /dev/mapper/crypt1
|lvcreate --size 10G --name foo cr1
|lvcreate --size 10G --name bar cr1
|vgchange --activate y cr1
}}
to create the physical volume (PV), volume group {{c|cr1}} (VG) and the {{c|foo}} and {{c|bar}} logical volumes (LVs).

The LVs will be visible (in this case) as {{Path|/dev/mapper/cr1-foo}} and {{Path|/dev/mapper/cr1-bar}}. They may be treated as any other device - so let's do that now, and format them (adapt to your own requirements):
{{RootCmd
|mkfs.ext4 -m 0 -L "test" /dev/mapper/cr1-foo
|mkfs.ext4 -m 0 -L "test" /dev/mapper/cr1-bar
}}

Close the drive again:
{{RootCmd
|cryptsetup luksClose crypt1
}}

Finally, find the UUID of the new LUKS disk (or partition); issue:
{{RootCmd
|blkid /dev/sdN
|output=<pre>
/dev/sdN: UUID="45f1f1af-025b-4395-8a33-7ef0a4709329" TYPE="crypto_LUKS"
</pre>
}}
Your output will differ from the above. Note down the UUID.
{{Note|If you have your new LUKS set up on a partition, rather than a whole drive, ''ignore'' the PARTUUID, and note the UUID only.}}

== <span id="configuring_crypttab_fstab">Configuring /etc/crypttab and /etc/fstab</span> ==

Next, we need to set up the file {{Path|/etc/crypttab}}. This file is processed by {{c|systemd}} ''before'' {{Path|/etc/fstab}} is read, and tells the system which cryptographically protected volumes it should unlock at boot.
{{Note|For more information about the format of {{Path|/etc/crypttab}}, see <kbd>man crypttab</kbd>.}}

Issue:
{{RootCmd
|nano -w /etc/crypttab
}}

and add the following text to the file (subsituting the UUID you just noted down for the one I have used, obviously):
{{FileBox|filename=/etc/crypttab|title=Specifying a LUKS volume to automatically unlock at boot|1=
crypt1  UUID=45f1f1af-025b-4395-8a33-7ef0a4709329  /root/crypt1.key  luks
}}
Save and exit {{c|nano}}.

That's it for the encryption side of things; with this in place, {{c|systemd}} will automatically unlock the LUKS container, call it {{Path|/dev/mapper/crypt1}}, and then activate any logical volumes within it, and make these available via the device mapper too. This will be done ''before'' {{Path|/etc/fstab}} is processed, so you are now free to cite these LVs within your {{Path|/etc/fstab}}.

For example, let's suppose we wanted to mount the {{c|foo}} LV at {{Path|/mnt/foo}}, and {{c|bar}} at {{Path|/home/bar}} (these are just examples, obviously, adapt to your own requirements).

We need to create mountpoints, as they don't exist yet, so issue:
{{RootCmd
|mkdir -pv /mnt/foo /home/bar
}}

Then add the entries to {{Path|/etc/fstab}} to have them mounted. Issue:
{{RootCmd
|nano -w /etc/fstab
}}

and then ''append'' (for our example, adapt to your own requirements):
{{FileBox|filename=/etc/fstab|title=Append, to specify mountpoints for our newly created LVs|1=
/dev/mapper/cr1-foo    /mnt/foo    ext4    defaults    0 2
/dev/mapper/cr1-bar    /home/bar   ext4    defaults    0 2
}}
Save and exit {{c|nano}}.
{{Note|For more information about the format of {{Path|/etc/fstab}}, see <kbd>man fstab</kbd>.}}

That's it! Next time you reboot, you should have access to your new protected LVs!

To rejoin the main guide, click [[../Using_Your_New_Gentoo_System#additional_mini_guides|here ({{c|systemd}})]] or [[../Using_Your_New_Gentoo_System_under_OpenRC#additional_mini_guides|here ({{c|OpenRC}})]].