Hi,
I have Fedora’s root partition and my /home partition on a fast 500GB NVME drive. The 450GB for /home just isn’t enough for all my data. So some of my data, mostly data I don’t touch very often, resides on another, internal 3 or 4 TB SATA-connected HDD (luks-encrypted, ext4 fs).
What are the possibilities and which is the most elegant way to auto-mount that luks-encrypted data partition to /home/data?
If you are using GNOME you can use GNOME Disk Utility to do this. Back when I used GNOME and had my RAID setup in my main desktop, I used to mount my RAID to ~/Music until I got myself a NAS and got rid of the desktop. It’s been several years, so I can’t remember exactly how I did it. But I seem to remember I would select the RAID array in GNOME Disk Utility and then click the partition options button. One of the options was to edit the mount point settings.
IMO the most elegant way is to add the data disk to /etc/crypttab and to /etc/fstab. If your root partition is also LUKS encrypted, you could create a keyfile for your data disk and store it on the root partition and reference it in /etc/crypttab, so that no passphrase is required during system startup.
Just remember to add the nofail flag to /etc/fstab, so as not to get locked out of the system in case the disk was not found.
I prefer that solution too, however, I don’t really know what GNOME Disks does. Does it also add an fstab and crypttab entry?
Also, I prefer not to store a keyfile on my root partition - if I don’t provide it, can I just enter a passphrase when the system starts up, just as I do with my root partition? I would like to have the same passphrase for / partition, /home partition and my "data" partition. How is it possible to enter the passphrase only once?
The settings in GNOME Disks are usually user-session based, but it can be used to place an entry in /etc/crypttab as well, if you’d like to avoid editing the file directly.
For that, you’d need to switch off the User Session Defaults switch (after having selected the encrypted partition in GNOME Disks and selected the Edit Encryption Options from the contextual menu). This would add an entry into /etc/crypttab. I assume that if you provide a passphrase in GNOME Disks, and check Unlock at system startup, then the disk will be unlocked at login (so user based).
However, if you want the disk to be unlocked and mounted at system startup, then an entry in /etc/fstab will have to be manually entered. In this case I would reset the entry in GNOME Disks to User Session Defaults (after having previously copied the entry from /etc/crypttab), so as not to have multiple mount points, then re-add the entry to /etc/crypttab, and add an entry to /etc/fstab, using the nofail flag.
In order to obtain the UUID of the unlocked data partition, you can use the lsblk -f command, with the data disk unlocked and mounted, or from GNOME Disks.
I don’t think there’s the option of entering the passphrase only once for multiple encrypted disks; it doesn’t really make sense from a security POV. That’s where additional keyfiles come in handy, as long as the partition where these are stored is also encrypted.
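
Added example, not part of any post in this thread: a small shell check for the /etc/crypttab plus /etc/fstab setup discussed above. It verifies that the data mount carries nofail and that any keyfile referenced in crypttab is readable only by its owner. The mapping name "data", the keyfile path and the <...> UUID placeholders are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example. Mapping name "data", mount point /home/data, the keyfile
# path and the <...> UUID placeholders are assumptions, not values from the thread.

# Write a constructed crypttab/fstab pair plus a dummy keyfile into DIR ($1).
make_sample() {
    printf 'not-a-real-key\n' > "$1/data.key"
    chmod 0400 "$1/data.key"
    # crypttab fields: name  device  keyfile-or-none  options
    printf 'data UUID=<luks-partition-uuid> %s luks\n' "$1/data.key" > "$1/crypttab"
    # fstab: this UUID is the ext4 filesystem inside the unlocked container
    printf 'UUID=<ext4-fs-uuid> /home/data ext4 defaults,nofail 0 2\n' > "$1/fstab"
}

# 0 if the fstab ($1) entry for mount point $2 carries the nofail option.
fstab_has_nofail() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "nofail") ok = 1
        }
        END { exit(ok ? 0 : 1) }' "$1"
}

# Print the key field of crypttab ($1) mapping $2; "none" means passphrase prompt.
crypttab_key() {
    awk -v n="$2" '$1 !~ /^#/ && $1 == n { print (NF >= 3 ? $3 : "none") }' "$1"
}

# 0 if the keyfile grants nothing to group or other (e.g. mode 0400 or 0600).
keyfile_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# lint_data_disk CRYPTTAB FSTAB NAME MOUNTPOINT: print findings, return their count.
lint_data_disk() {
    problems=0
    fstab_has_nofail "$2" "$4" || { echo "fstab: $4 lacks nofail"; problems=$((problems + 1)); }
    key=$(crypttab_key "$1" "$3")
    case "$key" in
        "") echo "crypttab: no entry named $3"; problems=$((problems + 1)) ;;
        none|-) ;;  # no keyfile: the passphrase is asked for at boot
        *) keyfile_is_private "$key" || { echo "keyfile $key is missing or group/world accessible"; problems=$((problems + 1)); } ;;
    esac
    return "$problems"
}

# Demo on the constructed files; on a real system pass /etc/crypttab and /etc/fstab.
d=$(mktemp -d) && make_sample "$d" \
    && lint_data_disk "$d/crypttab" "$d/fstab" data /home/data && echo "no findings"
rm -rf "$d"
```

The constructed sample shows the keyfile variant; with none in the third crypttab field the keyfile check is skipped and only the nofail check applies.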