Encryption with two disks /root and /home

I have installed Silverblue like this:


I have two btrfs volumes:

Disk 1: fedora (root and var as subvolumes)

Disk 2: home (home as subvolume)

I would like to encrypt my drives. I will reinstall everything, but my question is: is there any way to encrypt my two disks with the same password and only have to type it once to log in?

If not, should I just encrypt /home and forget about /root?

I do not want to create a single btrfs volume with my two disks; I did that and the performance took a hit. The root disk is an expensive one and the home disk is a cheap one, just for data.

Whether you want to encrypt both root and home depends on the “attack” you want to protect against:

  • lost/stolen computer: encrypted home protects your data
  • unnoticed access to your computer: encrypted root protects against installing keyloggers etc
    Note that to be really safe, you’d need encrypted /boot here, as well.

As for the passwords: last time I had a setup like this the system would cache the passphrase while it unlocked several encrypted volumes so that having the same passphrase required 1 prompt only, unless you make a typo :wink:

Alternatively, you could use a passphrase on the first volume and a key file (stored on the first volume) for the second volume if this still matches your security considerations (key file can be copied with root access, but root access allows “everything”, of course).

This is what I would do. Make sure to also enroll a password as backup for the second LUKS devices.

I have my root and home on separate disks, LUKS2, encrypted. When booting, I enter passphrase to unlock the root, where the key file for the home is located. Then cryptsetup does the job unlocking home without asking its passphrase.

You could go a step further and use systemd-homed. With that you unlock your home directory using your login password.

This sounds good but, honestly, encryption is new for me. Not sure how to do this.

Should I encrypt both disks with password in anaconda and then once everything is done and running, then create a key file for the second disk?

I would really appreciate some step by step here :worried:

Edit: What is the advantage of the key file instead of the same password for both disks?

Asking because it might not worth the effort of the key file for my case.

Is this documented somewhere? Is it supported out-of-the-box in Silverblue?

Isn't this all easiest to achieve from the Anaconda installer: select both drives and then encrypt all, set up custom partitions or use automatic.

I use this with my 2 NVMe drives encrypted and LVM; the easiest way is usually just clicking automatic setup, the best way.

What is the advantage of the key file instead of the same password for both disks?

Asking because it might not worth the effort of the key file for my case.

See https://systemd.io/CONVERTING_TO_HOMED/.

I have no idea if it works on Silverblue.

Then better not recommend it to someone until officially supported!

Hi,

I installed fedora 40 on a laptop with two drives yesterday.
I first used disk one (20GB) for the install. Then from the new OS encrypted the second disk, decrypted, wrote a btrfs partition to it. Then I created a keyfile, added the keyfile to the second disk as a, well, keyfile. Then set it up in /etc/crypttab, /etc/fstab. The cmds are from my root .bash_history.

The second disk decrypts and mounts on boot (I set my /home there) - you only enter a decryption password once to decrypt both disks.

OK, so my second disk has the disk label /dev/sda.
If anyone is following this USE YOUR DISK LABEL. Otherwise the wrong disk could be wiped


cryptsetup luksFormat /dev/sda # (here set a pass as a failsafe)
dd bs=512 count=4 if=/dev/random of=/etc/keyfile iflag=fullblock
chmod 400 /etc/keyfile 
cryptsetup luksAddKey /dev/sda /etc/keyfile # device first, then the new key file
cryptsetup luksOpen /dev/sda lukko # use pass
mkfs.btrfs /dev/mapper/lukko # (use 0% - 100% as limits)
vi /etc/crypttab 
# added:
# lukko /dev/sda /etc/keyfile luks
vi /etc/fstab
# added:
# /dev/mapper/lukko /home btrfs defaults 1 2 # (comment out other /home line)
umount /mnt/lukko 
cryptsetup close lukko
reboot

This didn’t exactly come from a guide. Hopefully I haven’t missed anything important.

The advantage of the keyfile is that you never need the passphrase. I would still set one up, though, i.e.:

  • during install, set up two encrypted volumes
  • you may choose the same passphrase or different ones
    If you choose the same passphrase, chances are that you need to enter it only once.

There is no simple way to set up a keyfile during install (unless you switch to a virtual console, set up the file system, switch back and preserve the file system). I recommend doing the install as above first.

For adding the keyfile and setting things up, you will have to use the command line (only some of the steps pointed out by @benpietras ). Depending on how you feel about doing something like this, you may prefer to stick with passphrase only as above, or we’ll detail the steps (in short: create keyfile, cryptsetup luksAddKey, edit crypttab).

It doesn't look too hard.

To be clear, I install Fedora with two volumes, one in each disk (root and home) with passwords.

And then, with the system running, I add the key file?

Yes, please. If i could get those steps it would be great.

Now I understand what you meant with ‘unless you make a typo’. In that case I will have to type my password for each disk. A key file will solve that problem.

Ok, so let’s go, as root or using sudo for each command:

findmnt /home

will tell you which luks device your home is on, say luks-123-456 (it’s longer). Then,

cryptsetup status luks-123-456

will tell you which device is underlying that luks device, say /dev/diskOrPart (will be sd something, nvme something, ...). Next, we create a random keyfile just like Ben did (be extra sure to get the dd line right):

mkdir -p /etc/cryptsetup-keys.d
dd bs=512 count=4 if=/dev/random of=/etc/cryptsetup-keys.d/luks-123-456.key iflag=fullblock
chmod 400 /etc/cryptsetup-keys.d/luks-123-456.key

Finally, we add that keyfile as a key to unlock your luks device:

cryptsetup luksAddKey /dev/diskOrPart /etc/cryptsetup-keys.d/luks-123-456.key

You will need to enter your passphrase here to confirm that you’re legit :wink:

Now, if the man page is right, you do not even need to edit /etc/crypttab because keyfiles are searched for automatically in that dir if they are named by luks device. Otherwise, change the none in the crypttab entry for your home luks device into the full path of the keyfile.
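An added check for the keyfile setup in Ben's command list and in the steps just above (example code, not from any post in this thread): it parses a crypttab file and verifies that every keyfile it references, including the /etc/cryptsetup-keys.d/<name>.key files that systemd-cryptsetup picks up on its own per crypttab(5), is a regular root-only file of reasonable size. It assumes GNU coreutils (stat -c, mktemp -d, dd status=none); the demo fixture, its device names and the KEYDIR override are constructed for the example.

```shell
# Added example, not from the thread: audit crypttab entries that unlock a
# volume with a keyfile. Assumes GNU coreutils (stat -c, mktemp, dd status=).
KEYDIR=${KEYDIR:-/etc/cryptsetup-keys.d}

# check_keyfile PATH: 0 if PATH is a regular file, mode 400 or 600, and at
# least 32 bytes long; otherwise print the problem and return 1.
check_keyfile() {
    kf=$1
    [ -f "$kf" ] || { echo "missing: $kf"; return 1; }
    mode=$(stat -c %a "$kf")
    case "$mode" in 400|600) ;; *) echo "mode $mode, want 400: $kf"; return 1 ;; esac
    size=$(stat -c %s "$kf")
    [ "$size" -ge 32 ] || { echo "only $size bytes: $kf"; return 1; }
}

# audit_crypttab FILE: return the number of entries whose keyfile fails.
# A key field of "none" or "-" means a passphrase prompt, unless
# $KEYDIR/<name>.key exists: systemd-cryptsetup then uses it automatically
# (crypttab(5)), so that file is audited as well.
audit_crypttab() {
    fails=0
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac
        case "${key:-none}" in
            none|-) key=$KEYDIR/$name.key; [ -e "$key" ] || continue ;;
        esac
        check_keyfile "$key" || fails=$((fails + 1))
    done < "$1"
    return "$fails"
}

# demo: constructed fixture in a temp dir (a good key made like the dd line
# in the thread, a weak one, a missing one); returns the failure count (2).
demo() {
    d=$(mktemp -d) || return 99
    KEYDIR=$d/keys; mkdir "$KEYDIR"
    dd bs=512 count=4 if=/dev/random of="$KEYDIR/luks-home.key" status=none
    chmod 400 "$KEYDIR/luks-home.key"
    printf 'x' > "$d/weak.key"; chmod 644 "$d/weak.key"
    cat > "$d/crypttab" <<EOF
# constructed sample crypttab
luks-root  /dev/nvme0n1p3  none            luks,discard
luks-home  /dev/nvme1n1p1  none            luks
luks-data  /dev/sda1       $d/weak.key     luks
luks-gone  /dev/sdb1       $d/no-such.key  luks
EOF
    audit_crypttab "$d/crypttab"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Run `audit_crypttab /etc/crypttab` as root on a real system; a non-zero return means a keyfile is missing, too small, or readable by other users.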

You can already do this from the installer; choose the Advanced option. I can post screenshots in about an hour to walk you through.

Unfortunately nothing worked.

To be honest, I had problems installing Fedora 39 Silverblue with no encryption in the past, I guess because of NVIDIA.

I have a laptop with intel + NVIDIA.

Sometimes it didn’t log in until NVIDIA drivers were installed.

Soooo, I tried your method, @benpietras method and nothing worked. On Fedora 40 I could log in the first time (with the same password for both disks) but once I rebooted after updating Fedora (had to do it to install NVIDIA), in the first reboot: failed to log in.

Also, if I didn’t type the password right the first time (before trying to install NVIDIA), it would ask for the password for the second disk and then wouldn’t log in.

I tried with Fedora 39 and 38 just in case (I didn’t have any problems with 38 and NVIDIA). Same thing happened.

Whenever the second disk had to be decrypted (password or file) it wouldn’t boot.

Maybe it is a graphics problem, maybe it is a disk problem, maybe it is a problem with my laptop.


So, I just made an automatic install with encryption with the two disks under one btrfs volume. And that worked. I could install NVIDIA and everything works smoothly.

Both are NVMe but one of them is faster than the other. I guess I won’t notice it much. I hope.

Hi,

One btrfs partition over both encrypted disks sounds good. Downsides would be if one disk failed or a speed hit, but overall not bad.

The encryption / login has nothing to do with the graphics drivers. You can hold Ctrl-Alt-2 (or 1) to toggle to a basic CLI login if the GUI greeter freezes up. Too late to try that now.

Sorry my method didn’t work for ya. Without an eye on all your setup it’s not easy to say what went wrong.

Not a problem.

I tried Ctrl-Alt-2 but nothing. It freezes when it has to decrypt the second drive.

Thanks anyway.

With a keyfile added for the second partition, you don’t have to type your password two times on boot.