Hi,
in order to leave no trace of data on my disks, I installed Debian 12 with full disk encryption for my system disk and preboot authentication (via dropbear-initramfs).
After installing PVE 8.1 I encrypted my data partition with LUKS, created an LVM and on top an LVM-thin. The structure is as follows:
Code:
root@server:~# lsblk
NAME                           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                8:0  0 111,8G  0 disk
├─sda1                             8:1  0   512M  0 part  /boot/efi
├─sda2                             8:2  0   488M  0 part  /boot
└─sda3                             8:3  0 110,8G  0 part
  └─sda3_crypt                   252:0  0 110,8G  0 crypt
    ├─server--vg-root            252:1  0 109,8G  0 lvm   /
    └─server--vg-swap_1          252:2  0   980M  0 lvm   [SWAP]
sr0                               11:0  1  1024M  0 rom
nvme0n1                          259:0  0  11,6T  0 disk
└─nvme0n1p1                      259:1  0  11,6T  0 part
  └─nvme0n1p1_crypt              252:3  0  11,6T  0 crypt
    ├─daten-datengrab_tmeta      252:4  0    96M  0 lvm
    │ └─daten-datengrab-tpool    252:6  0  11,6T  0 lvm
    │   └─daten-datengrab        252:7  0  11,6T  1 lvm
    └─daten-datengrab_tdata      252:5  0  11,6T  0 lvm
      └─daten-datengrab-tpool    252:6  0  11,6T  0 lvm
        └─daten-datengrab        252:7  0  11,6T  1 lvm
As far as I tested, everything works as expected. Now I am trying to figure out how to mount the data partition automatically at boot. I am fine with having the same pw for both boot and data media, therefore I just added
Code:
nvme0n1p1_crypt UUID=<UUID> none luks,discard
in /etc/crypttab and thought the OS would take the pw from the kernel keyring, as explained in the cryptsetup manual (e.g. https://www.freedesktop.org/software/systemd/man/247/systemd-cryptsetup@.service.html), where it states:
- The kernel keyring is then checked for a suitable cached password from previous attempts.
- Finally, the user is queried for a password, possibly multiple times.
Unfortunately that doesn't seem to work; with that setup I need to enter the pw on the preboot screen (but not remotely - it has to be done on the machine itself).
I interpreted the sentence about the keyring to mean that entering a password once suffices for another volume with the same password to be mounted automatically - was I mistaken? If not, how do I correctly automate this mounting operation? If yes, what does that sentence actually mean?
Thanks - at least for reading -,
user973249
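As an added example, not part of the post above: the usual way on Debian to open a second LUKS volume at boot without a prompt is a key file stored on the already encrypted root filesystem, enrolled as an extra keyslot and named in the key-file field of /etc/crypttab instead of `none`. This does not rely on a passphrase cached in the kernel keyring. The mapper name is taken from the lsblk output above; the key path `/etc/luks/datengrab.key` and the UUID argument are assumptions. Run as root with `--apply <UUID>` to actually enrol the key; without arguments only the helper functions are defined.

```shell
#!/bin/sh
# Added example (not from the original post): unlock the data volume from the
# post's lsblk output at boot with a key file kept on the encrypted root fs.
# Key path and UUID are assumptions.
set -eu

TARGET="nvme0n1p1_crypt"            # mapper name from the post
KEYFILE="/etc/luks/datengrab.key"   # assumed; at rest it is protected by the root LUKS volume

# crypttab line: <target> <source> <key file> <options>. Naming a key file
# instead of "none" is what makes the unlock non-interactive.
crypttab_entry() {
    printf '%s UUID=%s %s luks,discard\n' "$1" "$2" "$3"
}

# The key file is the passphrase equivalent: insist on mode 0400 (and it
# should be root-owned) so no other local user can read it.
keyfile_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "400" ]
}

provision() {
    uuid="$1"
    dev="/dev/disk/by-uuid/$uuid"
    install -d -m 0700 "$(dirname "$KEYFILE")"
    # 64 random bytes; never typed by a human, so no need for printable chars.
    # umask keeps the file private from the moment it is created.
    ( umask 077; head -c 64 /dev/urandom > "$KEYFILE" )
    chmod 0400 "$KEYFILE"
    keyfile_mode_ok "$KEYFILE"
    # Enrol the file as an additional keyslot; asks once for the existing passphrase.
    cryptsetup luksAddKey "$dev" "$KEYFILE"
    # Verify the new slot without (re)activating the mapping.
    cryptsetup open --test-passphrase --key-file "$KEYFILE" "$dev"
    if grep -q "^$TARGET " /etc/crypttab; then
        echo "$TARGET already in /etc/crypttab: set its key-file field to $KEYFILE" >&2
    else
        crypttab_entry "$TARGET" "$uuid" "$KEYFILE" >> /etc/crypttab
    fi
}

if [ "${1:-}" = "--apply" ]; then
    provision "${2:?usage: $0 --apply <LUKS-UUID>}"
fi
```

Leave the entry without the `initramfs` option, so the volume is opened by the running system after root (and with it the key file) is available, and remove the old `none` entry rather than keeping both. Security-wise this is equivalent to the single shared passphrase the post says is acceptable: whoever can unlock root can also unlock the data volume, and nothing else can.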