Mounting a second encrypted hard drive automatically under Debian or Ubuntu

georam profile image georam ・2 min read

It´s a good pratice to encrypt all your hard drives to keep good security for your data at rest. Either you store sensitive private or corporate data, to protect it from theft or that you do not have to delete ot when you remove and sell a drive.

When you run full disk encryption under Debian with luks and your want to add a second drive to your machine that get´s automatically decrypted when you boot and provide your startup credentials you can do this with following steps:

  • install your second hard drive in your machine
  • get the device name parted -l e.g. /dev/sdd
  • create a new gpt partition table parted /dev/sdd mklabel gpt
  • create a new partition on the disk parted -a opt /dev/sdd mkpart primary ext4 0% 100%

Now you should see your new partition with `parted -l´

The next steps encrypts our new partition with a passphrase and opens it as mapper device under /dev/mapper and creates an ext4 filesystem:

  • encrypt the partition: cryptsetup --iter-time 5000 --use-random luksFormat --type luks2 /dev/sdd1
  • open it: cryptsetup open /dev/sdd1 local_storage
  • create ext4 filesystem: mkfs.ext4 /dev/mapper/local_storage

To decrypt the disk autmatically at startup we generate a keyfile, add it to the keystore of the newly encrypted partition and store the keyfile on our root harddrive.

  • create a keyfile on your os hard drive: dd if=/dev/random of=/root/.local_storage-keyfile bs=1024 count=4
  • change the permission so that only the root user can read it: chmod 0400 /root/.local_storage-keyfile
  • Add the key to the encrypted partition: cryptsetup luksAddKey /dev/sdd1 /root/.local_storage-keyfile

An entry in /etc/crypttab will do the magic and does the decryption automatically with our keyfile:

  • get your disk uuid with blkid
  • add a new line to /etc/crypttab with your chosen device name: local_storage UUID=<your UUID from blkid> /root/.local_storage-keyfile luks,discard

You can also add an aoutmount with an entry in /etc/fstab with the device name /dev/mapper/local_storage if you wish.

When you now reboot your second harddrive now get decrypted automatically and if you wish mounted in your filesystem via /etc/fstab.

Posted on by:


Editor guide