Best way to add second drive to a FDE install

[CJRoss]

I have LMDE installed with full disk encryption. Now I've added a second drive and I want to use it. What is the best way to do this so that the drive is encrypted and automatically unlocked and mounts when the main drive does? The new drive will be used for bulk media storage only.

[xenopeek]

You can partition and format the second drive with the Disks program, which will let you also encrypt the partition. If you use the same passphrase as on your first drive you can then use the /etc/crypttab file to automatically unlock the second drive during boot.

After partitioning & formatting the second drive run the command lsblk -o +UUID to find the UUID of the crypt partition on the second drive. Then edit the /etc/crypttab file with xed admin:///etc/crypttab and append a line like this with the UUID value in place of replacethistext:

Code: Select all

disk2	UUID=replacethistext	none	luks,keyscript=decrypt_keyctl

On boot this will unlock the 2nd drive automatically if the passphrase is the same and the 1st drive. It will map the unlocked partition to /dev/mapper/disk2 -- you can replace that disk2 name with something else if you want.

Next edit /etc/fstab with xed admin:///etc/fstab and add a line like this to mount the disk2:

Code: Select all

/dev/mapper/disk2	/disk2    	ext4      	rw,relatime	0 2

Assuming you formatted it as ext4. The mount point in above is set to /disk2. You can also use /home/yourusername/Storage or wherever you prefer to mount it. Don't forget to create the mount point directory and set yourself as owner.

If the second drive is a SSD and you want to keep it running at optimal performance you must enable discard (TRIM). For that add ,discard to the options in crypttab (luks,discard,keyscript=decrypt_keyctl). After reboot check with lsblk --discard that the crypt partitions have discard enabled. fstrim runs automatically once a week on SSDs that have discard enabled.

---
If you want to use a different passphrase for the second drive you can achieve the same by using a keyfile.

[jdm]

After partitioning & formatting the second drive run the command lsblk -o +UUID to find the UUID of the crypt partition on the second drive. Then edit the /etc/crypttab file with xed admin:///etc/crypttab and append a line like this with the UUID value in place of replacethistext:

Code: Select all

disk2	UUID=replacethistext	none	luks,keyscript=decrypt_keyctl

I thought the crypttab option keyscript was ignored by systemd. It certainly doesn't work in Mint 21.3.

jdm

[xenopeek]

I guess what's missing is running these two after making the changes:

Code: Select all

sudo update-initramfs
sudo update-grub 

[CJRoss]

I am installing on an SSD. Looking at my current install, nothing in fstab has discard while lvmlmde in cryttab shows discard. lsblk --discard shows the same for all partitions.

Does this mean that nothing is being trimmed?

[xenopeek]

Sorry, mixup on my part -- do not add discard to /etc/fstab. That is for continuous trim but we want the (recommended) weekly trim, which just needs the discard option added to /etc/crypttab for non-root partitions.

Trimming can also be enabled by running cryptsetup open --allow-discards --persistent once for the crypt device. You can check with cryptsetup luksDump for the crypt device and see if allow-discards is in the Flags.

In the lsblk --discard output important are the DISC-GRAN and DISC-MAX columns, showing the discard granularity and maximum bytes. Non-zero values here indicate discard is enabled.

journalctl -u fstrim would show you the logs.

[CJRoss]

Okay, I'll check again once I boot LMDE back up. I had to switch back to my original install for a bit.

[CJRoss]

Finally got a chance to set this up. It worked well, thanks. The only recommendation I have for anyone is to make sure your crypt setup is correctly working before editing your fstab. Otherwise you'll have to init=/bin/bash.