Best way to add second drive to a FDE install
I have LMDE installed with full disk encryption. Now I've added a second drive and I want to use it. What is the best way to do this so that the drive is encrypted and automatically unlocked and mounts when the main drive does? The new drive will be used for bulk media storage only.
Re: Best way to add second drive to a FDE install
You can partition and format the second drive with the Disks program, which will let you also encrypt the partition. If you use the same passphrase as on your first drive you can then use the /etc/crypttab file to automatically unlock the second drive during boot.
After partitioning & formatting the second drive run the command
lsblk -o +UUID
to find the UUID of the crypt partition on the second drive. Then edit the /etc/crypttab file with
xed admin:///etc/crypttab
and append a line like this with the UUID value in place of replacethistext:
Code:
disk2 UUID=replacethistext none luks,keyscript=decrypt_keyctl
On boot this will unlock the 2nd drive automatically if the passphrase is the same as the 1st drive. It will map the unlocked partition to /dev/mapper/disk2 -- you can replace that disk2 name with something else if you want.
Next edit /etc/fstab with
xed admin:///etc/fstab
and add a line like this to mount the disk2:
Code:
/dev/mapper/disk2 /disk2 ext4 rw,relatime 0 2
Assuming you formatted it as ext4. The mount point above is set to /disk2. You can also use /home/yourusername/Storage or wherever you prefer to mount it. Don't forget to create the mount point directory and set yourself as owner.
If the second drive is an SSD and you want to keep it running at optimal performance you must enable discard (TRIM). For that add
,discard
to the options in crypttab (luks,discard,keyscript=decrypt_keyctl). After reboot check with
lsblk --discard
that the crypt partitions have discard enabled. fstrim runs automatically once a week on SSDs that have discard enabled.
---
If you want to use a different passphrase for the second drive you can achieve the same by using a keyfile.
Re: Best way to add second drive to a FDE install
I thought the crypttab option keyscript was ignored by systemd. It certainly doesn't work in Mint 21.3.
xenopeek wrote: Wed Feb 21, 2024 2:43 pm
After partitioning & formatting the second drive run the command
lsblk -o +UUID
to find the UUID of the crypt partition on the second drive. Then edit the /etc/crypttab file with
xed admin:///etc/crypttab
and append a line like this with the UUID value in place of replacethistext:
Code:
disk2 UUID=replacethistext none luks,keyscript=decrypt_keyctl
jdm
Re: Best way to add second drive to a FDE install
I guess what's missing is running these two after making the changes:
Code:
sudo update-initramfs -u
sudo update-grub
Re: Best way to add second drive to a FDE install
I am installing on an SSD. Looking at my current install, nothing in fstab has discard while lvmlmde in crypttab shows discard. lsblk --discard shows the same for all partitions.
Does this mean that nothing is being trimmed?
Re: Best way to add second drive to a FDE install
Sorry, mixup on my part -- do not add discard to /etc/fstab. That is for continuous trim but we want the (recommended) weekly trim, which just needs the discard option added to /etc/crypttab for non-root partitions.
Trimming can also be enabled by running cryptsetup open --allow-discards --persistent once for the crypt device. You can check with cryptsetup luksDump for the crypt device and see if allow-discards is in the Flags.
In the lsblk --discard output important are the DISC-GRAN and DISC-MAX columns, showing the discard granularity and maximum bytes. Non-zero values here indicate discard is enabled.
journalctl -u fstrim
would show you the logs.
Re: Best way to add second drive to a FDE install
Okay, I'll check again once I boot LMDE back up. I had to switch back to my original install for a bit.
Re: Best way to add second drive to a FDE install
Finally got a chance to set this up. It worked well, thanks. The only recommendation I have for anyone is to make sure your crypt setup is correctly working before editing your fstab. Otherwise you'll have to init=/bin/bash.
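The check recommended in the last post, confirming the crypt mapping before relying on the fstab line, can be scripted. The following is an added example and not part of any post in this thread; the function name check_crypt_mount and the sample file contents are constructed for illustration, and it only reads text in the crypttab and fstab formats quoted above.

```shell
#!/bin/sh
# Added example: check one crypt mapping in crypttab/fstab-format text files.
# check_crypt_mount NAME CRYPTTAB FSTAB
# Prints two findings; returns 1 when fstab mounts /dev/mapper/NAME but
# crypttab has no entry for NAME (the case that leaves boot waiting on a device).
check_crypt_mount() {
    awk -v name="$1" '
        /^[ \t]*#/ || NF == 0 { next }              # skip comments and blank lines
        FILENAME == ARGV[1] && $1 == name {         # crypttab: name source keyfile options
            in_crypttab = 1
            c_discard = (("," $4 ",") ~ /,discard,/)
        }
        FILENAME == ARGV[2] && $1 == ("/dev/mapper/" name) {   # fstab: dev dir type options
            mountpoint = $2
            f_discard = (("," $4 ",") ~ /,discard,/)
        }
        END {
            if (!in_crypttab)   print "crypttab: no entry for " name
            else if (c_discard) print "crypttab: entry found, discard on"
            else                print "crypttab: entry found, discard off"
            if (mountpoint == "") print "fstab: no mount for /dev/mapper/" name
            else if (f_discard)   print "fstab: mounts at " mountpoint ", continuous discard"
            else                  print "fstab: mounts at " mountpoint
            exit (mountpoint != "" && !in_crypttab)
        }
    ' "$2" "$3"
}

# Constructed sample files using the lines quoted in the thread.
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
# <name> <source> <keyfile> <options>
disk2 UUID=replacethistext none luks,discard,keyscript=decrypt_keyctl
EOF
cat > "$demo/fstab" <<'EOF'
/dev/mapper/disk2 /disk2 ext4 rw,relatime 0 2
EOF
check_crypt_mount disk2 "$demo/crypttab" "$demo/fstab"
rm -rf "$demo"
```

On a real system the two file arguments would be /etc/crypttab and /etc/fstab; "continuous discard" in the fstab finding corresponds to the fstab option the thread advises against for weekly trim.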