LinuxQuestions.org


NordiC 02-03-2007 05:20 PM

mount multiple dm-crypt disks
 
I have encrypted all my 'archive' disks with dm-crypt. But I've got a small 'problem'. Every time I reboot the server, I need to type the password for every single drive I mount. And... it's 12 disks. Anyone know if there's any nice script/application that I can configure, so I only need to execute it when I'm logged in and type the password ONCE.

Have googled and searched the forum, but haven't found anything useful.
And no, I don't want to use a USB stick and have a key file on it.

Thanks in advance!

JZL240I-U 02-07-2007 03:42 AM

I don't understand. You always need all 12 partitions / drives? Why don't you comment them out in /etc/fstab and just mount what you need when you need it?

nx5000 02-07-2007 06:16 AM

Well... it's one key for each disk. In your case you put the same one for each disk, so it's not the default behaviour.
A method would be to:
Early-mount an encrypted disk => you have to give its key.
In this partition (USB key, whatever) lies the key for the 12 disks (or 11, if you don't have any other). It can be kept as a file.
Then the second phase would decrypt the remaining partitions using this file as a key.

cryptsetup works in 2 phases for this purpose, which is pretty standard.
Try to have a look at manpages for cryptsetup, /etc/crypttab.
Also /etc/init.d/cryptdisks and /etc/init.d/cryptdisks-early.
These files are from a package called cryptsetup, which is a higher-level application to handle this more easily.

Ah, what I say probably only works for LUKS encryption.

Another example:
# Encrypted luks disk with a openssl-encrypted keyfile, replace with USB Stick
#cdisk4 /dev/hda2 /mnt/hda3/keyfile luks,ssl

cdisk4 will be decrypted using /mnt/hda3/keyfile.
/mnt/hda3/keyfile is the encrypted key file. You provide the password for decoding the key file only. /mnt/hda3 can be your /root or whatever; it just has to be mounted before dm-crypt tries to mount the 12 partitions.

Hope it's more or less clear :)

NordiC 02-08-2007 09:54 AM

Thanks nx5000! That was a really good idea :)
Only one 'problem': if we say I do it like you said, the decrypt key will be unprotected when that drive is mounted. I thought about a simple script, kinda (I'm not good enough to write one myself): I execute it, type the password, and then it unlocks and mounts all disks. Like saving the password temporarily under the process in cache while unlocking the disks. Anyway, I'll use your proposal if nobody has a better idea. Thanks again :)

Quote:

Originally Posted by JZL240I-U
I don't understand. You always need all 12 partitions / drives? Why don't you comment them out in /etc/fstab and just mount what you need when you need it?


Because other people than me browse files from it, and I don't wanna give them SSH access and the decrypt password :)

nx5000 02-08-2007 11:19 AM

You're welcome!
For your question, re-read again ;)

#Encrypted luks disk with a openssl-encrypted keyfile, replace with USB Stick

The key is encrypted (and put on an unencrypted partition, e.g. /root; otherwise it's a pain and redundant):
/root/keyfile

To decrypt it, you will have to give the OpenSSL password.

When this key is decoded, it will be used for decrypting the 12 partitions.

This "method" is used in some companies that need a high level of security:
They have an encrypted key (with a _very_ strong algorithm) on a USB stick (the stick is only used for this).
They are prompted for a password to decrypt the key, and this key is used to reach the company by VPN-DSL.

Have fun but don't lose the password ;)

edit:
Actually you would need to also have encrypted swap, otherwise it may leak. Depends on your level of paranoia and whether the swap is already mounted (probably check in cryptsetup). Then put the machine in a bunker, 300 feet under the ground :)
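The two approaches in this thread share one shape: obtain a single secret once, then feed it to cryptsetup for each disk without ever putting it on a command line or writing the plaintext to disk. The script below is an added example written for this thread, not code from any poster or from the cryptsetup package. It covers both NordiC's wish (one typed passphrase, enrolled as a keyslot on every disk) and nx5000's variant (an openssl-encrypted key file, decrypted once with its own password). The device paths, mapper names, mount points and the key file format (hex text, encrypted with `openssl enc -aes-256-cbc -pbkdf2`) are assumptions for illustration; CRYPTSETUP and MOUNT are overridable only so the functions can be exercised without real devices.

```shell
#!/bin/sh
# Added example (not from the thread). Get one secret, then open and mount
# every LUKS disk listed in DISKS with it.
# Key sources:
#   - KEYFILE unset: prompt once for a passphrase that has been enrolled in a
#     keyslot of every disk (cryptsetup luksAddKey <device>)
#   - KEYFILE set:   decrypt an openssl-encrypted key file once (openssl prompts
#     for its password) and use the plaintext for every disk, the idea behind
#     the crypttab 'luks,ssl' entry quoted above
# Assumed key-file setup (placeholder paths, run once per disk for luksAddKey):
#   openssl rand -hex 64 | tr -d '\n' > key.hex      # hex text, no trailing newline
#   cryptsetup luksAddKey /dev/sdb1 key.hex          # must match the bytes used at unlock
#   openssl enc -aes-256-cbc -pbkdf2 -in key.hex -out /root/keyfile.enc
#   shred -u key.hex
# Usage: sh unlock-archives.sh run   (or KEYFILE=/root/keyfile.enc sh unlock-archives.sh run)
set -u

# Constructed list, one "<block device> <mapper name> <mount point>" per line.
DISKS="${DISKS:-/dev/sdb1 archive01 /srv/archive01
/dev/sdc1 archive02 /srv/archive02
/dev/sdd1 archive03 /srv/archive03}"

# Overridable so unlock_all can be tested with stand-ins instead of real devices.
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
MOUNT="${MOUNT:-mount}"

# Put the secret in the shell variable KEY. It is never passed as an argument,
# so it does not show up in the process list; it only lives in this process.
get_key() {
    if [ -n "${KEYFILE:-}" ]; then
        # openssl asks for its password itself; $(...) strips a trailing newline,
        # which is why the key file was created without one.
        KEY=$(openssl enc -d -aes-256-cbc -pbkdf2 -in "$KEYFILE") || return 1
    else
        printf 'Passphrase for archive disks: ' >&2
        stty -echo 2>/dev/null
        IFS= read -r KEY
        stty echo 2>/dev/null
        printf '\n' >&2
    fi
    [ -n "$KEY" ]
}

# Open and mount every entry in DISKS using KEY. Returns the number of
# failures, so a partially successful run is visible to the caller.
unlock_all() {
    fails=0
    while read -r dev name mnt; do
        [ -n "$dev" ] || continue
        if [ -e "/dev/mapper/$name" ]; then
            printf '%s already open, skipping\n' "$name" >&2
        # The key goes to cryptsetup over a pipe (--key-file -): nothing is
        # written to disk and nothing appears in argv.
        elif printf '%s' "$KEY" | "$CRYPTSETUP" luksOpen --key-file - "$dev" "$name"; then
            printf 'opened %s as %s\n' "$dev" "$name" >&2
        else
            printf 'FAILED to open %s\n' "$dev" >&2
            fails=$((fails + 1))
            continue
        fi
        "$MOUNT" "/dev/mapper/$name" "$mnt" || fails=$((fails + 1))
    done <<EOF
$DISKS
EOF
    return "$fails"
}

main() {
    get_key || { echo "no key obtained" >&2; return 1; }
    unlock_all
    rc=$?
    unset KEY   # drop the secret as soon as the last disk has been tried
    if [ "$rc" -eq 0 ]; then
        echo "all archive disks unlocked"
    else
        echo "$rc disk(s) failed" >&2
    fi
    return "$rc"
}

case "${1:-}" in
    run) main ;;
esac
```

Two points worth keeping in mind with either key source: the bytes handed to `luksOpen --key-file -` must be exactly the bytes enrolled with `luksAddKey` (a stray trailing newline is the usual reason "the same" key fails), and the secret still sits in the shell's memory while the loop runs, which is the reason for nx5000's remark about encrypted swap.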

NordiC 02-09-2007 05:50 AM

Quote:

Originally Posted by nx5000
You're welcome!
For your question, re-read again ;)

#Encrypted luks disk with a openssl-encrypted keyfile, replace with USB Stick

The key is encrypted (and put on an unencrypted partition, e.g. /root; otherwise it's a pain and redundant):
/root/keyfile

To decrypt it, you will have to give the OpenSSL password.

When this key is decoded, it will be used for decrypting the 12 partitions.

This "method" is used in some companies that need a high level of security:
They have an encrypted key (with a _very_ strong algorithm) on a USB stick (the stick is only used for this).
They are prompted for a password to decrypt the key, and this key is used to reach the company by VPN-DSL.

Have fun but don't lose the password ;)

edit:
Actually you would need to also have encrypted swap, otherwise it may leak. Depends on your level of paranoia and whether the swap is already mounted (probably check in cryptsetup). Then put the machine in a bunker, 300 feet under the ground :)


Thanks again :)
