LinuxQuestions.org


Delcaran 09-20-2018 03:00 AM

Use secondary encrypted hard drive
 
Hi everyone!
Yesterday I bought an SSD to give some fresh air to my old laptop, so now I have a spare HDD to use. Since my laptop has two SATA slots, I want to double its memory using both drives on it.

The main one, the SSD, is encrypted with LUKS+LVM as described in the official docs. I want to encrypt the HDD, create one big partition on it (this disk will contain only "static", seldom-accessed files, like photos, videos, music, backups and archives, with folders symlinked to my /home on the other drive) and mount it at boot WITHOUT asking for another password.

The optimal solution could be encrypting the drive with a password, save that password on a file in the encrypted SSD (which is mounted first), and mount the HDD reading the encryption password from that file on the SSD, which at this point is already accessible.
A less optimal solution could be using a keyfile, but with this approach I wouldn't be able to mount the HDD without the SSD...

So, how can I do that?
And also, is the single partition with symlinked folders a good solution? Do you have better suggestions? I'm open minded!

Thanks in advance!

Melke 09-20-2018 03:28 AM

Hi!

You can achieve this by using a keyfile. I used this tutorial when I did this the first time:
https://tutorials.technology/tutoria...to-fedora.html

It's for Fedora but works just as well on Slackware.

Kr
Melke

gildbg 09-20-2018 03:47 AM

It's a good howto. You need to ask yourself whether you really want it. I read on some sites that one of the problems people point out is: if bad sectors appear after a while in the sectors where your LUKS technical data and keys are, you will be unable to mount your partitions ever, but I don't know if that is true.

Alien Bob 09-20-2018 03:51 AM

Quote:

Originally Posted by gildbg (Post 5905633)
It's a good howto. You need to ask yourself whether you really want it. I read on some sites that one of the problems people point out is: if bad sectors appear after a while in the sectors where your LUKS technical data and keys are, you will be unable to mount your partitions ever, but I don't know if that is true.

When your disk develops bad sectors there's a risk of data loss always, not just with a LUKS encrypted disk. A LUKS disk which you can no longer decrypt is 100% data loss at once of course, but if you do not have a backup strategy and hope that your hard disk will live forever, you will eventually have a big problem.
The stuff you can not afford to lose, make sure you back it up regularly.

gildbg 09-20-2018 03:56 AM

Yes,
you just pointed out with a few more words what I was trying to say. It will lose all data, not only one picture.

lougavulin 09-20-2018 04:21 AM

In your backup strategy, save LUKS headers. That should help to not lose all LUKS data.

Delcaran 09-24-2018 02:42 AM

I did it using /etc/crypttab to decrypt the drive and /etc/fstab to mount the mapped partition.

Security-wise, the LUKS volume is encrypted with a password stored plain-text in the /etc/crypttab file, which resides in my primary encrypted drive. This way I can mount the secondary drive wherever I need, and the key is still safe when the primary drive is not mounted. Of course I must assume the root drive is not compromised...

As for backup, all the data I care for has at least two replicas across my "hot" drives and one extra in a "cold" drive updated every 3 months. Plus, I'm looking forward to an online backup service (like Backblaze B2) to encrypt and upload my data with rclone.

I think my setup works fine for my kind of situation...
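
An added example, not part of the thread: with the passphrase stored in plain text in /etc/crypttab as described in the post above, the file's mode decides who can read the secret while the system is running. This sketch assumes the field layout name, device, key, options, treats a key field that names an existing file as a keyfile and any other non-"none" value as an inline passphrase; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: audit a crypttab-style table (fields: name device key options)
# for where each unlock secret lives and who can read it.
# Assumption: key field "none"/empty = prompt at boot, existing file = keyfile,
# anything else = inline passphrase. The secret itself is never printed.

# perm_state PATH: "private" if group and others have no access, else "open".
perm_state() {
    bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$bits" = "------" ]; then echo private; else echo open; fi
}

# audit_crypttab FILE: prints one finding per entry as "name:kind:state".
audit_crypttab() {
    tab_state=$(perm_state "$1")
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        case $key in
            ''|none) echo "$name:prompt:ok" ;;
            *)
                if [ -f "$key" ]; then
                    # Keyfile: exposure depends on the keyfile's own mode
                    echo "$name:keyfile:$(perm_state "$key")"
                else
                    # Inline passphrase: anyone who can read the table can read it
                    echo "$name:inline:$tab_state"
                fi ;;
        esac
    done < "$1"
}

# demo: run the audit on a constructed table, first mode 644, then mode 600.
demo() {
    d=$(mktemp -d) || return 1
    printf 'k' > "$d/hdd.key"; chmod 600 "$d/hdd.key"
    cat > "$d/crypttab" <<EOF
# constructed sample entries, not taken from the thread
lukssda2  /dev/sda2  none
lukshdd   /dev/sdb1  constructed-passphrase
luksbak   /dev/sdc1  $d/hdd.key
EOF
    chmod 644 "$d/crypttab"; audit_crypttab "$d/crypttab"
    chmod 600 "$d/crypttab"; audit_crypttab "$d/crypttab"
    rm -rf "$d"
}

demo
```

On a real system, `audit_crypttab /etc/crypttab` reports an `inline:open` entry when the table holding a plain-text passphrase is readable by group or others.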

drgibbon 09-24-2018 06:19 PM

Quote:

Originally Posted by lougavulin (Post 5905651)
In your backup strategy, save LUKS headers. That should help to not lose all LUKS data.

Yep, you definitely want to back up the LUKS headers, check out "luksHeaderBackup" in the cryptsetup man page. If the header becomes corrupted (without a backup) then all encrypted data is irretrievable.


All times are GMT -5.