Ubuntu – Full Disk Encryption with LUKS: auto mount second volume

11.10encryptionluks

TrueCrypt on Windows can auto mount volumes that use the same passphrase as the boot volume. You enter the passphrase only once. Is there a way to do this with LUKS?

Background: I'm currently migrating from Windows to Ubuntu. I set up Ubuntu 11.10 with LUKS full disk encryption. I use a second hard drive that is still a TrueCrypt NTFS volume. I want to change that.

Best Answer

You can use the decrypt_keyctl keyscript to securely cache the passphrase when mounting multiple encrypted volumes. The README describes how to do this on boot; there are some caveats with workarounds described in bug 1022815.

This should allow auto mounting of multiple encrypted volumes at boot with only one passphrase prompt. The same keyctl mechanism could be used to arrange the automounting of other volumes after boot time, but I'm not aware of a full solution.

Related Solutions

Ubuntu – How to mount LUKS encrypted drive of old system with same VGname

The new system was relatively low value (some setup effort, but nothing hard to replace), so I decided to mess with that instead.

I booted from USB (using the mint install system), and did the following (where `sdb5 is the encrypted partition that houses the lvm data for my new system)

cryptsetup luksOpen /dev/sdb5 newdisk
vgimportclone /dev/mapper/newdisk
pvscan
vgscan
lvscan

I'm not sure that those scans are actually necessary, but i did them, and then I looked around with pvdisplay, vgdisplay and lvdisplay. All looks fine.

I tried re-booting at this point, which didn't work. Grub couldn't find the disk, and complained with a message like this one.

I booted back into the installer, and fixed up the references to /dev/mapper/mint--vg-root and /dev/mapper/mint--vg-swap in /etc/grub/grub.cfg and /etc/fstab.

The system boots, and I can now mount the old drive using the GUI tools (nemo), albeit it's a tad inelegant, with an error displayed from the attempt to mount the encrypted partition, after which the unecrypted one is available to mount.

So, it seems OK. I've greped for mint--vg in /etc and /boot, and found nothing else to fix up. I'll add more info here if I come across anything else that needs fixing up.

Ubuntu – LUKS Encryption of NTFS Partition

Let me answer your questions out of order, first explaining why encrypting your NTFS partition with LUKS is not a good idea.

First, how does LUKS work?

LUKS can be used to encrypt a file (a file container), a partition, or an entire disk. If you let the installer encrypt everything for you, what actually happens is that two partitions are created, a boot partition, and a LUKS encrypted partition that contains the root directories and all of it's subdirectories except for /boot and it's subdirectories. If you use UEFI, there will be a third EFI partition as well. This means you won't be given an option to create the NTFS partition that you want. This inevitably means you will need to use manual partitioning. This is an involved process and is not exactly as straightforward as you might think. I have written two answers elsewhere about LUKS with manual partitioning (with LVM and without LVM). In your case, would not want to put your NTFS partition inside any LVM partitions you might create since Windows would not be able to access the NTFS partition inside an LVM Logical Volume.
To complicate matters further, Windows cannot natively decrypt a LUKS partition, so ultimately, you would have to install another software like LibreCrypt, but as you can see from the comments in that linked answer, LibreCrypt appears to have been abandoned, so that's probably not a good option. Therefore, while it is fine to encrypt your Linux installation with LUKS it is probably not wise to use LUKS to encrypt your NTFS partition that will be shared between the Linux and Windows systems.

What might be a better approach?

The question this leaves us with is how can I encrypt a partition such that both Linux and Windows will be able to decrypt it to access the contained NTFS partition? Once upon a time, I would have recommended TrueCrypt. Of course development on TrueCrypt came to an abrupt halt. So that is no longer an option. Once discontinued, a fork was created known as VeraCrypt and is still maintained. VeraCrypt can be installed on both Windows and Linux, enabling access to any given VeraCrypt encrypted partition from both OSs. Being opensource, the code is available for public review. VeraCrypt may be your best option.
I doubt that VeraCrypt can be used to encrypt your entire Linux system, but I've never tried, so I won't say it's impossible. If I were attempting to set up a dual-boot system as you have described, here's how I would probably go about it...
Install Ubuntu using manual partitioning as I describe here, but create the following physical partitions on your existing disk.

partition 1: EFI (only if you're using UEFI)
partition 2: /boot
partition 3: LVM (which contains all of your other Linux-only partitions)
partition 4: Empty partition -- format doesn't matter -- reserved for encryption with VeraCrypt (in its decrypted state, this will house your NTFS partition)

After you have installed Linux, you can install VeraCrypt and encrypt your last partition with VeraCrypt, choosing NTFS as the contained file system.

I'm not going to claim that this process will be easy. If you attempt this, you may run into some frustrating roadblocks at times, but this is probably the easiest way to accomplish what you want to accomplish with existing encryption technologies that are currently maintained as I write this answer.