I have a Debian 7.4 (stable) based server configured to use an encrypted (RAID1 + LVM) root partition (/boot is un-encrypted regular partition) to which I installed dropbear SSH server so I can remotely enter the LUKS encryption passphrase.
In addition to the root partition/volume I have other RAID1+cryptsetup+LVM volumes that I would like to be able to open with the same passphrase. I googled and found out I can use the script /lib/cryptsetup/scripts/decrypt_keyctl to cache passphrases and open multiple volumes with the same passphrase. But how do I use this script with the passphrase entered in the initramfs stage?
Best Answer
You could put the password in a file and re-use that with the --key-file parameter. Using a random keyfile instead of a plaintext passphrase in that setup may be preferable. Personally I used a slightly different approach with LUKS encrypted keyfiles:
In this setup, the single passphrase unlocks a keyfile store which contains random keys for various other LUKS containers. This is particularly useful for /boot on USB setups, so /boot can't be tampered with and a hardware keylogger alone is not sufficient to get the keys for the internal disks.