How to open multiple LUKS volumes with key entered in initramfs

Tags: cryptsetup, dm-crypt, luks, mdadm

I have a Debian 7.4 (stable) based server configured to use an encrypted (RAID1 + LVM) root partition (/boot is an unencrypted regular partition), on which I installed the dropbear SSH server so I can remotely enter the LUKS encryption passphrase.

In addition to the root partition/volume I have other RAID1 + cryptsetup + LVM volumes that I would like to be able to open with the same passphrase. I googled and found out that I can use the script /lib/cryptsetup/scripts/decrypt_keyctl to cache passphrases and open multiple volumes with the same passphrase. But how do I use this script with the passphrase entered at the initramfs stage?

Best Answer

You could put the password in a file and re-use that with the --key-file parameter. Using a random keyfile instead of a plaintext passphrase in that setup may be preferable.

umask 077                       # the file holds the passphrase: keep it owner-readable only
printf '%s' password > pwfile   # no trailing newline: --key-file uses the whole file as the key
for luks in md1 md2 md3
do
    cryptsetup luksOpen --key-file=pwfile /dev/"$luks" luks"$luks"
done

Personally I used a slightly different approach with LUKS-encrypted keyfiles:

In this setup, the single passphrase unlocks a keyfile store which contains random keys for various other LUKS containers. This is particularly useful for /boot on USB setups, so /boot can't be tampered with and a hardware keylogger alone is not sufficient to get the keys for the internal disks.
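The keyfile-store approach the answer describes, written out as an added example (this is not the answerer's own script). It assumes the keystore is a small LUKS container on /dev/sdb1 (for instance the USB stick that also carries /boot), that the data volumes are the md1, md2 and md3 RAID devices from the first snippet, and that each of those already has a passphrase you can unlock it with; device names, the mount point /run/keystore and the DRY_RUN switch are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not the answerer's code: one passphrase opens a small LUKS
# "keystore" container; random keyfiles stored inside it open the data volumes.
# Assumptions: the keystore lives on /dev/sdb1 (e.g. the USB stick that also
# carries /boot), the data volumes are the md1..md3 RAID devices from the
# first snippet, and each already has a passphrase slot you can unlock with.
set -eu

KEYSTORE_DEV=${KEYSTORE_DEV:-/dev/sdb1}
KEYSTORE_MAP=${KEYSTORE_MAP:-keystore}       # name under /dev/mapper
KEYSTORE_MNT=${KEYSTORE_MNT:-/run/keystore}
VOLUMES=${VOLUMES:-"md1 md2 md3"}
DRY_RUN=${DRY_RUN:-0}                        # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_keystore: format the keystore (interactive: asks for the one passphrase),
# create a 512-byte random keyfile per volume inside it, and enrol each keyfile
# as an additional key slot of the matching LUKS header (luksAddKey prompts for
# an existing passphrase of that volume). Existing slots are left untouched, so
# the volumes stay openable by passphrase if the keystore is ever lost.
setup_keystore() {
    run cryptsetup luksFormat "$KEYSTORE_DEV"
    run cryptsetup luksOpen "$KEYSTORE_DEV" "$KEYSTORE_MAP"
    run mkfs.ext4 -q "/dev/mapper/$KEYSTORE_MAP"
    run mkdir -p "$KEYSTORE_MNT"
    run mount "/dev/mapper/$KEYSTORE_MAP" "$KEYSTORE_MNT"
    run chmod 700 "$KEYSTORE_MNT"
    for vol in $VOLUMES; do
        run dd if=/dev/urandom of="$KEYSTORE_MNT/$vol.key" bs=512 count=1
        run chmod 400 "$KEYSTORE_MNT/$vol.key"
        run cryptsetup luksAddKey "/dev/$vol" "$KEYSTORE_MNT/$vol.key"
    done
    run umount "$KEYSTORE_MNT"
    run cryptsetup luksClose "$KEYSTORE_MAP"
}

# unlock_all: the only prompt is luksOpen on the keystore; every data volume is
# then opened non-interactively with its keyfile, and the keystore is closed
# again so the keyfiles are not left readable on the running system.
unlock_all() {
    run cryptsetup luksOpen "$KEYSTORE_DEV" "$KEYSTORE_MAP"
    run mkdir -p "$KEYSTORE_MNT"
    run mount -o ro "/dev/mapper/$KEYSTORE_MAP" "$KEYSTORE_MNT"
    for vol in $VOLUMES; do
        run cryptsetup luksOpen --key-file="$KEYSTORE_MNT/$vol.key" "/dev/$vol" "luks$vol"
    done
    run umount "$KEYSTORE_MNT"
    run cryptsetup luksClose "$KEYSTORE_MAP"
}

# Usage: ./luks-keystore.sh setup   (once, as root)
#        ./luks-keystore.sh unlock  (at every boot, as root)
case "${1:-}" in
    setup)  setup_keystore ;;
    unlock) unlock_all ;;
esac
```

Run it once with `setup` (expect prompts from luksFormat and from each luksAddKey) and afterwards with `unlock`; `DRY_RUN=1 ./luks-keystore.sh unlock` shows the exact command sequence without touching any device. Compared with the pwfile loop above, nothing in the keystore is a human passphrase, each volume gets its own random key, and the keystore can be kept on removable media so a keylogger on the server alone does not yield the disk keys. For the question's actual initramfs stage, Debian wires this kind of logic in through the `keyscript=` option in /etc/crypttab; `keyscript=decrypt_keyctl` is the variant that caches one typed passphrase in the kernel keyring, and entries sharing the same value in the crypttab key field are then unlocked with that single prompt (the keyutils package has to be installed so the initramfs hook ships `keyctl`, and `update-initramfs -u` has to be run after editing crypttab).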