I am planning on reinstalling to new drive(s) the next time my distro releases a new version and i am interested in drive encryption, so i was wondering

if i have root and home on two separate SSDs and they are encrypted with the same password, would i have to enter the password twice to boot? and would there be any other downsides of an encrypted two drive setup?

is there anything i should take into account when using or setting up drive encryption? any best practices for drive encryption that i should know?

thanks in advance

  • hschen@sopuli.xyz
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    One thing i do know is after finishing everything, you wanna backup your LUKS headers incase something gets corrupted so you wont lose your data, make sure its safe outside of the encrypted drive somewhere. “sudo cryptsetup luksHeaderBackup /dev/drive_name --header-backup-file /destination/”

    Don’t know any other downsides, but you will require entering your password 2 times if i’m not mistaken. Now if you wanna try to avoid entering your password twice. This is a bit more complex but not super hard to try, depends on how technical you are and what distro you use, ArchWiki claims if you use the sd-encrypt hook it will cache your first password and use it for the other drive.

    https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Using_systemd-cryptsetup-generator

    https://wiki.archlinux.org/title/Mkinitcpio#Common_hooks

    I believe if you do swap to the sd-encrypt hook you gotta swap all the other hooks over to the systemd ones too but not 100% sure, but that’s what i ended up doing. Also would need to use the “rd.luks” boot options instead of the “cryptdevice=”

    • BluePhantom@lemmy.worldOP
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      where would you recommend backing up the LUKS headers to? an external HDD? a USB flash drive? or something else?

      and thanks for the advice and links, i will look further into it using a VM later

      • hschen@sopuli.xyz
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Wherever you want really, its only incase the luks headers corrupt which is probably quite rare.

        Also probably way easier to do what the other person suggested with the keyfile. My brain kinda blanked out on that possibility

    • Tiuku@sopuli.xyz
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Yes it’s pretty easy with keyfile and /etc/crypttab.

      One practical recommendation: As LUKS headers can hold several keys, also add a traditional passphrase in addition to the keyfile. With this it’s far easier to decrypt the drive from commandline if you ever need to rescue the system from a USB.