Gentoo Forums
[SOLVED]question on using one luks key for 2 drives
dkuchay
n00b


Joined: 01 Apr 2019
Posts: 7
Location: Schenectady, NY

Posted: Mon Apr 01, 2019 5:07 pm    Post subject: [SOLVED]question on using one luks key for 2 drives

Hello All,

First post. Long time Slackware and recent Arch user. Been admiring Gentoo for a decade. Recent injury caused me to obtain the time to install properly.

Read as much as I can hold in my head from installation guide and found Sakaki's wiki guide to closest follow what my installation goals are. I have a laptop with 2 hard drives and I am setting up a dual boot with Windows 10. Windows has been configured to occupy half of the NVME as well as half of the data drive. I want to do the efi-stub route and the security configuration makes me admire. USB options attract as well.

Currently I have a usb stick in with a luks key installed that will unlock the luks container on the NVME that is currently filling with random data.

My question is can I make a pv on my data drive, say

Code:
pvcreate /dev/sda2

and
Code:
vgextend vg1 /dev/sda2


and use the same key on the usb stick to unlock BOTH volumes?

I want to think that software may be needed for this. Debian and 'buntu both use a package called decrypt_keyctl for this function.

Forgive me if I missed this in the docs. Not very familiar with Gentoo and want to avoid mistakes if possible.

Thank you in advance
dkuchay


Last edited by dkuchay on Mon Apr 01, 2019 5:50 pm; edited 2 times in total
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 43192
Location: 56N 3W

Posted: Mon Apr 01, 2019 5:29 pm    Post subject:

dkuchay,

Welcome to Gentoo.

You need to think long and hard about the attack vectors you want to defend against before you deploy any security measures.
As well as attack vectors, think about perpetrators and the resources they can deploy. This xkcd illustrates the point.

Quote:
NVME that is currently filling with random data
Start with that.
NVME is a fast to access solid state device. It's only fast to write if it has pre-erased blocks to write in.
Filling it with random data will kill the write speed as you will need to wait for an erase cycle.
There is no such write speed penalty for rotating rust.

Only you can decide if a luks volume filled with random data is really required as a piece in your security model and if it is, is it worth the write speed penalty of putting it on SSD.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
dkuchay
n00b


Joined: 01 Apr 2019
Posts: 7
Location: Schenectady, NY

Posted: Mon Apr 01, 2019 5:45 pm    Post subject:

Appreciate your call to regroup on my approach.

Will not be disappointed with this taking slightly less time either. Very logical. I'll back up a few steps and implement a clean F2FS.

Thank you NeddySeagoon!
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13845

Posted: Tue Apr 02, 2019 1:24 am    Post subject:

You can do this in several ways, some more convenient or robust than others. The simplest would be that each drive contains a LUKS container. The containers may or may not, at your preference, use the same passphrase / passfile to unlock them. Once unlocked, each LUKS container would expose a virtual block device to which you write the plaintext you wish to protect. For your scenario, put the physical volumes on these LUKS containers. For example:
Code:

# /dev/disk/by-example-path/disk1 and disk2 are your physical devices,
# often /dev/sda or /dev/nvme
cryptsetup luksFormat /dev/disk/by-example-path/disk1
cryptsetup luksFormat /dev/disk/by-example-path/disk2
# crypt-disk1, crypt-disk2 become the virtual block devices exposing the
# inside of the LUKS container
cryptsetup luksOpen /dev/disk/by-example-path/disk1 crypt-disk1
cryptsetup luksOpen /dev/disk/by-example-path/disk2 crypt-disk2
# Create your physical volumes on crypt-disk1 and crypt-disk2 so that LUKS protects LVM
pvcreate /dev/mapper/crypt-disk1 /dev/mapper/crypt-disk2
vgcreate vg-crypt-lvm /dev/mapper/crypt-disk1 /dev/mapper/crypt-disk2
# Use lvcreate to create appropriate logical volumes in the group
Beware that constructing a volume group out of multiple drives may in some cases mean that loss of one drive breaks your ability to access any data on the surviving drive. Make good backups.
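
The passfile variant of the layout described in the post above, as an added example that is not part of the thread: one keyfile is enrolled in each container and then used to open both before LVM is activated. The function names, the `DRY_RUN` switch and every path are assumptions of this example; the device and mapper names are placeholders.

```shell
#!/bin/sh
# Added example: one keyfile for several LUKS containers.
# Function names, the DRY_RUN switch and all paths are assumptions of this
# example; the device and mapper names are placeholders.

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Refuse a keyfile that is missing or accessible to group/other.
# On a vfat stick the mode comes from the mount options (e.g. umask=077).
check_keyfile() {
    [ -f "$1" ] || { echo "keyfile not found: $1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || {
        echo "keyfile $1 is accessible to group/other ($perms)" >&2
        return 1
    }
}

# enroll_key KEYFILE DEVICE...
# Adds the keyfile as an extra key slot on each container; cryptsetup asks
# for an existing passphrase of that container before adding it.
enroll_key() {
    keyfile=$1; shift
    check_keyfile "$keyfile" || return 1
    for dev in "$@"; do
        run cryptsetup luksAddKey "$dev" "$keyfile" || return 1
    done
}

# unlock_all KEYFILE DEVICE:NAME...
# Opens each container with the same keyfile. The pair is split on the last
# colon because /dev/disk/by-path names contain colons themselves.
unlock_all() {
    keyfile=$1; shift
    check_keyfile "$keyfile" || return 1
    for pair in "$@"; do
        dev=${pair%:*}
        name=${pair##*:}
        if [ -e "/dev/mapper/$name" ]; then
            echo "skip $name: already open" >&2
            continue
        fi
        run cryptsetup open --type luks --key-file "$keyfile" "$dev" "$name" || return 1
    done
}
```

With a single keyfile, whoever holds the USB stick can open both containers, so keeping a separate passphrase slot on each container gives a fallback if the stick is lost or has to be revoked.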
All times are GMT