Auto decrypt multiple LUKS Devices with Mandos


I played around with Mandos to automatically open an encrypted root device. I wanted to set up an encrypted btrfs raid 1 (sda1 and sdb1: LUKS). The first device is decrypted correctly, but the second will not be opened. Is there a way to do this?


BEST ANSWER

The solution is relatively simple:

Instead of adding your disks to /etc/crypttab, add them directly to /etc/initramfs-tools/conf.d/cryptroot and don't forget the keyscript part (keyscript=/lib/mandos/plugin-runner).

/etc/initramfs-tools/conf.d/cryptroot:

    target=sda2_crypt,source=UUID=0f47884b-fb02-478e-b4dd-c594cf1cbbf1,key=none,rootdev,discard,keyscript=/lib/mandos/plugin-runner
    target=sdb2_crypt,source=UUID=65f16e28-5b74-4b1f-9f81-01729244ac2c,key=none,rootdev,discard,keyscript=/lib/mandos/plugin-runner

To be sure the complete cryptsetup stack is compiled correctly into the initramfs, add a dummy device to /etc/crypttab. Take care to add noauto, otherwise it will try to unlock the device on startup and will fail.

/etc/crypttab:

    dummy_device UUID=087963da-63bb-439b-bb5a-15e712d02a29 none noauto,luks,discard
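The two files above are easy to get subtly wrong (a second entry without the keyscript, or a dummy crypttab entry without noauto), so here is a small lint script to run before rebuilding the initramfs. It is an added example, not code from the answer or from the Mandos project; the sample files at the bottom are constructed here and reuse the answer's UUIDs as placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer): lint the two files the accepted
# answer describes before running update-initramfs. The samples at the bottom are
# constructed here; the UUIDs are the placeholders from the answer itself.
set -eu

MANDOS_KEYSCRIPT=/lib/mandos/plugin-runner

# Every rootdev entry in /etc/initramfs-tools/conf.d/cryptroot must carry the
# Mandos keyscript, or Mandos will not be asked for that device's key at boot.
# Prints each offending entry on stderr and returns 1 if any was found.
check_cryptroot() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;        # skip blanks and comments
        esac
        case ",$line," in
            *,rootdev,*)
                case ",$line," in
                    *",keyscript=$MANDOS_KEYSCRIPT,"*) ;;
                    *) echo "cryptroot: rootdev entry without Mandos keyscript: $line" >&2
                       bad=1 ;;
                esac ;;
        esac
    done < "$file"
    return $bad
}

# /etc/crypttab: an entry whose key field is "none" and whose options carry
# neither noauto nor a keyscript will be unlocked at boot, which is exactly
# what the answer warns about for the dummy device.
check_crypttab() {
    file=$1
    bad=0
    while read -r target source key opts || [ -n "$target" ]; do
        case $target in
            ''|'#'*) continue ;;
        esac
        case ",$opts," in
            *,noauto,*|*,keyscript=*) continue ;;
        esac
        if [ "$key" = none ]; then
            echo "crypttab: $target has key=none but neither noauto nor a keyscript" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# Constructed sample files (not the host's real configuration).
SAMPLE_DIR=$(mktemp -d)
GOOD_CRYPTROOT=$SAMPLE_DIR/cryptroot.good
BAD_CRYPTROOT=$SAMPLE_DIR/cryptroot.bad
CRYPTTAB_OK=$SAMPLE_DIR/crypttab.ok
CRYPTTAB_BAD=$SAMPLE_DIR/crypttab.bad

cat > "$GOOD_CRYPTROOT" <<EOF
target=sda2_crypt,source=UUID=0f47884b-fb02-478e-b4dd-c594cf1cbbf1,key=none,rootdev,discard,keyscript=$MANDOS_KEYSCRIPT
target=sdb2_crypt,source=UUID=65f16e28-5b74-4b1f-9f81-01729244ac2c,key=none,rootdev,discard,keyscript=$MANDOS_KEYSCRIPT
EOF

# Second device listed without the keyscript, so Mandos is never asked for its key.
cat > "$BAD_CRYPTROOT" <<EOF
target=sda2_crypt,source=UUID=0f47884b-fb02-478e-b4dd-c594cf1cbbf1,key=none,rootdev,discard,keyscript=$MANDOS_KEYSCRIPT
target=sdb2_crypt,source=UUID=65f16e28-5b74-4b1f-9f81-01729244ac2c,key=none,rootdev,discard
EOF

cat > "$CRYPTTAB_OK" <<'EOF'
# dummy entry only so that cryptsetup is pulled into the initramfs
dummy_device UUID=087963da-63bb-439b-bb5a-15e712d02a29 none noauto,luks,discard
EOF

# Same entry without noauto: the initramfs will try to unlock it at boot.
cat > "$CRYPTTAB_BAD" <<'EOF'
dummy_device UUID=087963da-63bb-439b-bb5a-15e712d02a29 none luks,discard
EOF

check_cryptroot "$GOOD_CRYPTROOT" && echo "cryptroot sample: ok"
check_cryptroot "$BAD_CRYPTROOT" || echo "cryptroot sample with missing keyscript: rejected"
check_crypttab "$CRYPTTAB_OK" && echo "crypttab sample: ok"
check_crypttab "$CRYPTTAB_BAD" || echo "crypttab sample without noauto: rejected"
```

Once both checks pass on the real files, run `update-initramfs -u` and then confirm with `lsinitramfs /boot/initrd.img-$(uname -r) | grep -E 'cryptsetup|mandos'` that the cryptsetup binaries and the Mandos plugin-runner actually ended up inside the image; a cryptroot entry that points at a keyscript missing from the initramfs fails at boot just as silently as a missing entry.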

ANSWER

As of Debian Stretch, it just works (tm). Both devices should be listed in /etc/crypttab and the btrfs raid1 should be set up. Then install mandos. Confirmed working on Debian Stretch 9.5.

ANSWER

I would suggest that you have a file on the root file system (I would suggest in /etc/keys) containing the password to any other disks, and enter that file name in the third field in /etc/crypttab.
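The key-file approach from this answer, as an added example that is not part of the original post: the script creates a root-only key file under /etc/keys, checks its permissions, enrols it in a LUKS key slot and emits the matching /etc/crypttab line with the key file in the third field. The device (/dev/sdb1), target name and key file name are assumptions for the example. It applies to a disk that is unlocked after the root file system is already up; a device that the root btrfs raid1 itself lives on still has to be opened from the initramfs, which this approach does not cover.

```shell
#!/bin/sh
# Added example (not from the original answer): unlock a second LUKS device with a
# key file kept on the already-decrypted root file system, as the answer suggests.
# Assumes the second device is /dev/sdb1 and is NOT needed to mount root itself;
# the target and key file names are hypothetical.
set -eu

DEVICE=/dev/sdb1
TARGET=sdb1_crypt
KEYFILE=/etc/keys/sdb1_crypt.key

# Create a 64-byte random key file, readable by root only, in a root-only directory.
make_keyfile() {
    dir=$(dirname "$1")
    mkdir -p "$dir"
    chmod 0700 "$dir"
    ( umask 077; head -c 64 /dev/urandom > "$1" )
    chmod 0600 "$1"
}

# The key is only as secret as the file: accept nothing but mode 0600 in a 0700 directory.
keyfile_is_private() {
    [ "$(stat -c %a "$1")" = 600 ] && [ "$(stat -c %a "$(dirname "$1")")" = 700 ]
}

# Build the /etc/crypttab line: target name, source by UUID, key file in the third field.
crypttab_keyfile_line() {
    printf '%s UUID=%s %s luks,discard\n' "$1" "$2" "$3"
}

# Privileged steps run only on the real host, as root: sh thisscript.sh apply
if [ "${1:-}" = apply ]; then
    make_keyfile "$KEYFILE"
    keyfile_is_private "$KEYFILE"
    # Enrols the key file in a free LUKS key slot; prompts for an existing passphrase.
    cryptsetup luksAddKey "$DEVICE" "$KEYFILE"
    crypttab_keyfile_line "$TARGET" "$(blkid -s UUID -o value "$DEVICE")" "$KEYFILE" >> /etc/crypttab
else
    # Dry run: show the line that would be appended. The UUID is the sdb placeholder
    # from the accepted answer, not a real device.
    crypttab_keyfile_line "$TARGET" 65f16e28-5b74-4b1f-9f81-01729244ac2c "$KEYFILE"
fi
```

Because the key file lives on a file system that is itself LUKS-protected and opened by Mandos, it is never stored in the clear on disk; the permission check matters because anything readable by another local user would let that user open the second disk offline with `cryptsetup --key-file`.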