Add an additional LUKS volume to be opened at boot time to my 24.10 installation

Ubuntu Version: 24.10

Desktop Environment (if applicable): GNOME (Ubuntu default)

Problem Description:
I have a notebook running Ubuntu 24.10 and have set up an encrypted LUKS partition with LVM on top using the graphical installer. The LUKS volume gets unlocked at boot time with a password using the kernel keyring in the background.
Now I’ve acquired a second NVMe SSD that I want to add to the laptop and I want to create an additional LUKS volume on it that should also be unlocked at boot time using the same method - kernel keyring.

To be quite frank: I’ve got Linux (Debian) experience since 1996, Ubuntu experience since 2004, I’m pretty confident with LUKS itself - but my “conventional” methods using scripts to implement the second LUKS volume with a derived key from the first one simply don’t work here and currently I don’t find ANY helpful wiki articles as to HOW to deal with LUKS volumes using the kernel keyring.

Relevant System Information:
Lenovo Thinkpad E16 Gen2 (Intel) with 64 GB RAM

What I’ve Tried:
I’m quite frustrated because “googling” information for my projects is something that I regularly do, I’m a 42-year-old ADHD-driven autodidact with high reading speed and I’ve always succeeded in gathering all information & knowledge by myself.

But THIS subject drives me crazy as there is virtually NO documentation available how the LUKS setup is done in current Ubuntu versions.

I’ve searched through the official documentation, through the German and English wikis - but nothing, only old and deprecated information that doesn’t work with the current LUKS implementation in Ubuntu 24.10. And I’ve still not found a good starting point for reverse engineering to figure it out by myself.


To create an additional LUKS volume that should be unlocked at boot time, please try this.

Format the new partition: Use a tool like fdisk or parted to create a new partition on your disk. Then, format it as a LUKS volume using the cryptsetup command. For example:

cryptsetup luksFormat /dev/sdXn

Replace /dev/sdXn with the appropriate device identifier for your new partition.

Open the LUKS volume: Once the partition is formatted, open it to mount it:

cryptsetup luksOpen /dev/sdXn myluksvolume

Create a filesystem on the unlocked LUKS volume:

Edit /etc/crypttab: Add an entry for your new LUKS volume in the /etc/crypttab file to ensure it is unlocked at boot time. The entry should look something like this:

myluksvolume UUID=your-uuid /path/to/keyfile luks

Replace UUID=your-uuid with the UUID of your LUKS volume and /path/to/keyfile with the path to your keyfile if you are using one. If you are using a passphrase, you can omit the keyfile path.

Edit /etc/fstab: Add an entry to /etc/fstab to mount the LUKS volume at boot time. For example:

/dev/mapper/myluksvolume /mnt/myluksvolume ext4 defaults 0 2

Replace /mnt/myluksvolume with the mount point you want to use.

After editing /etc/crypttab and /etc/fstab, regenerate the initramfs to include the new LUKS volume:

update-initramfs -u

Now your additional LUKS volume should/will be unlocked and mounted at boot time… Good Luck :slight_smile:
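Added example, not part of the reply above: a pre-flight lint for the /etc/crypttab step, to run before update-initramfs -u. crypttab fields are positional (name, device, key, options) and the key field is written as none when a passphrase is to be asked for at boot, so the check flags a key field that is neither none nor an absolute path, key files readable by group or others, and kernel device names. The names lint_crypttab and demo, the sample UUIDs and the sample paths are constructed for illustration; entries that use keyscript= are skipped.

```shell
#!/bin/sh
# Added example (not from the thread): lint crypttab entries before
# running update-initramfs -u. Prints one finding per line, returns 1 if any.
lint_crypttab() {
    found=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        if [ -z "$key" ]; then
            echo "$name: needs at least name, device and key fields"; found=1; continue
        fi
        case $dev in   # kernel names can change when a disk is added
            /dev/sd*|/dev/nvme*) echo "$name: $dev is a kernel name, prefer UUID="; found=1 ;;
        esac
        case $opts in *keyscript=*) continue ;; esac   # key field is the script's argument
        case $key in
            none) ;;   # passphrase is asked for at boot
            /*) if [ ! -f "$key" ]; then
                    echo "$name: key file $key not found"; found=1
                elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
                    echo "$name: key file $key is accessible to group or others"; found=1
                fi ;;
            *)  echo "$name: key field '$key' is neither 'none' nor an absolute path"; found=1 ;;
        esac
    done < "$1"
    return "$found"
}

# Constructed sample input: every UUID and path below is made up.
demo() {
    d=$(mktemp -d)
    ( umask 077; : > "$d/good.key" )               # mode 600
    : > "$d/loose.key"; chmod 644 "$d/loose.key"   # readable by everyone
    cat > "$d/crypttab" <<EOF
# name     device                                     key   options
luks_ok    UUID=11111111-2222-3333-4444-555555555555  none  luks
luks_key   UUID=11111111-2222-3333-4444-666666666666  $d/good.key  luks
luks_bad   UUID=11111111-2222-3333-4444-777777777777  luks
luks_open  UUID=11111111-2222-3333-4444-888888888888  $d/loose.key  luks
luks_dev   /dev/nvme1n1p1  none  luks
EOF
    lint_crypttab "$d/crypttab" && st=0 || st=$?
    rm -rf "$d"
    return "$st"
}
demo || true
```

On a real system the function would be pointed at /etc/crypttab and run as root so that the key files can be inspected.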

I don’t mount mine at boot, but looks like this:

sudo blkid /dev/sda1
/dev/sda1: UUID="cbf31689-7964-4f5d-a078-f3ec565f5522" TYPE="crypto_LUKS" PARTUUID="bcaf7a66-01"

EDIT: If a GUI tool is needed, then GNOME Disk utility does a good job at creating a LUKS encrypted drive.

And I still don’t need/want it unlocked at boot.

Easiest way to do it is with the Disks app (gnome-disk-tool). Find the partition you want to decrypt at boot and find the button to edit encryption options. (Enter any key and it will save a plaintext keyfile for you, with root-only permissions).

You can also edit mount options for the decrypted volume. All this spares having to edit fstab and crypttab and prevents errors.
