Additional LUKS Encrypted Devices on Encrypted Debian Trixie

My notebook runs a fully encrypted version of Debian 13 (including the root filesystem and SWAP). Now it’s time to activate a second NVMe device. This should also be encrypted, but I don’t want to have to specify the passphrase for that device every time I reboot. Instead, the key file should be located on the root partition of the first device.

Setup Steps

Preparing the Device (Repartitioning)

  • NVMe device names are not stable across reboots: what was /dev/nvme1n1 before a reboot may now be /dev/nvme0n1, or vice versa. The lsblk -f command helps to tell devices that are already in use apart from the one that has just been added.
  • wipefs removes old partition tables and filesystem signatures from the device:
sudo wipefs -a /dev/nvme1n1
/dev/nvme1n1: 8 bytes were erased at offset 0x00000200 (gpt): 45 46 49 20 50 41 52 54
/dev/nvme1n1: 8 bytes were erased at offset 0xe8e0db5e00 (gpt): 45 46 49 20 50 41 52 54
/dev/nvme1n1: 2 bytes were erased at offset 0x000001fe (PMBR): 55 aa
/dev/nvme1n1: calling ioctl to re-read partition table: Success
  • Although other tools can manipulate partition tables, I still use fdisk to create a single large partition on the disk. The defaults suggested by fdisk produce a correctly aligned partition, which avoids performance problems and error messages in the subsequent steps. The (g) command creates a new GPT disklabel, (p) prints the partition table, (n) creates a new partition, (t) sets the partition type, and (w) writes the changes to the disk.
sudo fdisk /dev/nvme1n1
Command (m for help): g
Created a new GPT disklabel (GUID: AC0EB50D-4E46-46C7-892D-BEE19E49E76F).

Command (m for help): p
Disk /dev/nvme1n1: 931,51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Samsung SSD 990 EVO 1TB                 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AC0EB50D-4E46-46C7-892D-BEE19E49E76F

Command (m for help): n
Partition number (1-128, default 1):
Partition number (1-128, default 1): 
First sector (2048-1953525134, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1953525134, default 1953523711): 
Created a new partition 1 of type 'Linux filesystem' and of size 931,5 GiB.

Command (m for help): p
Disk /dev/nvme1n1: 931,51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: Samsung SSD 990 EVO 1TB                 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AC0EB50D-4E46-46C7-892D-BEE19E49E76F
Device         Start        End    Sectors   Size Type
/dev/nvme1n1p1  2048 1953523711 1953521664 931,5G Linux filesystem

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Encryption with LUKS/LUKS2

  • The new partition should be LUKS-encrypted. Rather than using device names such as /dev/nvme…, I would like to identify the partition by a UUID. To this end, I generate a new UUID with uuidgen and pass it to cryptsetup. The passphrase for the encryption must be entered, and lsblk can be used to verify the result.
uuidgen
168b9568-0540-40b8-b939-882be97eb6bb

cryptsetup luksFormat -q --type luks --sector-size 4096 --cipher aes-xts-plain64 --key-size 256 --uuid 168b9568-0540-40b8-b939-882be97eb6bb --pbkdf argon2i /dev/nvme1n1p1

lsblk -f
...
  • The partition can now be opened. I chose the /dev/disk/by-uuid/… path for the device, and the mapped device will later be available under the name luks-<UUID>, matching the naming of the partitions that the Debian installer created initially. Listing /dev/mapper shows that the device is available once the correct passphrase has been entered.
sudo cryptsetup luksOpen --persistent --allow-discards --perf-no_write_workqueue --perf-no_read_workqueue /dev/disk/by-uuid/168b9568-0540-40b8-b939-882be97eb6bb luks-168b9568-0540-40b8-b939-882be97eb6bb
Enter passphrase for /dev/disk/by-uuid/168b9568-0540-40b8-b939-882be97eb6bb:

ls -la /dev/mapper/
...
lrwxrwxrwx  1 root root       7 24. Aug 00:56 luks-168b9568-0540-40b8-b939-882be97eb6bb -> ../dm-2

Opening/Mounting the Device

  • Once a partition has been encrypted, it must be activated/opened during the boot process so that it can be used. For the root partition and SWAP of a Debian system, this is done early by GRUB, even before the OS is running. For other partitions, such as our new one, systemd performs this task. This has to be enabled by installing the necessary package:
sudo apt install systemd-cryptsetup
  • Systemd would also ask for a passphrase during boot, but I want a separate key file that systemd can use to open the encrypted device automatically.
  • dd creates a key file filled with random data. Access permissions for this file are restricted with chmod. The key file is then added as an additional key for the device, which requires entering the initial passphrase. Finally, the LUKS header is dumped so that the new key slot can be verified.
sudo dd if=/dev/urandom of=/crypto_keyfile_home.bin bs=512 count=8

sudo chmod 600 /crypto_keyfile_home.bin

sudo cryptsetup luksAddKey /dev/nvme1n1p1 /crypto_keyfile_home.bin

sudo cryptsetup luksDump /dev/nvme1n1p1
  • In order for systemd to recognize the new device, /etc/crypttab must be updated with a new entry (a single line).
sudo vi /etc/crypttab
...
luks-168b9568-0540-40b8-b939-882be97eb6bb UUID=168b9568-0540-40b8-b939-882be97eb6bb	/crypto_keyfile_home.bin luks,discard,keyscript=/bin/cat
  • After rebooting, listing /dev/mapper should show that all three encrypted devices are ready.
ls -la /dev/mapper/
....
lrwxrwxrwx  1 root root       7 23. Aug 16:29 luks-011bd881-8ec3-4a12-91df-52e1928539fb -> ../dm-1
lrwxrwxrwx  1 root root       7 24. Aug 00:56 luks-168b9568-0540-40b8-b939-882be97eb6bb -> ../dm-2
lrwxrwxrwx  1 root root       7 23. Aug 16:29 luks-45cabb59-0bb5-4737-b6c9-6007657d7a27 -> ../dm-0
  • The device can now be formatted and mounted …
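The following check script is an added example and not part of the original post: it validates a /etc/crypttab entry of the form used above (luks-<UUID> mapper name, UUID= source, absolute key file path, "luks" option) and verifies that the key file is readable by its owner alone, as set by chmod 600. The sample entries are constructed; the second one deliberately has a mapper name that does not match its UUID.

```shell
#!/bin/sh
# Added example (not the author's code): sanity checks for the crypttab +
# key file setup described above.

check_crypttab_line() {
    # $1: one crypttab line. Returns 0 if it follows the conventions used
    # on this page, 1 otherwise (reason printed to stderr).
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    name=$1; src=$2; key=$3; opts=$4
    case "$name" in
        luks-*) ;;
        *) echo "mapper name '$name' lacks the luks- prefix" >&2; return 1 ;;
    esac
    case "$src" in
        UUID=????????-????-????-????-????????????) ;;
        *) echo "source '$src' is not a UUID= reference" >&2; return 1 ;;
    esac
    [ "${name#luks-}" = "${src#UUID=}" ] ||
        { echo "mapper name and UUID differ for '$name'" >&2; return 1; }
    case "$key" in
        none|/*) ;;
        *) echo "key field '$key' must be 'none' or an absolute path" >&2; return 1 ;;
    esac
    case ",$opts," in
        *,luks,*) ;;
        *) echo "options '$opts' do not contain 'luks'" >&2; return 1 ;;
    esac
    return 0
}

keyfile_perms_ok() {
    # $1: key file path. Accepts only a regular file with mode 600 or 400.
    # (Ownership by root is a separate check, omitted here so the example
    # can run as an unprivileged user.)
    [ -f "$1" ] || { echo "$1: not a regular file" >&2; return 1; }
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$1: mode $perm is too permissive" >&2; return 1 ;;
    esac
}

# Constructed sample entries (spaces instead of tabs; both are accepted).
SAMPLE_OK='luks-168b9568-0540-40b8-b939-882be97eb6bb UUID=168b9568-0540-40b8-b939-882be97eb6bb /crypto_keyfile_home.bin luks,discard,keyscript=/bin/cat'
SAMPLE_BAD='luks-deadbeef-0000-4000-8000-000000000000 UUID=168b9568-0540-40b8-b939-882be97eb6bb /crypto_keyfile_home.bin luks,discard'

check_crypttab_line "$SAMPLE_OK"  && echo "sample 1: ok"
check_crypttab_line "$SAMPLE_BAD" || echo "sample 2: rejected"
```

On a real system, run the line check over every non-comment line of /etc/crypttab and keyfile_perms_ok over each key file path it names before rebooting, since a mismatched entry only shows up as a device that fails to appear under /dev/mapper.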