0

I already have full disk encryption set up and functioning perfectly with my Xubuntu 17.10. Now I have gotten myself a second hard drive, and I wish to enable full disk encryption on it.

In a perfect world both drives would be mounted at boot time.

v010dya
  • 1,502

1 Answer

2

I have managed to set everything up. I have done several things, some of which are documented on the internet quite well, while others ... not quite as well. Here I will describe what I did, in hopes that it will be useful to others.

Keep in mind that almost every command here needs administrator privileges; sudo -i is your friend.

First of all I needed to create an empty partition table and a single partition that took the entire drive; the partition needed to be without any filesystem. I did this with GParted, but any other tool would work as well.

Then I needed to make that partition encrypted:

cryptsetup --iter-time 5000 --use-random luksFormat --type luks2 /dev/sdb1
cryptsetup open /dev/sdb1 large_crypt

"large" in this case is just what I have decided to name that particular drive.

After that comes putting LVM on top of that encrypted partition:

pvcreate /dev/mapper/large_crypt
vgcreate largevg /dev/mapper/large_crypt

Now is the time to create logical volumes inside the created volume group (here largevg); I wanted to have 20G swap and the rest as ext4.

vgdisplay --units B

This gives the sizes of virtual groups in bytes. I took note of the one I have created and subtracted 20G from it manually.

The following commands were executed from /dev/mapper/ so that I wouldn't have to write the path all the time:

lvcreate -L 1980393601024B -n work largevg
mkfs.ext4 largevg-work
lvcreate -l 100%FREE -n swap largevg 
mkswap largevg-swap

In order to mount everything at boot, I did a well documented trick:

dd if=/dev/random of=/root/.large-keyfile bs=1024 count=4
chmod 0400 /root/.large-keyfile 
cryptsetup luksAddKey /dev/sdb1 /root/.large-keyfile

Finally I need to actually ensure that everything gets mounted at boot time:

blkid

Then take note of the block device partition UUID (/dev/sdb1 in my case). This will go into /etc/crypttab like so:

large_crypt UUID=[whatever uuid of sdb1 was] /root/.large-keyfile luks,discard

And then I added this into /etc/fstab:

/dev/mapper/largevg-work    /some/path  ext4    errors=remount-ro   0   2
/dev/mapper/largevg-swap    none    swap    sw  0   0

Just in case I did:

update-initramfs -u

Now everything works almost perfectly. The only issue is that for whatever reason Xubuntu thinks that the drive is external and puts the icon on the desktop as well as tries to allow me to dismount it (which I then cannot do); however, it's a minor nuisance, which I'll fix later.

v010dya
  • 1,502
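
An added example, not part of the answer above: a shell function that audits crypttab entries like the one shown, checking that each key file exists with mode 400 or 600 and reporting the discard option, since passing TRIM through LUKS reveals which blocks are unused. The function name audit_crypttab and the sample files are constructed for illustration; it assumes GNU stat.

```shell
#!/bin/sh
# audit_crypttab FILE: print one finding per line for risky entries.
# Hypothetical helper written for this example; requires GNU stat.
audit_crypttab() {
    crypttab=$1
    # Fields: mapper name, source device, key file, options.
    while read -r name device keyfile options _ || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac    # skip blanks and comments
        case $keyfile in
            ''|none|-) ;;                          # passphrase prompt, no key file
            /dev/*) ;;                             # e.g. /dev/urandom for swap
            *)
                if [ ! -f "$keyfile" ]; then
                    echo "$name: key file $keyfile is missing"
                else
                    mode=$(stat -c '%a' "$keyfile")
                    case $mode in
                        400|600) ;;                # owner-only access
                        *) echo "$name: key file $keyfile has mode $mode, expected 400 or 600" ;;
                    esac
                fi ;;
        esac
        # Match "discard" as a whole comma-separated option.
        case ",$options," in
            *,discard,*) echo "$name: discard enabled, TRIM reveals which blocks are unused" ;;
        esac
    done < "$crypttab"
}

# Constructed sample: a world-readable key file and a crypttab line
# shaped like the one in the answer (the UUID is a placeholder).
demo=$(mktemp -d)
printf 'constructed-key' > "$demo/keyfile"
chmod 0644 "$demo/keyfile"
printf 'large_crypt UUID=00000000-0000-0000-0000-000000000000 %s luks,discard\n' \
    "$demo/keyfile" > "$demo/crypttab"
audit_crypttab "$demo/crypttab"
rm -rf "$demo"
```

On a real system the call would be `audit_crypttab /etc/crypttab`, run as root so the key files are readable.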