On Sun, Mar 8, 2015 at 5:36 AM, Tim lists@kiuni.de wrote:
> I'm sorry, but grep -i crypt /var/log/anaconda/anaconda.program.log returns nothing. But I have got an entry in /etc/crypttab.
OK ignore what I wrote about crypttab and pointing to a file. Robert's message is essentially correct.
It looks like the cryptsetup command gets stripped out of the anaconda.program.log, probably because it contains the user passphrase in it. This is the basic command used in RHEL 7 documentation [1] which you can adapt for either a whole disk or partition thereof rather than an LV.

    cryptsetup --verbose --verify-passphrase luksFormat <device>

Just use the same passphrase you're using for the other drive. Note that the actual key is different for the two LUKS volumes, so you should back up both of those LUKS headers (with cryptsetup), one isn't enough even though the passphrases are the same. (The DEK used to actually encrypt your data is randomly chosen.)
You'll need to make the following modifications:
/etc/fstab: mount options for LUKS encrypted volumes include x-systemd.device-timeout=0, which means it'll wait indefinitely for this fs volume to appear.

/etc/crypttab: just mimic what's already there for the existing LUKS volume, but of course use the correct UUIDs supplied by blkid.

/etc/default/grub: needs an additional rd.luks.uuid= to make systemd aware to expect it in early boot, for example [2]. If you look in the existing /etc/default/grub you'll see something like:

    GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-bbf5ebbd-d3f8-425e-9fc4-c48abd23bd8e....

So just add, anywhere in there, another rd.luks.uuid=luks-<uuid> including the uuid for the new luks volume. And then:

    grub2-mkconfig -o /boot/grub2/grub.cfg   ## assumes a BIOS system

which then creates a new grub.cfg with that addition.
That should be it. Definitely don't confuse UUIDs. The LUKS volume has a UUID, and the filesystem on that LUKS volume has its own UUID. They're not the same thing.
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
[2]
[ 0.471569] localhost.localdomain systemd[1]: Expecting device dev-disk-by\x2duuid-cd8dda17\x2d82d2\x2d48d0\x2da1b4\x2d2e68c16a7cc4.device...
[ 0.471584] localhost.localdomain systemd[1]: Expecting device dev-mapper-luks\x2dcd8dda17\x2d82d2\x2d48d0\x2da1b4\x2d2e68c16a7cc4.device...
[ 3.255684] localhost.localdomain systemd[1]: Starting Cryptography Setup for luks-cd8dda17-82d2-48d0-a1b4-2e68c16a7cc4...
[ 9.309257] localhost.localdomain systemd-cryptsetup[264]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/cd8dda17-82d2-48d0-a1b4-2e68c16a7cc4.
[ 12.024581] localhost.localdomain systemd[1]: Found device /dev/mapper/luks-cd8dda17-82d2-48d0-a1b4-2e68c16a7cc4.
[ 12.025339] localhost.localdomain systemd[1]: Started Cryptography Setup for luks-cd8dda17-82d2-48d0-a1b4-2e68c16a7cc4.
[ 12.226048] localhost.localdomain kernel: btrfs: device label centos devid 1 transid 39 /dev/mapper/luks-cd8dda17-82d2-48d0-a1b4-2e68c16a7cc4
[ 13.701094] localhost.localdomain systemd[1]: Found device /dev/mapper/luks-cd8dda17-82d2-48d0-a1b4-2e68c16a7cc4.
[ 13.727673] localhost.localdomain kernel: btrfs: device label centos devid 1 transid 39 /dev/mapper/luks-cd8dda17-82d2-48d0-a1b4-2e68c16a7cc4
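
A consistency check for the crypttab and grub edits described in the message above, added here as an example and not part of the original email. It assumes the crypttab layout "luks-<uuid> UUID=<uuid> none" and blkid output saved to a file; the function names, device names and all sample UUIDs are constructed.

```shell
#!/bin/sh
# check_luks_config CRYPTTAB GRUB_DEFAULT BLKID_OUTPUT
# Prints one line per problem; returns 0 when consistent, 1 otherwise.
check_luks_config() {
    rc=0
    # Second crypttab field is UUID=<uuid>; skip comment lines.
    for uuid in $(awk '$1 !~ /^#/ && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2 }' "$1"); do
        # Must be the UUID of the LUKS container, not of the filesystem on it.
        if ! grep -F " UUID=\"$uuid\"" "$3" | grep -q 'TYPE="crypto_LUKS"'; then
            echo "crypttab: $uuid is not a crypto_LUKS UUID"; rc=1
        fi
        # GRUB_CMDLINE_LINUX must carry a matching rd.luks.uuid=luks-<uuid>.
        if ! grep '^GRUB_CMDLINE_LINUX=' "$2" | grep -qF "rd.luks.uuid=luks-$uuid"; then
            echo "grub: missing rd.luks.uuid=luks-$uuid"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files (all UUIDs and device names are made up).
write_sample() {
    cat > "$1/crypttab" <<'EOF'
luks-11111111-1111-1111-1111-111111111111 UUID=11111111-1111-1111-1111-111111111111 none
luks-22222222-2222-2222-2222-222222222222 UUID=22222222-2222-2222-2222-222222222222 none
luks-33333333-3333-3333-3333-333333333333 UUID=33333333-3333-3333-3333-333333333333 none
EOF
    cat > "$1/grub" <<'EOF'
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-11111111-1111-1111-1111-111111111111 rhgb quiet"
EOF
    cat > "$1/blkid.txt" <<'EOF'
/dev/sda2: UUID="11111111-1111-1111-1111-111111111111" TYPE="crypto_LUKS"
/dev/sdb1: UUID="22222222-2222-2222-2222-222222222222" TYPE="crypto_LUKS"
/dev/mapper/luks-22222222-2222-2222-2222-222222222222: UUID="33333333-3333-3333-3333-333333333333" TYPE="ext4"
EOF
}

sample_dir=$(mktemp -d)
write_sample "$sample_dir"
check_luks_config "$sample_dir/crypttab" "$sample_dir/grub" "$sample_dir/blkid.txt" || true
```

On a real system, save the output of blkid to a file and pass /etc/crypttab, /etc/default/grub and that file as the three arguments.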