path: root/content/posts/adding-a-second-encrypted-drive-to-fedora/index.org

#+TITLE: Adding a Second Encrypted Drive to Fedora
#+DATE: 2024-01-14T00:20:01-05:00
#+DRAFT: false
#+DESCRIPTION:
#+TAGS[]: fedora, encryption, storage
#+KEYWORDS[]: fedora, encryption, storage
#+SLUG:
#+SUMMARY:

#+ATTR_HTML: :title Fedora with two hard drives
#+ATTR_HTML: :alt The Fedora logo one hard drive on either side
[[file:cover.png]]

This post will cover creating a second encrypted drive on Fedora that
automatically decrypts on boot and mounts to a set location.

I had finally run out of room on my SSD. I went to the store to buy
another so I could increase the amount of storage space in my PC. I
got home and installed it. Then I thought.

My main drive in encrypted and setup by the Fedora installer, so my
second should be too right? It only makes sense. Why have some data
encrypted and the rest out in the open.

When setting up the second drive, we're going to try to closely copy
what Fedora does by default when it creates an encrypted drive. It
also gives us a lot of flexibility as you'll see soon.

What we're going to setup is called a LVM-on-LUKS configuration. LUKS
is the Linux Unified Key Setup, the standard way Linux installations
encrypt drives. LVM is the Linux Logical Volume Manager. This lets us
create logical "devices" that we can place on top of the encrypted
drive and partition as we please, without having to re-partition the
hardware. By placing LVM on top of LUKS, our drive will just look like
a single encrypted partition from the outside, but once unlocked, can
contain many partitions. Even if we only want to create a single
partition right now, this is a one-time setup that gives us the
flexibility to partition the drive as we like in the future without
having to setup the encryption again.

To start the new SSD is completely blank, so we're going to have to
give it a GPT partition table. This can be done in the gnome Disks
utility by clicking on the drive, then clicking the three dots in the
top corner, and then "Format Disk". After that you'll want to choose
the GPT partitioning system.

#+ATTR_HTML: :title Formatting the disk
#+ATTR_HTML: :alt clicking the format disk button in gnome disks
[[file:format disk.png]]

#+ATTR_HTML: :title Creating a new partition table
#+ATTR_HTML: :alt creating a new partition table in gnome disks
[[file:format disk gpt.png]]

Now we're going to create the encrypted LUKS layer. This can be done
in Disks as well. We're going to click on the + icon to create a new
partition. It should use all the space by default, click next. We're
then going to give the volume a name and select the Ext4 option and
check the LUKS box, click next.

#+ATTR_HTML: :title Selecting the partition type of ext4 + luks
#+ATTR_HTML: :alt Selecting the partition type of ext4 + luks in gnome disks
[[file:partition type.png]]

This is important, _*give the new drive the same password as your boot
drive*_. This will let you unlock both at the same time at boot. Click
create.

To get our system to decrypt this drive on boot, we're going to have
to add it to the [[https://www.freedesktop.org/software/systemd/man/latest/crypttab.html][=/etc/crypttab=]] file. This file contains a list of
encrypted drives to setup that need to be setup during the boot
process.

There should already be a line in there for our existing boot drive.
We want to add a similar line for our new device. To create the new
entry we need two pieces of information from Gnome Disks. We need the
hardware partition UUID, and the name of the decrypted partition.

To get the hardware partition UUID, click on the upper layer of the
partition in the device view. The UUID should be in the details in the
underneath. To get the name of the decrypted partition, click on the
lower half. In my case, the name of the encrypted partition is
=/dev/mapper/luks-<UUID of the disk>=. We're interested in only the
part that follows =/dev/mapper/=.

We then add the new line to our =/etc/crypttab= file. It should look
like this, ignoring the arrow and comment that follows it.

#+begin_src
luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX none discard <- Our original boot drive
luks-YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY UUID=YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY none discard <- Our new drive
#+end_src

The beginning of the line is the name of the decrypted partition,
followed by =UUID=<hardware uuid>=, the hardware partition UUID. The
word =none= tells LUKS that we are not using a keyfile. The word
=discard= here is a mount option that improves the efficiency of SSDs,
it's meaning is covered in the =crypttab= man page.

Now that our encryption is taken care of, we need to setup the
partitions.

LVM is split up into three layers. The physical volume layer, the
volume group layer, and the logical volume layer.

The physical layer represents actual hardware drives. The volume group
layer represents a "pool" of one or more drives that we can carve up
however we please, creating volumes out of the total available space
as though it's a single drive. The logical volume layer is made of the
new virtual devices that the OS sees after we've divided the volume
group layer.

LVM is setup like this because it lets you create [[https://en.wikipedia.org/wiki/RAID][RAID]] configurations
and logical partitions that span multiple physical disks. We aren't
interested in all of these features right now, but we must go through
the process all the same.

First we need to create a physical volume from the decrypted LUKS
partition. We use the =pvcreate= command alone with the LUKS partition
device file from Gnome Disks.

#+begin_src
sudo pvcreate /dev/mapper/luks-YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY
#+end_src

If it asks you about overwriting an ext4 partition, that is okay.
Gnome Disks created an ext4 partition that we are going to overwrite.
Just be sure it's the correct drive before confirming.

Next we're going to create a volume group from that physical volume.
We use the =vgcreate= command for that. We need to come up with a name
to represent this "pool", I just use =data_drive=.

#+begin_src
sudo vgcreate data_drive /dev/mapper/luks-YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY
#+end_src

Finally we need to create the logical volume that we're going to be
formatting with ext4. In my case I only want a single partition at the
moment, but may decide to shrink the partition and split it up
differently in the future. Since I only want a single partition for
now I'll use 100% of the available space. We create logical volumes
using the =lvcreate= command.

#+begin_src
sudo lvcreate -l 100%FREE data_drive -n data
#+end_src

The name of this logical volume is =data=.

The [[https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS][arch wiki]] also suggested that you leave at least 256M of extra
space so you can run =e2scrub= in case you want to check the
filesystem metadata.

#+begin_src
sudo lvreduce -L -256M data_drive/data
#+end_src

Our logical volumes can be resized and the underlying storage used to
create new logical volumes at any time in the future using the =lv*=
commands.

Our new logical volume should now be available at either
=/dev/data_drive/data= or =/dev/mapper/data_drive-data= and ready for
partitioning.

If you want to see what the LVM volumes look like, you can inspect
them using =pvs= and =pvdisplay= for the physical volumes, =vgs= and
=vgdisplay= for the volume groups, and =lvs= and =lvdisplay= for the
logical volumes.

Now we'll create our ext4 partition.

#+begin_src
sudo mkfs.ext4 /dev/data_drive/data
#+end_src

At this point the new logical volume is prepared and ready to be mounted.

For this I chose the location =/mnt/data=, but you can mount the drive
wherever you deem appropriate.

#+begin_src
sudo mkdir /mnt/data
sudo mount /dev/data_drive/data /mnt/data
#+end_src

If we want to make sure the system automatically mounts the drive at
boot, we can add it to our =/etc/fstab=.

We can add the following line to the bottom of the =/etc/fstab= file.

#+begin_src
/dev/mapper/data_drive-data   /mnt/data   ext4   defaults,x-systemd.device-timeout=0 1 2
#+end_src

The first column is the name of the device we want to mount. The
second column is the location we want to mount it. The third column is
the filesystem on that device. The fourth column is contains the mount
options we want to use, and the fifth and sixth columns are the dump
and fsck order. You can read about what they do in the =fstab= man
page.

Now everything should be setup and ready! The drive should unlock when
you type your password at boot and automatically mounted to the
correct location.