# Open second LUKS partition with derived key

## cypher_err

Is it possible to open a second LUKS partition with a key which is derived from the first partition, which in turn is decrypted by entering a password?

I know how to do it with systems which use /etc/crypttab but since I use OpenRC I don't know if it is possible.

Other distros can derive a key from a decrypted partition with the command

```
/lib/cryptsetup/scripts/decrypt_derived
```

Last edited by cypher_err on Fri Mar 13, 2015 10:12 pm; edited 1 time in total
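The mechanism behind `decrypt_derived` is simple: once a LUKS device is open, its volume (master) key is visible in the device-mapper table via `dmsetup table --showkeys`, and those bytes can be enrolled as a keyslot of a second device and fed to `cryptsetup luksOpen --key-file=-` at every boot. The following is an added example written for this thread, not the Debian/Ubuntu script itself or anything from the poster. It assumes `dmsetup`, `cryptsetup`, `xxd` and GNU `mktemp` are available and that the enrolment and open steps run as root; the mapping name `root_crypt`, the device `/dev/sdb1` and the target name `vault_crypt` are placeholders. It also handles one failure mode the original script predates: with LUKS2 the key is by default held in the kernel keyring and the table shows a `:<bits>:logon:...` reference instead of hex, so there is nothing to derive unless the first device was opened with `--disable-keyring`.

```shell
#!/bin/sh
# Added example (not from the thread): derive the volume key of an already
# opened dm-crypt mapping and use it to unlock a second LUKS device.
set -eu

# Extract the hex volume key from one `dmsetup table --showkeys` line read
# on stdin. Table layout for a crypt target:
#   <start> <length> crypt <cipher> <hexkey> <iv_offset> <dev> <offset> [opts]
# Prints the hex key on stdout. Fails if the target is not crypt, if the key
# field is a kernel-keyring reference (LUKS2 default, ":<bits>:logon:<desc>"),
# or if the field is not plain hex.
derived_key_hex() {
    read -r start len target cipher key rest || return 1
    [ "$target" = crypt ] || { echo "not a crypt target: $target" >&2; return 1; }
    case "$key" in
        :*) echo "key is in the kernel keyring; open the first device with --disable-keyring" >&2
            return 1 ;;
    esac
    printf '%s\n' "$key" | grep -Eq '^[0-9a-f]+$' \
        || { echo "unexpected key field in dm table" >&2; return 1; }
    printf '%s\n' "$key"
}

# Emit the binary volume key of the opened mapping $1 (what decrypt_derived
# prints). Requires root because dmsetup talks to the device-mapper control node.
derive_key() {
    dmsetup table --showkeys "$1" | derived_key_hex | xxd -r -p
}

# One-time setup: add the derived key as a keyslot of the second device.
# Keep an independent passphrase slot on the second device too: if the first
# device is ever reformatted its volume key changes and this slot is useless.
enrol_derived_key() {        # enrol_derived_key <opened-mapping> <second-luks-device>
    umask 077
    tmp=$(mktemp -p /dev/shm)                # tmpfs, never touches disk
    derive_key "$1" > "$tmp"
    cryptsetup luksAddKey "$2" "$tmp"        # prompts for an existing passphrase of $2
    shred -u "$tmp"
}

# Every boot (after the first device is open, e.g. from a local.d script or
# a hook in the initramfs): open the second device with the derived key.
open_with_derived_key() {    # open_with_derived_key <opened-mapping> <second-luks-device> <new-mapping>
    derive_key "$1" | cryptsetup luksOpen --key-file=- "$2" "$3"
}

# Usage (as root, after root_crypt is open):
#   enrol_derived_key root_crypt /dev/sdb1        # once
#   open_with_derived_key root_crypt /dev/sdb1 vault_crypt   # each boot
```

Note the trust relationship this creates: the volume key of the first device is now a passphrase for the second, so anyone who can read the first mapping's table (root on the running system) can open the second, and a `cryptsetup luksKillSlot` or passphrase change on the first device does not change its volume key and therefore does not revoke access to the second.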

----------

## tclover

Err, you mean using a keyfile encrypted with dm-crypt LUKS? Of course, you can. It's described over there: dm-crypt LUKS. If used with rootfs... you should be using a proper initramfs (follow the link in my sig.) I am not sure the dmcrypt init script manages that kind of keyfile, although it does support GnuPG-encrypted keyfiles. But you could hack the init script... it's a little complicated at first sight--this is a warning for an init script noob--but pretty doable quickly.

----------

## inf1nity

Hi tclover,

I think cypher_err wanted to use a derived key from a password-unlocked LUKS device so that the remaining devices wouldn't have to be opened manually.

https://help.ubuntu.com/community/encryptedZfs

for example uses the script /lib/cryptsetup/scripts/decrypt_derived (see also http://apt-browse.org/browse/ubuntu/trusty/main/amd64/cryptsetup/2%3A1.6.1-1ubuntu1/file/lib/cryptsetup/scripts/decrypt_derived ) to accomplish this. They then have something like a dmcrypt file which lists the devices to be treated by the initramfs:

```
target=vault_crypt,source=UUID=<uuid-/dev/sd?-vault1_crypt-crypt_LUKS-no-quotes>,keyscript=/scripts/luks/get.root_crypt.decrypt_derived
```

While genkernel and mkinitramfs-ll support keyfiles, as far as I could find out, I am missing something like this.

The reason why I write in here and hope you can help me is that I intend to accomplish the following setup:

/dev/sda1 LUKS & /dev/sdb1 LUKS -> zfs mirror -> boot ROOT, and I only want to enter the password once at boot time.

Should you be the author of mkinitramfs-ll, could you please tell me how this would be possible?

Thanks!

----------

