grazzolini / mkinitcpio-utils

Collection of Archlinux mkinitcpio utilities performing various tasks
BSD 3-Clause "New" or "Revised" License
11 stars 8 forks

Unlock multiple devices #11

Open flobeier opened 6 years ago

flobeier commented 6 years ago

I'd like to unlock two encrypted devices (with the same passphrase). Could you add support for that? I don't think I'm able to do this myself yet. Local unlocking of two encrypted devices is pretty easy (just copy the encrypt hook and give it another name) but I don't know how I can achieve the same with the encryptssh hook.

Edit: Turns out the same works for encryptssh too:

# cp /usr/lib/initcpio/install/encryptssh /etc/initcpio/install/encryptssh2
# cp /usr/lib/initcpio/hooks/encryptssh  /etc/initcpio/hooks/encryptssh2
# sed -i "s/cryptdevice/cryptdevice2/" /etc/initcpio/hooks/encryptssh2
# sed -i "s/cryptkey/cryptkey2/" /etc/initcpio/hooks/encryptssh2

One can then add another cryptdevice using cryptdevice2 (and another keyfile via cryptkey2 if needed). However, that's not a pretty solution and the cleanup hook disconnects me after unlocking the first volume. I'll have a look at how I can fix that.

In general it would still be nice to have a clean option to unlock multiple cryptdevices without the user having to manually add another hook by himself. Maybe by using a loop that checks if cryptdeviceX (and cryptkeyX) is populated and then acting accordingly? With X starting from 2 going upwards. Such a feature would be useful for the original encrypt hook too so that discussion might be better suited there.
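
The numbered-parameter loop suggested above, sketched as an added example that is not code from the mkinitcpio-utils repository or from the commenter. It assumes hypothetical boot parameters `cryptdevice2`, `cryptdevice3`, ... and `cryptkey2`, `cryptkey3`, ... (the real hooks only read `cryptdevice` and `cryptkey`), walks a kernel command line string, and stops at the first index that is not set. The command line it parses is constructed for the demo, not taken from a real system, and it only lists what it would unlock; the call to cryptsetup is left out so the script runs anywhere.

```sh
#!/bin/sh
# Added example (not from mkinitcpio-utils): enumerate cryptdevice,
# cryptdevice2, cryptdevice3, ... from a kernel command line and report
# each one, stopping at the first index that is missing. The cryptdeviceN /
# cryptkeyN names for N >= 2 are an assumption of this sketch.

# Print the value of "name=value" from a command-line string.
# $1: command line, $2: parameter name. Returns 1 if the parameter is absent.
cmdline_get() {
    for _w in $1; do
        case "$_w" in
            "$2"=*) printf '%s\n' "${_w#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Print one "device<TAB>keyspec" line per configured device, in order.
# Index 1 is the bare "cryptdevice"/"cryptkey"; higher indices carry the number.
# The loop ends at the first cryptdeviceN that is not set, so gaps are not skipped.
list_cryptdevices() {
    _n=1
    while :; do
        if [ "$_n" -eq 1 ]; then _suf=""; else _suf="$_n"; fi
        _dev=$(cmdline_get "$1" "cryptdevice$_suf") || break
        _key=$(cmdline_get "$1" "cryptkey$_suf") || _key=""
        printf '%s\t%s\n' "$_dev" "$_key"
        _n=$((_n + 1))
    done
}

# Number of devices the loop would try to unlock.
count_cryptdevices() {
    list_cryptdevices "$1" | wc -l | tr -d ' '
}

# Constructed sample command line (not a real /proc/cmdline).
# cryptdevice4 is deliberately set without a cryptdevice3 to show the gap rule.
SAMPLE_CMDLINE='root=/dev/mapper/root rw cryptdevice=/dev/sda2:root cryptdevice2=/dev/sdb1:data cryptkey2=/dev/sdc:0:256 cryptdevice4=/dev/sdd1:ignored'

# Reports /dev/sda2:root and /dev/sdb1:data, then stops at index 3.
list_cryptdevices "$SAMPLE_CMDLINE"
```

In a real hook each line printed here would feed the existing per-device unlock code (the `IFS=:` split into device, mapper name and options, then `cryptsetup open`), and the SSH session cleanup would have to run once after the loop rather than after the first device, which is the disconnect problem described above.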

ShapeShifter499 commented 6 years ago

I would love to see this feature. Any possibilities @grazzolini ?

grazzolini commented 6 years ago

@ShapeShifter499 The issue here is that cryptsetup itself doesn't have this ability. We would need to store the passphrase somewhere in the initramfs filesystem. Obviously there are a lot of things we can try to do, like storing the passphrase in memory only and then overwriting that portion of memory with something like smem. But this is not secure. This feature should be added to cryptsetup itself. So, we could possibly pass two (or more) devices as arguments to it for unlocking.