[Image description:
Screenshot of terminal output:
~ ❯ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 62.5M 0 disk
└─topLuks 254:2 0 60.5M 0 crypt
└─bottomLuks 254:3 0 44.5M 0 crypt
/end image description]
I had no idea!
If anyone else is curious, it’s pretty much what you would expect:
cryptsetup -y -v luksFormat /dev/sda
cryptsetup open /dev/sda topLuks
cryptsetup -y -v luksFormat /dev/mapper/topLuks
cryptsetup open /dev/mapper/topLuks bottomLuks
lsblk
Then you can make a filesystem and mount it:
mkfs.ext4 /dev/mapper/bottomLuks
mount /dev/mapper/bottomLuks ~/mnt/embeddedLuksTest
I’ve tested putting files on it and then unmounting & re-encrypting it, and the files are indeed still there upon decrypting and re-mounting.
Again, sorry if this is not news to anyone else, but I didn’t realise this was possible before, and thought it was very cool when I found it out. Sharing in case other people didn’t know and also find it cool :)
I have an SSD and an HDD—I was considering on my next distro hop to put the root partition on the SSD and home partition on the HDD, decrypt the SSD and top level of the HDD upon boot, then decrypt the bottom level of the HDD upon user login. I’m sure many will think that’s overkill or silly, but hey, if you have full disk encryption you’ll have to enter two passwords to get into your computer anyway, just means your personal files get protected with two passwords. I would agree it’s mostly gimmicky but I still want to try it out lol
Amazing! How do you setup the decryption on login? systemd-home or something like that?
pam_mount. Arch wiki also suggests pam-exec although their explanation uses systemd (I’m using runit).
Fancy! TIL about pam_mount. Thanks, comrade!
Wouldn’t it be easier to just use a longer password and or a longer hash
Yes, it would. But it’s less fun lol