Ubuntu: automatically unlock encrypted drives at boot

In the previous two posts, I’ve described how to install Ubuntu with full disk encryption and manual partitioning, both in UEFI mode and in BIOS mode. It also makes sense to encrypt additional drives (for example data and backup drives), not only the system drive, so here is a quick to-do list for doing just that. You will still have to enter a single passphrase when the system boots, to unlock the system partitions; the additional encrypted drive(s) are then unlocked automatically with a keyfile stored on the (already unlocked) root filesystem, so you are not prompted again. Keep in mind that the keyfile is exactly as safe as the filesystem it lives on: this scheme only makes sense when the root filesystem is itself encrypted, as in the previous posts, and anyone who can read /etc on the running system can unlock the data drive.

  • Backup the data on the target drive if needed
  • Install and run gparted
  • Select the disk you want to encrypt. If it still has partitions, delete them first; if it has no partition table yet, create a GPT one (Device > Create Partition Table). Then create a single new partition with file system type “unformatted” (give it a label if you wish), click “Apply” to confirm the changes, and take note of the new partition’s device name. Below I assume it is /dev/sdb1 (a second SATA drive next to the system disk); substitute your own device name throughout.
  • Open a terminal and run the following commands to encrypt the partition you have just created and put an ext4 filesystem inside it (luksFormat irreversibly wipes whatever was on the partition, which is why the backup comes first):
sudo cryptsetup -y -v luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 data_crypt
sudo mkfs.ext4 /dev/mapper/data_crypt

In this example the mapping is named “data_crypt”, so the unlocked device appears as /dev/mapper/data_crypt. The name can be anything, e.g. “backup_crypt” or one derived from the device name (sdb1_crypt), as long as you use the same name in /etc/crypttab and /etc/fstab below.

  • Now generate a keyfile if you don’t have one already (the same keyfile can be shared among multiple encrypted devices); it will be used to unlock the partition automatically at boot. Skip this if you already have a keyfile and want to reuse it. Create the file under a restrictive umask so it is never world-readable, not even for an instant, and then pin it to root, read-only:
sudo sh -c 'umask 077; dd if=/dev/urandom of=/etc/crypt.keyfile bs=512 count=1'
sudo chown root:root /etc/crypt.keyfile
sudo chmod 0400 /etc/crypt.keyfile
  • Add the keyfile to the encrypted partition (you will be asked for the passphrase you chose at luksFormat time; the keyfile goes into a second LUKS key slot, so the passphrase keeps working too):
sudo cryptsetup luksAddKey /dev/sdb1 /etc/crypt.keyfile
  • Run
sudo blkid /dev/sdb1

and take note of the UUID. It must be the UUID of the LUKS container (the partition itself, /dev/sdb1), not the UUID of the ext4 filesystem that blkid reports for /dev/mapper/data_crypt.

  • Run
sudo -H gedit /etc/crypttab

and add

data_crypt UUID=(the UUID without quotes) /etc/crypt.keyfile luks,discard

The discard option passes TRIM through to an SSD, which keeps the drive healthy but lets someone holding the raw disk see which blocks are unused. Leave it out on a spinning disk, or if that leak matters to you.
  • Create a directory under /mnt with the name you want to give to the mounted partition, e.g. “Data”:
sudo mkdir /mnt/Data
  • Run
sudo -H gedit /etc/fstab

and add

/dev/mapper/data_crypt /mnt/Data ext4 defaults 0 2
  • Finally, mount the partition and hand the mounted filesystem to your user (replace <user>). The mount has to come first: a chown on an unmounted mount point only changes the empty directory under it, not the filesystem:
sudo mount /mnt/Data
sudo chown <user>:<user> /mnt/Data -R
  • Reboot. The encrypted partition should now be unlocked automatically at boot. Hope it helps :)
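As an added example (not part of the original post), here is the whole procedure from the keyfile onwards as one bash script. It assumes the names used above (/dev/sdb1, data_crypt, /mnt/Data, /etc/crypt.keyfile), that the disk has already been luksFormat-ed and given an ext4 filesystem, and that the invoking user has a group of the same name; all of those can be overridden through environment variables. Beyond the manual steps it adds the checks I would want before trusting a reboot: it verifies the device really is a LUKS container, creates the keyfile under umask 077 so it is never exposed, enrols the keyfile only if it does not already unlock the device (so re-running does not burn key slots), appends the crypttab and fstab lines only once, and then unlocks and mounts with the keyfile right away, the same way boot will.

```bash
#!/bin/bash
# Added example, not code from the original post. Names below are the post's
# assumptions; override with e.g. DEV=/dev/sdc1 NAME=backup_crypt.
set -euo pipefail

DEV="${DEV:-/dev/sdb1}"                  # LUKS container: the partition, not the mapper
NAME="${NAME:-data_crypt}"               # mapper name -> /dev/mapper/$NAME
MNT="${MNT:-/mnt/Data}"                  # mount point
KEYFILE="${KEYFILE:-/etc/crypt.keyfile}" # lives on the (encrypted) root filesystem
OWNER="${OWNER:-${SUDO_USER:-}}"         # user who gets the mounted filesystem

# --- pure helpers: no root and no disks needed, so they can be checked first ---

# blkid prints UUIDs as lowercase 8-4-4-4-12 hex groups
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab_entry NAME UUID KEYFILE OPTIONS -> one /etc/crypttab line
crypttab_entry() {
    printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "$4"
}

# fstab_entry NAME MOUNTPOINT -> one /etc/fstab line (ext4, fsck pass 2)
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# ensure_line FILE LINE: append LINE unless an identical line is already there
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >>"$1"
}

# --- the privileged part ---

setup() {
    local uuid
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
    cryptsetup isLuks "$DEV" || { echo "$DEV is not a LUKS container" >&2; return 1; }

    # Keyfile: created with no group/world bits from the first byte (umask),
    # rather than fixed up afterwards, then pinned to root read-only.
    if [ ! -f "$KEYFILE" ]; then
        (umask 077; dd if=/dev/urandom of="$KEYFILE" bs=512 count=1 status=none)
    fi
    chown root:root "$KEYFILE"
    chmod 0400 "$KEYFILE"

    # Enrol the keyfile only if it does not already open the device; a blind
    # luksAddKey on every run would consume another key slot each time.
    if ! cryptsetup open --test-passphrase --key-file "$KEYFILE" "$DEV" 2>/dev/null; then
        cryptsetup luksAddKey "$DEV" "$KEYFILE"   # prompts for the existing passphrase
    fi

    # UUID of the LUKS container itself, not of the filesystem inside it.
    uuid="$(blkid -s UUID -o value "$DEV")"
    valid_uuid "$uuid" || { echo "could not read the LUKS UUID of $DEV" >&2; return 1; }

    ensure_line /etc/crypttab "$(crypttab_entry "$NAME" "$uuid" "$KEYFILE" luks,discard)"
    mkdir -p "$MNT"
    ensure_line /etc/fstab "$(fstab_entry "$NAME" "$MNT")"

    # Prove it works now, exactly as boot will: unlock with the keyfile, mount.
    [ -e "/dev/mapper/$NAME" ] || cryptsetup open --key-file "$KEYFILE" "$DEV" "$NAME"
    mountpoint -q "$MNT" || mount "$MNT"
    if [ -n "$OWNER" ]; then
        chown "$OWNER:$OWNER" "$MNT"   # after mounting, so it hits the filesystem root
    fi
    echo "ok: $DEV -> /dev/mapper/$NAME mounted on $MNT"
}

# Only act when asked explicitly: sudo ./auto-unlock.sh --run
if [ "${1:-}" = "--run" ]; then
    setup
fi
```

Run it as sudo ./auto-unlock.sh --run after the luksFormat/mkfs step; without --run it only defines the helpers, which is what makes the line builders easy to check on a throwaway file before touching /etc. The script does not reload systemd or remove the entries again, so if something goes wrong the fix is still to edit /etc/crypttab and /etc/fstab by hand.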