Channel: Active questions tagged 22.04 - Ask Ubuntu

Auto unlocking and auto mounting 2nd (luks-encrypted) drive via Disks app, is it safe?


I was looking for a way to auto unlock and auto mount a secondary LUKS-encrypted drive at login time and came across quite technical solutions involving creating a keyfile and editing /etc/crypttab and /etc/fstab. However, I seem to have accomplished what I wanted without ever touching the terminal or manually editing those files, and I'd like to understand the security implications of what I did.

With the drive unlocked and mounted, I opened the Disks application and navigated to the disk I wanted to auto unlock/mount. It showed the ext4 partition on top (or, graphically, beneath) of a LUKS "Partition 1". I selected the LUKS partition and from the "Additional partition options" cogwheel I chose "Edit Encryption Option". I disabled "User Session Defaults" and checked "Unlock at system startup", leaving "required additional authorisation to unlock" unchecked and adding no passphrase. "Passphrase file" at the bottom read "none". Then I selected the ext4 partition and from the cogwheel I clicked "Edit Mount Options". Again I disabled "User Session Defaults" and checked both "Mount at system startup" and "show in user interface".

And bam, I got the behaviour I expected. After a restart the drive auto unlocked and auto mounted. Now here's the thing. I thought it was working because I had previously saved the password in the GNOME Passwords and Keys app by checking the "remember password" option when manually mounting. But because I thought it was unsafe to have the password saved somewhere where any application could access it, I deleted it in the Passwords and Keys app to see what happened. After another restart, the drive auto unlocked and auto mounted just like before (picture a confused emoji here...).

So my question is: How is the drive being automatically unlocked? I checked crypttab and a line was indeed added to it. That line ends with "none nofail", and there's no reference to any keyfile. So I'm beyond confused. Is my secondary drive protected with LUKS at all? Any clarification on what's going on would be greatly appreciated.

For reference, I am running Ubuntu 22.04.4 and my main drive is encrypted with full disk encryption.

EDIT 1:

This is what crypttab says:

    nvme0n1p3_crypt UUID=00946b8e-6f9a-402c-92ce-66c8f23b7a67 none luks,discard
    luks-a79fea44-a0dd-4fb3-ac03-714682584b53 UUID=a79fea44-a0dd-4fb3-ac03-714682584b53 none nofail

And this is the fstab file, indicating where the second volume is mounted:

    # /etc/fstab: static file system information.
    #
    # Use 'blkid' to print the universally unique identifier for a
    # device; this may be used with UUID= as a more robust way to name devices
    # that works even if disks are added and removed. See fstab(5).
    #
    # <file system> <mount point>   <type>  <options>       <dump>  <pass>
    /dev/mapper/vgubuntu-root /               ext4    errors=remount-ro 0       1
    # /boot was on /dev/nvme0n1p2 during installation
    UUID=af6d60a6-23df-4a83-9785-3833f3a0810c /boot           ext4    defaults        0       2
    # /boot/efi was on /dev/nvme0n1p1 during installation
    UUID=1427-43F0  /boot/efi       vfat    umask=0077      0       1
    /dev/mapper/vgubuntu-swap_1 none            swap    sw              0       0
    /dev/disk/by-uuid/c01b0e3d-f778-48ca-b1e5-301749198f6c /mnt/c01b0e3d-f778-48ca-b1e5-301749198f6c auto nosuid,nodev,nofail,x-gvfs-show 0 0

EDIT 2:

After some further testing I found out that the auto-unlocking and auto-mounting only works by following the steps I described if the secondary volume is encrypted with the same password as the main volume. Changing the password results in the volume no longer mounting automatically. I have also tested it on another machine (also with two drives, but running 24.04) and got the same results: same password as main volume, auto-unlock works, different passwords, no dice.

It does not seem to be the case of GNOME Keyring or another app "remembering" the password after I have deleted it from the Passwords and Keys app, as on my second machine I never told it to remember any password.

It seems that the second (and third, fourth?) drive can be unlocked at boot/login if it is encrypted with the same LUKS password as the main drive, though I have no idea how this is working...
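
An added example, not part of the original question: a small Python parser for the crypttab format quoted above that reports where each entry's key material comes from. Per crypttab(5), a third field of `none` or `-` means no key file is configured and a passphrase is requested at unlock time; the sample text is the two entries from the question, and the function names are this example's own.

```python
# Added example: report where each crypttab entry gets its key material.
# Field layout per crypttab(5): <name> <device> <key file> <options>

# The two entries quoted in the question, one per line.
QUESTION_CRYPTTAB = """\
nvme0n1p3_crypt UUID=00946b8e-6f9a-402c-92ce-66c8f23b7a67 none luks,discard
luks-a79fea44-a0dd-4fb3-ac03-714682584b53 UUID=a79fea44-a0dd-4fb3-ac03-714682584b53 none nofail
"""


def key_source(key_field, options):
    """Classify how the volume is unlocked, from the 3rd and 4th fields."""
    if any(opt.startswith("keyscript=") for opt in options):
        return "keyscript"          # Debian/Ubuntu: a program prints the key
    if key_field in ("none", "-"):
        return "passphrase-prompt"  # nothing stored; passphrase is requested
    if key_field in ("/dev/urandom", "/dev/random"):
        return "random-key"         # throwaway key, typically for swap
    return "keyfile"                # key material is read from this path


def parse_crypttab(text):
    """Return one dict per entry, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {line!r}")
        # A missing third field is treated like "none".
        key_field = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append({
            "name": fields[0],
            "device": fields[1],
            "key_source": key_source(key_field, options),
            "key_path": key_field if key_field not in ("none", "-") else None,
            "nofail": "nofail" in options,
        })
    return entries


if __name__ == "__main__":
    for e in parse_crypttab(QUESTION_CRYPTTAB):
        print(f'{e["name"]}: {e["key_source"]} (nofail={e["nofail"]})')
```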

