This is still work in progress for me but I give my interim response below. Thanks for all the help. On Wed, 29 May 2019 at 14:44, Guilhem Moulin wrote: > On Wed, 29 May 2019 at 12:26:12 +0100, Dominic Raferd wrote: > > Thanks but I am using the standard Debian recipe (via Ubuntu alternate > > installer which uses anaconda) for drive encryption (LUKS + dm-crypt, > with > > LVM on top) and this does not give any chance (AFAIK) to specify a > special > > parameter for cryptsetup. > > That flag is to be passed to `open` (or `refresh`) at initramfs stage, > not `luksFormat` at d-i stage. I suppose it doesn't change much though, > as --disable-keyring, and --token-* flags can't be specified to Debian's > crypttab(5) at the moment. > You raise my hopes and then dash them ;-) > > > The idea of reusing key from first crypt device when creating second > crypt > > device is that once the first crypt device is decrypted in initramfs (by > > user entering password) then the second one can be decrypted using the > key > > from the first. > > You have a backup key slot on the device unlocked with decrypt_derived, > right? Otherwise you'll loose both devices if the source is lost or > damaged. > I am only testing now but what you say is wise. > As written in /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz > decrypt_derived doesn't work with LUKS2 on Linux ≥4.10, because the > volume key of the source device is offloaded to the kernel keyring thus > not readable by userspace. Since --disable-keyring can't be > persistently written into the LUKS header as of 2.1.0, nor can it be > toggled from crypttab(5), I guess that if you want to stick to > decrypt_derived your options are to use `luksFormat --type luks1` (or `convert > --type luks1`); unfortunately this doesn't work. I try it (booting from SystemRescueCD): # cryptsetup convert /dev/sda5 --type luks1 WARNING! ======== This operation will convert /dev/sda5 to LUKS1 format. Are you sure? (Type uppercase yes): YES Cannot convert to LUKS1 format - keyslot 0 is not LUKS1 compatible. ...