On 2020-06-02 23:27, Chris Narkiewicz wrote:
> Somebody on StackOverflow advised on modifying /etc/rc
> and run bioctl before disks are mounted, but I'm not sure
> if this is a right approach, especially that attaching
> more disks might change the /dev/sd* numbering.

That would cause you maintenance pain/broken systems. A less broken solution would be more targeted.

I have retrofitted encryption before, to allow manual post-boot activation of encryption via ssh, when abroad, without leaving a fob. Mounting a mail drive and also encrypted /var/spool and a backup drive from /etc/rc.securelevel.

When it asks for a password on boot, rc.securelevel runs fsck -p ... && /sbin/mount ... (... = duid etc). It also reads the passwords for the extra volumes with bioctl -p, for the convenience of only entering one password. Obviously the passwords are readable only by root and stored on the first encrypted drive.
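
The sequence described in the reply above, sketched as helper functions for /etc/rc.securelevel; this is an added example, not part of the original post. The DUIDs, the passfile path, and the `DRY_RUN` and `PASSFILE_UID` switches are constructed or hypothetical, and naming the chunk by DUID in `bioctl -l` is an assumption.

```sh
# Added example: helper functions for /etc/rc.securelevel.
# All DUIDs and paths are constructed placeholders.

# bioctl(8) expects a passfile that is root-owned and not group/world
# accessible. This check is stricter: exactly rw------- and the expected owner.
# PASSFILE_UID is a hypothetical override for trying this as non-root.
passfile_ok() {
	meta=$(ls -ln "$1" 2>/dev/null) || return 1
	set -- $meta                      # $1 = mode string, $3 = numeric uid
	case $1 in -rw-------*) ;; *) return 1 ;; esac
	[ "$3" = "${PASSFILE_UID:-0}" ]
}

# run: execute a command, or only print it when DRY_RUN is set (hypothetical
# switch so the sequence can be inspected on a machine without softraid).
run() {
	if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# unlock_and_mount CHUNK PASSFILE VOLUME MOUNTPOINT
# CHUNK and VOLUME are given as DUID.partition, so the sequence does not
# depend on which sdN the kernel assigns after more disks are attached.
unlock_and_mount() {
	chunk=$1 passfile=$2 volume=$3 mnt=$4
	passfile_ok "$passfile" || { echo "bad passfile: $passfile" >&2; return 1; }
	# Attach the crypto volume, reading the passphrase from the file.
	run /sbin/bioctl -c C -l "$chunk" -p "$passfile" softraid0 || return 1
	# Mount only if the preen pass succeeds, as in the post.
	run /sbin/fsck -p "$volume" && run /sbin/mount "$volume" "$mnt"
}

# Example call from /etc/rc.securelevel (constructed DUIDs and paths):
# unlock_and_mount 0123456789abcdef.d /root/keys/spool.pass \
#     fedcba9876543210.a /var/spool
```

Setting `DRY_RUN=1` prints the three commands in order without touching any disk.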