logo

Setting up an encrypted secondary drive on Linux

By: Michael Rispoli 2025-11-19

Setting up an encrypted secondary drive on Linux

#linux #devops #arch #omarchy

I recently received my brand new maxed out Framework Desktop and immediately installed Omarchy on it. However, I purchased a secondary drive and realized I had never actually had a second drive in my machine before. I went down the rabbit hole of setting this one up with full disk encryption and automatic mounting so you don't have to.

Spoiler alert, Claude code helped me with a lot of this, however I wanted to have a complete breakdown of everything we did so that I could a. reference it later and b. double check all of the things it was telling me to do so I didn't brick my machine. What follows is the exact setup I am using. My secondary drive is accessible from my home directory, is encrypted just like my main drive, mounts on startup, and doesn't require me to enter a password for this drive on every restart.

Table of Contents

Introduction

This guide walks you through setting up a secondary hard drive on Omarch Linux (an Arch-based distribution) running on a Framework Desktop. The setup includes:

  • Full disk encryption using LUKS (Linux Unified Key Setup)
  • btrfs filesystem (same as your main drive)
  • Automatic unlocking and mounting at boot
  • Proper permissions for your user account

Time required: ~15-20 minutes

Difficulty: Intermediate (but explained for beginners!)

Risk: Low (we're only working with the secondary drive, not your main system drive)

What We're Doing

Your Framework Desktop has two 2TB NVMe drives:

  • Primary drive (/dev/nvme0n1): Contains your operating system and home directory
  • Secondary drive (/dev/nvme1n1): Empty drive we'll set up for data storage

We'll set up the secondary drive to:

  1. Be encrypted (like your main drive) for security
  2. Automatically unlock when you boot (using a key file stored on your encrypted main drive)
  3. Mount at /home/<your_username>/storage so you can easily access it
  4. Use the btrfs filesystem for modern features like snapshots and compression

Why this approach?

  • Security: Your data is encrypted, so if someone physically removes the drive, they can't access it
  • Convenience: You only enter one password at boot (for your main drive), and the secondary drive unlocks automatically
  • Consistency: Using the same filesystem (btrfs) as your main drive keeps things familiar

Prerequisites

Before starting, ensure you have:

  • [x] Admin (sudo) access to your system
  • [x] Your user account password
  • [x] At least 10-15 minutes of uninterrupted time
  • [x] A backup of any data currently on the secondary drive (we'll erase everything!)

Check your sudo access:

sudo whoami

This should return root. If you get an error, you may need to fix your sudo configuration first.

In my case, with a fresh installation of Omarchy, I had to run omarchy-reset-sudo to fix it as per this issue.

Step-by-Step Guide

Step 1: Partitioning the Drive

What is partitioning?

Think of partitioning like dividing a physical hard drive into separate sections. Even though we have one physical drive, we can create multiple partitions that act like separate drives. For this setup, we'll create one large partition that uses the entire drive.

What is GPT?

GPT (GUID Partition Table) is the modern partitioning scheme that replaced the older MBR (Master Boot Record). It's required for drives larger than 2TB and works better with modern UEFI systems (which your Framework Desktop uses).

Command:

sudo parted /dev/nvme1n1 --script mklabel gpt mkpart primary 0% 100%

Breaking it down:

  • sudo: Run this command with administrator privileges
  • parted: The partitioning tool we're using
  • /dev/nvme1n1: The device name for your second NVMe drive
    • /dev/ is where Linux stores device files
    • nvme1n1 means NVMe drive #1 (counting from 0, so 0 is first, 1 is second)
  • --script: Run in non-interactive mode (don't ask for confirmation)
  • mklabel gpt: Create a new GPT partition table
  • mkpart primary 0% 100%: Create a primary partition using 0% to 100% of the drive (the whole thing)

Verify it worked:

lsblk /dev/nvme1n1

You should now see /dev/nvme1n1p1 (the "p1" means "partition 1").

Step 2: Setting Up LUKS Encryption

What is LUKS?

LUKS (Linux Unified Key Setup) is the standard encryption system for Linux. It encrypts your entire partition, making the data unreadable without the correct password (passphrase). Even if someone physically steals your drive, they can't access the data without your passphrase.

Command:

sudo cryptsetup luksFormat /dev/nvme1n1p1

Breaking it down:

  • cryptsetup: The tool for managing encrypted volumes
  • luksFormat: Initialize LUKS encryption on a partition
  • /dev/nvme1n1p1: The partition we just created

What happens when you run this:

  1. You'll see a warning that this will erase all data (type YES in all caps to confirm)
  2. You'll be asked to create a passphrase
  3. You'll need to enter it twice to confirm

Important notes about the passphrase:

  • This is a backup unlock method - you won't need it for daily use (we'll set up automatic unlocking next)
  • Write it down and store it somewhere safe!
  • If you lose both this passphrase AND the key file we create later, your data is permanently lost
  • Make it strong but memorable (passphrase example: "correct horse battery staple")

Step 3: Creating a Key File for Auto-Unlock

What is a key file?

A key file is a file containing random data that acts like a password. Instead of typing a passphrase every time you boot, the system reads this file automatically. Since this file is stored on your encrypted main drive, it's protected by your main drive's encryption.

Think of it like this:

  • Your main drive is a locked safe (encrypted with your boot password)
  • Inside that safe, you store a key to another safe (the key file for your secondary drive)
  • When you unlock the first safe, you automatically have access to the key for the second safe

Commands:

Create a secure directory for key files:

sudo mkdir -p /root/keyfiles
  • mkdir: Make directory
  • -p: Create parent directories if needed
  • /root/keyfiles: Location in the root user's home directory (only accessible by root)

Generate a random key file:

sudo dd if=/dev/urandom of=/root/keyfiles/storage.key bs=1024 count=4
  • dd: "Data duplicator" - copies data from one place to another
  • if=/dev/urandom: Input file is /dev/urandom (a source of random data)
  • of=/root/keyfiles/storage.key: Output file (where to save the key)
  • bs=1024: Block size of 1024 bytes (1 kilobyte)
  • count=4: Create 4 blocks (total size: 4KB of random data)

Secure the key file permissions:

sudo chmod 600 /root/keyfiles/storage.key
  • chmod: Change file mode (permissions)
  • 600: Only the owner (root) can read and write; no one else can access it
    • First digit (6): Owner can read (4) + write (2) = 6
    • Second digit (0): Group has no permissions
    • Third digit (0): Others have no permissions

Add the key file to LUKS:

sudo cryptsetup luksAddKey /dev/nvme1n1p1 /root/keyfiles/storage.key
  • luksAddKey: Add a new way to unlock this encrypted partition
  • You'll be asked for the passphrase you created in Step 2 (to prove you're authorized to add a new key)
  • After this, the drive can be unlocked either with the passphrase OR the key file

Step 4: Formatting with btrfs

What is a filesystem?

A filesystem determines how data is organized and stored on a partition. Think of it like the filing system in a library - it defines how books (files) are organized, cataloged, and retrieved.

Why btrfs?

Btrfs (B-tree File System, pronounced "butter fs" or "better fs") is a modern filesystem with advanced features:

  • Snapshots: Take instant backups of your entire drive
  • Compression: Automatically compress files to save space
  • Data integrity: Checks for and repairs corruption
  • Subvolumes: Create separate "sub-filesystems" within one partition

Your main Omarch drive uses btrfs, so using it for your secondary drive keeps things consistent.

Commands:

Unlock (open) the encrypted partition:

sudo cryptsetup open /dev/nvme1n1p1 storage --key-file /root/keyfiles/storage.key
  • cryptsetup open: Unlock an encrypted partition
  • /dev/nvme1n1p1: The encrypted partition
  • storage: The name to give this unlocked device (it will appear as /dev/mapper/storage)
  • --key-file: Use the key file instead of prompting for a passphrase

Format with btrfs:

sudo mkfs.btrfs -L "Storage" /dev/mapper/storage
  • mkfs.btrfs: Make a btrfs filesystem
  • -L "Storage": Give it a label called "Storage" (appears in file managers)
  • /dev/mapper/storage: The unlocked encrypted partition

What you'll see:

The command outputs information about your new filesystem:

  • UUID: A unique identifier for this filesystem
  • Node size: How btrfs organizes metadata (16KB is standard)
  • Filesystem size: Total capacity (1.82TB)
  • SSD detected: Btrfs optimizes for SSD/NVMe drives automatically
  • Features: Modern btrfs features enabled

Step 5: Mounting and Setting Permissions

What is mounting?

Mounting is the process of making a filesystem accessible at a specific location in your directory tree. Think of it like assigning a drive letter in Windows (C:, D:, etc.), except in Linux you can mount drives anywhere in your folder structure.

Commands:

Create the mount point:

mkdir -p /home/<your_username>/storage
  • Creates a directory at /home/<your_username>/storage where we'll access the drive
  • This is just an empty folder right now

Mount the filesystem:

sudo mount /dev/mapper/storage /home/<your_username>/storage
  • mount: Make a filesystem accessible
  • /dev/mapper/storage: The unlocked encrypted drive
  • /home/<your_username>/storage: Where to mount it
  • Now when you access /home/<your_username>/storage, you're actually reading/writing to the encrypted drive!

Set ownership:

sudo chown <your_username>:<your_username> /home/<your_username>/storage
  • chown: Change ownership
  • <your_username>:<your_username>: User and group (your username)
  • Without this, only root could write to the drive

Step 6: Configuring Auto-Mount at Boot

The goal: Make the drive unlock and mount automatically when you boot your computer.

Two configuration files are involved:

/etc/crypttab (Crypto Tab)

This file tells the system which encrypted partitions to unlock at boot and how to unlock them.

/etc/fstab (File System Tab)

This file tells the system which filesystems to mount at boot and where to mount them.

Commands:

Get the UUID of the encrypted partition:

sudo blkid /dev/nvme1n1p1
  • blkid: Block device ID - shows information about partitions
  • You'll see output like: UUID="b57373d9-72d9-4ec7-9354-8f3cd61d3df4" TYPE="crypto_LUKS"
  • Copy the UUID (the long string of numbers and letters)

Add to /etc/crypttab:

echo "storage UUID=b57373d9-72d9-4ec7-9354-8f3cd61d3df4 /root/keyfiles/storage.key luks" | sudo tee -a /etc/crypttab

Breaking it down:

  • echo: Output text
  • The text is: storage UUID=YOUR-UUID /root/keyfiles/storage.key luks
    • storage: Name for the unlocked device (will appear as /dev/mapper/storage)
    • UUID=...: Identifies which encrypted partition to unlock
    • /root/keyfiles/storage.key: Path to the key file to use for unlocking
    • luks: This is a LUKS-encrypted partition
  • |: Pipe - send the output to the next command
  • sudo tee -a /etc/crypttab: Append to the /etc/crypttab file
    • tee: Write to a file and also show output
    • -a: Append (don't overwrite)

Add to /etc/fstab:

echo "/dev/mapper/storage /home/<your_username>/storage btrfs defaults 0 2" | sudo tee -a /etc/fstab

Breaking it down:

The text is: /dev/mapper/storage /home/<your_username>/storage btrfs defaults 0 2

  • /dev/mapper/storage: The device to mount (your unlocked encrypted drive)
  • /home/<your_username>/storage: Where to mount it
  • btrfs: The filesystem type
  • defaults: Use default mount options (read-write, auto-mount, etc.)
  • 0: Don't dump (used by backup tools, 0 means skip)
  • 2: Filesystem check order (0=don't check, 1=check first, 2=check after root)

What happens at boot now:

  1. System reads /etc/crypttab
  2. Unlocks /dev/nvme1n1p1 using the key file, creating /dev/mapper/storage
  3. System reads /etc/fstab
  4. Mounts /dev/mapper/storage at /home/<your_username>/storage
  5. Your drive is ready to use!

Step 7: Testing the Configuration

Before rebooting, let's test that everything works correctly.

Commands:

Unmount and close the drive:

sudo umount /home/<your_username>/storage
sudo cryptsetup close storage
  • This simulates the state before boot (drive locked and unmounted)

Reload systemd and test auto-mount:

sudo systemctl daemon-reload
sudo systemctl restart cryptsetup.target
sudo mount -a
  • systemctl daemon-reload: Reload systemd configuration files
  • systemctl restart cryptsetup.target: Trigger encryption unlock (reads /etc/crypttab)
  • mount -a: Mount all filesystems in /etc/fstab that aren't already mounted

Verify it's mounted:

df -h | grep storage
  • df -h: Show disk free space in human-readable format
  • | grep storage: Filter to only show lines containing "storage"
  • You should see /dev/mapper/storage mounted at /home/<your_username>/storage

Test that you can write to it:

echo "Test file - LLMs will go here!" > /home/<your_username>/storage/test.txt
cat /home/<your_username>/storage/test.txt
  • Creates a test file and reads it back
  • If this works, your permissions are correct!

Understanding the Final Setup

What You Have Now

Physical layout:

/dev/nvme1n1 (2TB NVMe drive)
└── /dev/nvme1n1p1 (2TB partition, LUKS encrypted)
    └── /dev/mapper/storage (unlocked encrypted partition, btrfs filesystem)
        └── /home/<your_username>/storage (mounted and accessible)

At boot:

  1. You enter your main drive password
  2. System unlocks your main drive (containing your OS and the key file)
  3. System reads /root/keyfiles/storage.key from your main drive
  4. System automatically unlocks /dev/nvme1n1p1 using the key file
  5. System mounts it at /home/<your_username>/storage
  6. Ready to use!

Security model:

  • Both drives are encrypted
  • Only one password needed at boot
  • Key file is protected by your main drive's encryption
  • If someone steals just the secondary drive, they can't access it (no key file)
  • If someone steals both drives but doesn't have your password, neither drive can be accessed

Troubleshooting

Drive not mounting at boot

Check if it's unlocked:

ls /dev/mapper/

You should see storage in the list.

If not, check /etc/crypttab syntax:

cat /etc/crypttab | grep storage

Permission denied when writing to drive

Fix ownership:

sudo chown -R <your_username>:<your_username> /home/<your_username>/storage

Want to manually unlock/mount

Unlock:

sudo cryptsetup open /dev/nvme1n1p1 storage --key-file /root/keyfiles/storage.key

Mount:

sudo mount /dev/mapper/storage /home/<your_username>/storage

Want to manually unmount/lock

Unmount:

sudo umount /home/<your_username>/storage

Lock:

sudo cryptsetup close storage

Forgot your LUKS passphrase

If you still have access to the key file, you can:

  1. Unlock with the key file:

    sudo cryptsetup open /dev/nvme1n1p1 storage --key-file /root/keyfiles/storage.key

  2. Change the passphrase:

    sudo cryptsetup luksChangeKey /dev/nvme1n1p1

Need to add another way to unlock (second key file or passphrase)

sudo cryptsetup luksAddKey /dev/nvme1n1p1 /path/to/new/keyfile

Or to add a new passphrase:

sudo cryptsetup luksAddKey /dev/nvme1n1p1

Useful Commands

Check drive usage

df -h /home/<your_username>/storage

Check encryption status

sudo cryptsetup status storage

View LUKS header information

sudo cryptsetup luksDump /dev/nvme1n1p1

See all block devices

lsblk -f

Check btrfs filesystem info

sudo btrfs filesystem show /home/<your_username>/storage

Create a btrfs snapshot (instant backup)

sudo btrfs subvolume snapshot /home/<your_username>/storage /home/<your_username>/storage/.snapshots/snapshot-$(date +%Y%m%d)

Use Cases

Now that your drive is set up, here are some great uses:

Storing Local LLMs

Large language models can be 4GB to 70GB+ each:

mkdir -p /home/<your_username>/storage/llms
cd /home/<your_username>/storage/llms
# Download your models here

Media Storage

mkdir -p /home/<your_username>/storage/{movies,music,photos}

Development Projects

mkdir -p /home/<your_username>/storage/projects
cd /home/<your_username>/storage/projects
git clone https://github.com/yourproject

Backups

mkdir -p /home/<your_username>/storage/backups
rsync -av /home/<your_username>/important-data /home/<your_username>/storage/backups/

Conclusion

Congratulations! You've successfully set up an encrypted secondary drive with automatic unlocking and mounting. Your Framework Desktop now has:

  • 🔒 Security: Full disk encryption on both drives
  • Convenience: One password unlocks everything
  • 💾 Capacity: 1.8TB of additional storage
  • 🎯 Modern: Using btrfs with snapshots, compression, and integrity checking

Store your LUKS passphrase safely, and enjoy your expanded storage!

Document Information

  • Created: 2025-11-09
  • System: Omarch Linux (Arch-based)
  • Hardware: Framework Desktop
  • Drive: 2TB NVMe (/dev/nvme1n1)
  • Mount Point: /home//storage
  • Filesystem: btrfs
  • Encryption: LUKS with key file auto-unlock

Questions or Issues?

Refer to the Arch Wiki for detailed documentation:

Original article: Setting up an encrypted secondary drive on Linux by Mike Rispoli

Contact Us