# Setting up an encrypted secondary drive on Linux

By: Michael Rispoli
Published: 2025-11-19

I recently received my brand new maxed out Framework Desktop and immediately installed Omarchy on it. However, I purchased a secondary drive and realized I had never actually had a second drive in my machine before. I went down the rabbit hole of setting this one up with full disk encryption and automatic mounting so you don't have to.

# Setting up an encrypted secondary drive on Linux

#linux #devops #arch #omarchy

I recently received my brand new maxed out Framework Desktop and immediately installed Omarchy on it. However, I purchased a secondary drive and realized I had never actually had a second drive in my machine before. I went down the rabbit hole of setting this one up with full disk encryption and automatic mounting so you don't have to.

Spoiler alert, Claude code helped me with a lot of this, however I wanted to have a complete breakdown of everything we did so that I could a. reference it later and b. double check all of the things it was telling me to do so I didn't brick my machine. What follows is the exact setup I am using. My secondary drive is accessible from my home directory, is encrypted just like my main drive, mounts on startup, and doesn't require me to enter a password for this drive on every restart.

## Table of Contents
- [Introduction](#introduction)
- [What We're Doing](#what-were-doing)
- [Prerequisites](#prerequisites)
- [Step-by-Step Guide](#step-by-step-guide)
  - [Step 1: Partitioning the Drive](#step-1-partitioning-the-drive)
  - [Step 2: Setting Up LUKS Encryption](#step-2-setting-up-luks-encryption)
  - [Step 3: Creating a Key File for Auto-Unlock](#step-3-creating-a-key-file-for-auto-unlock)
  - [Step 4: Formatting with btrfs](#step-4-formatting-with-btrfs)
  - [Step 5: Mounting and Setting Permissions](#step-5-mounting-and-setting-permissions)
  - [Step 6: Configuring Auto-Mount at Boot](#step-6-configuring-auto-mount-at-boot)
  - [Step 7: Testing the Configuration](#step-7-testing-the-configuration)
- [Understanding the Final Setup](#understanding-the-final-setup)
- [Troubleshooting](#troubleshooting)
- [Useful Commands](#useful-commands)
- [Use Cases](#use-cases)
- [Conclusion](#conclusion)

## Introduction

This guide walks you through setting up a secondary hard drive on Omarch Linux (an Arch-based distribution) running on a Framework Desktop. The setup includes:

- Full disk encryption using LUKS (Linux Unified Key Setup)
- btrfs filesystem (same as your main drive)
- Automatic unlocking and mounting at boot
- Proper permissions for your user account

**Time required:** ~15-20 minutes  
**Difficulty:** Intermediate (but explained for beginners!)  
**Risk:** Low (we're only working with the secondary drive, not your main system drive)

## What We're Doing

Your Framework Desktop has two 2TB NVMe drives:

- **Primary drive (`/dev/nvme0n1`):** Contains your operating system and home directory
- **Secondary drive (`/dev/nvme1n1`):** Empty drive we'll set up for data storage

We'll set up the secondary drive to:

1. Be encrypted (like your main drive) for security
2. Automatically unlock when you boot (using a key file stored on your encrypted main drive)
3. Mount at `/home/<your_username>/storage` so you can easily access it
4. Use the btrfs filesystem for modern features like snapshots and compression

**Why this approach?**

- **Security:** Your data is encrypted, so if someone physically removes the drive, they can't access it
- **Convenience:** You only enter one password at boot (for your main drive), and the secondary drive unlocks automatically
- **Consistency:** Using the same filesystem (btrfs) as your main drive keeps things familiar

## Prerequisites

Before starting, ensure you have:

- [x] Admin (sudo) access to your system
- [x] Your user account password
- [x] At least 10-15 minutes of uninterrupted time
- [x] A backup of any data currently on the secondary drive (we'll erase everything!)

Check your sudo access:

```bash
sudo whoami
```

This should return `root`. If you get an error, you may need to fix your sudo configuration first.

In my case, with a fresh installation of Omarchy, I had to run `omarchy-reset-sudo` to fix it as per [this issue](https://github.com/basecamp/omarchy/issues/1571).

## Step-by-Step Guide

### Step 1: Partitioning the Drive

**What is partitioning?**  
Think of partitioning like dividing a physical hard drive into separate sections. Even though we have one physical drive, we can create multiple partitions that act like separate drives. For this setup, we'll create one large partition that uses the entire drive.

**What is GPT?**  
GPT (GUID Partition Table) is the modern partitioning scheme that replaced the older MBR (Master Boot Record). It's required for drives larger than 2TB and works better with modern UEFI systems (which your Framework Desktop uses).

**Command:**

```bash
sudo parted /dev/nvme1n1 --script mklabel gpt mkpart primary 0% 100%
```

**Breaking it down:**

- `sudo`: Run this command with administrator privileges
- `parted`: The partitioning tool we're using
- `/dev/nvme1n1`: The device name for your second NVMe drive
  - `/dev/` is where Linux stores device files
  - `nvme1n1` means NVMe drive #1 (counting from 0, so 0 is first, 1 is second)
- `--script`: Run in non-interactive mode (don't ask for confirmation)
- `mklabel gpt`: Create a new GPT partition table
- `mkpart primary 0% 100%`: Create a primary partition using 0% to 100% of the drive (the whole thing)

**Verify it worked:**

```bash
lsblk /dev/nvme1n1
```

You should now see `/dev/nvme1n1p1` (the "p1" means "partition 1").

### Step 2: Setting Up LUKS Encryption

**What is LUKS?**  
LUKS (Linux Unified Key Setup) is the standard encryption system for Linux. It encrypts your entire partition, making the data unreadable without the correct password (passphrase). Even if someone physically steals your drive, they can't access the data without your passphrase.

**Command:**

```bash
sudo cryptsetup luksFormat /dev/nvme1n1p1
```

**Breaking it down:**

- `cryptsetup`: The tool for managing encrypted volumes
- `luksFormat`: Initialize LUKS encryption on a partition
- `/dev/nvme1n1p1`: The partition we just created

**What happens when you run this:**

1. You'll see a warning that this will erase all data (type `YES` in all caps to confirm)
2. You'll be asked to create a passphrase
3. You'll need to enter it twice to confirm

**Important notes about the passphrase:**

- This is a backup unlock method - you won't need it for daily use (we'll set up automatic unlocking next)
- Write it down and store it somewhere safe!
- If you lose both this passphrase AND the key file we create later, your data is permanently lost
- Make it strong but memorable (passphrase example: "correct horse battery staple")

### Step 3: Creating a Key File for Auto-Unlock

**What is a key file?**  
A key file is a file containing random data that acts like a password. Instead of typing a passphrase every time you boot, the system reads this file automatically. Since this file is stored on your encrypted main drive, it's protected by your main drive's encryption.

**Think of it like this:**

- Your main drive is a locked safe (encrypted with your boot password)
- Inside that safe, you store a key to another safe (the key file for your secondary drive)
- When you unlock the first safe, you automatically have access to the key for the second safe

**Commands:**

Create a secure directory for key files:

```bash
sudo mkdir -p /root/keyfiles
```

- `mkdir`: Make directory
- `-p`: Create parent directories if needed
- `/root/keyfiles`: Location in the root user's home directory (only accessible by root)

Generate a random key file:

```bash
sudo dd if=/dev/urandom of=/root/keyfiles/storage.key bs=1024 count=4
```

- `dd`: "Data duplicator" - copies data from one place to another
- `if=/dev/urandom`: Input file is `/dev/urandom` (a source of random data)
- `of=/root/keyfiles/storage.key`: Output file (where to save the key)
- `bs=1024`: Block size of 1024 bytes (1 kilobyte)
- `count=4`: Create 4 blocks (total size: 4KB of random data)

Secure the key file permissions:

```bash
sudo chmod 600 /root/keyfiles/storage.key
```

- `chmod`: Change file mode (permissions)
- `600`: Only the owner (root) can read and write; no one else can access it
  - First digit (6): Owner can read (4) + write (2) = 6
  - Second digit (0): Group has no permissions
  - Third digit (0): Others have no permissions

Add the key file to LUKS:

```bash
sudo cryptsetup luksAddKey /dev/nvme1n1p1 /root/keyfiles/storage.key
```

- `luksAddKey`: Add a new way to unlock this encrypted partition
- You'll be asked for the passphrase you created in Step 2 (to prove you're authorized to add a new key)
- After this, the drive can be unlocked either with the passphrase OR the key file

### Step 4: Formatting with btrfs

**What is a filesystem?**  
A filesystem determines how data is organized and stored on a partition. Think of it like the filing system in a library - it defines how books (files) are organized, cataloged, and retrieved.

**Why btrfs?**  
Btrfs (B-tree File System, pronounced "butter fs" or "better fs") is a modern filesystem with advanced features:

- **Snapshots:** Take instant backups of your entire drive
- **Compression:** Automatically compress files to save space
- **Data integrity:** Checks for and repairs corruption
- **Subvolumes:** Create separate "sub-filesystems" within one partition

Your main Omarch drive uses btrfs, so using it for your secondary drive keeps things consistent.

**Commands:**

Unlock (open) the encrypted partition:

```bash
sudo cryptsetup open /dev/nvme1n1p1 storage --key-file /root/keyfiles/storage.key
```

- `cryptsetup open`: Unlock an encrypted partition
- `/dev/nvme1n1p1`: The encrypted partition
- `storage`: The name to give this unlocked device (it will appear as `/dev/mapper/storage`)
- `--key-file`: Use the key file instead of prompting for a passphrase

Format with btrfs:

```bash
sudo mkfs.btrfs -L "Storage" /dev/mapper/storage
```

- `mkfs.btrfs`: Make a btrfs filesystem
- `-L "Storage"`: Give it a label called "Storage" (appears in file managers)
- `/dev/mapper/storage`: The unlocked encrypted partition

**What you'll see:**  
The command outputs information about your new filesystem:

- **UUID:** A unique identifier for this filesystem
- **Node size:** How btrfs organizes metadata (16KB is standard)
- **Filesystem size:** Total capacity (1.82TB)
- **SSD detected:** Btrfs optimizes for SSD/NVMe drives automatically
- **Features:** Modern btrfs features enabled

### Step 5: Mounting and Setting Permissions

**What is mounting?**  
Mounting is the process of making a filesystem accessible at a specific location in your directory tree. Think of it like assigning a drive letter in Windows (C:, D:, etc.), except in Linux you can mount drives anywhere in your folder structure.

**Commands:**

Create the mount point:

```bash
mkdir -p /home/<your_username>/storage
```

- Creates a directory at `/home/<your_username>/storage` where we'll access the drive
- This is just an empty folder right now

Mount the filesystem:

```bash
sudo mount /dev/mapper/storage /home/<your_username>/storage
```

- `mount`: Make a filesystem accessible
- `/dev/mapper/storage`: The unlocked encrypted drive
- `/home/<your_username>/storage`: Where to mount it
- Now when you access `/home/<your_username>/storage`, you're actually reading/writing to the encrypted drive!

Set ownership:

```bash
sudo chown <your_username>:<your_username> /home/<your_username>/storage
```

- `chown`: Change ownership
- `<your_username>:<your_username>`: User and group (your username)
- Without this, only root could write to the drive

### Step 6: Configuring Auto-Mount at Boot

**The goal:** Make the drive unlock and mount automatically when you boot your computer.

**Two configuration files are involved:**

#### `/etc/crypttab` (Crypto Tab)
This file tells the system which encrypted partitions to unlock at boot and how to unlock them.

#### `/etc/fstab` (File System Tab)
This file tells the system which filesystems to mount at boot and where to mount them.

**Commands:**

Get the UUID of the encrypted partition:

```bash
sudo blkid /dev/nvme1n1p1
```

- `blkid`: Block device ID - shows information about partitions
- You'll see output like: `UUID="b57373d9-72d9-4ec7-9354-8f3cd61d3df4" TYPE="crypto_LUKS"`
- Copy the UUID (the long string of numbers and letters)

Add to `/etc/crypttab`:

```bash
echo "storage UUID=b57373d9-72d9-4ec7-9354-8f3cd61d3df4 /root/keyfiles/storage.key luks" | sudo tee -a /etc/crypttab
```

**Breaking it down:**

- `echo`: Output text
- The text is: `storage UUID=YOUR-UUID /root/keyfiles/storage.key luks`
  - `storage`: Name for the unlocked device (will appear as `/dev/mapper/storage`)
  - `UUID=...`: Identifies which encrypted partition to unlock
  - `/root/keyfiles/storage.key`: Path to the key file to use for unlocking
  - `luks`: This is a LUKS-encrypted partition
- `|`: Pipe - send the output to the next command
- `sudo tee -a /etc/crypttab`: Append to the `/etc/crypttab` file
  - `tee`: Write to a file and also show output
  - `-a`: Append (don't overwrite)

Add to `/etc/fstab`:

```bash
echo "/dev/mapper/storage /home/<your_username>/storage btrfs defaults 0 2" | sudo tee -a /etc/fstab
```

**Breaking it down:**  
The text is: `/dev/mapper/storage /home/<your_username>/storage btrfs defaults 0 2`

- `/dev/mapper/storage`: The device to mount (your unlocked encrypted drive)
- `/home/<your_username>/storage`: Where to mount it
- `btrfs`: The filesystem type
- `defaults`: Use default mount options (read-write, auto-mount, etc.)
- `0`: Don't dump (used by backup tools, 0 means skip)
- `2`: Filesystem check order (0=don't check, 1=check first, 2=check after root)

**What happens at boot now:**

1. System reads `/etc/crypttab`
2. Unlocks `/dev/nvme1n1p1` using the key file, creating `/dev/mapper/storage`
3. System reads `/etc/fstab`
4. Mounts `/dev/mapper/storage` at `/home/<your_username>/storage`
5. Your drive is ready to use!

### Step 7: Testing the Configuration

Before rebooting, let's test that everything works correctly.

**Commands:**

Unmount and close the drive:

```bash
sudo umount /home/<your_username>/storage
sudo cryptsetup close storage
```

- This simulates the state before boot (drive locked and unmounted)

Reload systemd and test auto-mount:

```bash
sudo systemctl daemon-reload
sudo systemctl restart cryptsetup.target
sudo mount -a
```

- `systemctl daemon-reload`: Reload systemd configuration files
- `systemctl restart cryptsetup.target`: Trigger encryption unlock (reads `/etc/crypttab`)
- `mount -a`: Mount all filesystems in `/etc/fstab` that aren't already mounted

Verify it's mounted:

```bash
df -h | grep storage
```

- `df -h`: Show disk free space in human-readable format
- `| grep storage`: Filter to only show lines containing "storage"
- You should see `/dev/mapper/storage` mounted at `/home/<your_username>/storage`

Test that you can write to it:

```bash
echo "Test file - LLMs will go here!" > /home/<your_username>/storage/test.txt
cat /home/<your_username>/storage/test.txt
```

- Creates a test file and reads it back
- If this works, your permissions are correct!

## Understanding the Final Setup

### What You Have Now

**Physical layout:**

```
/dev/nvme1n1 (2TB NVMe drive)
└── /dev/nvme1n1p1 (2TB partition, LUKS encrypted)
    └── /dev/mapper/storage (unlocked encrypted partition, btrfs filesystem)
        └── /home/<your_username>/storage (mounted and accessible)
```

**At boot:**

1. You enter your main drive password
2. System unlocks your main drive (containing your OS and the key file)
3. System reads `/root/keyfiles/storage.key` from your main drive
4. System automatically unlocks `/dev/nvme1n1p1` using the key file
5. System mounts it at `/home/<your_username>/storage`
6. Ready to use!

**Security model:**

- Both drives are encrypted
- Only one password needed at boot
- Key file is protected by your main drive's encryption
- If someone steals just the secondary drive, they can't access it (no key file)
- If someone steals both drives but doesn't have your password, neither drive can be accessed

## Troubleshooting

### Drive not mounting at boot

Check if it's unlocked:

```bash
ls /dev/mapper/
```

You should see `storage` in the list.

If not, check `/etc/crypttab` syntax:

```bash
cat /etc/crypttab | grep storage
```

### Permission denied when writing to drive

Fix ownership:

```bash
sudo chown -R <your_username>:<your_username> /home/<your_username>/storage
```

### Want to manually unlock/mount

Unlock:

```bash
sudo cryptsetup open /dev/nvme1n1p1 storage --key-file /root/keyfiles/storage.key
```

Mount:

```bash
sudo mount /dev/mapper/storage /home/<your_username>/storage
```

### Want to manually unmount/lock

Unmount:

```bash
sudo umount /home/<your_username>/storage
```

Lock:

```bash
sudo cryptsetup close storage
```

### Forgot your LUKS passphrase

If you still have access to the key file, you can:

1. Unlock with the key file:
```bash
sudo cryptsetup open /dev/nvme1n1p1 storage --key-file /root/keyfiles/storage.key
```

2. Change the passphrase:
```bash
sudo cryptsetup luksChangeKey /dev/nvme1n1p1
```

### Need to add another way to unlock (second key file or passphrase)

```bash
sudo cryptsetup luksAddKey /dev/nvme1n1p1 /path/to/new/keyfile
```

Or to add a new passphrase:

```bash
sudo cryptsetup luksAddKey /dev/nvme1n1p1
```

## Useful Commands

### Check drive usage

```bash
df -h /home/<your_username>/storage
```

### Check encryption status

```bash
sudo cryptsetup status storage
```

### View LUKS header information

```bash
sudo cryptsetup luksDump /dev/nvme1n1p1
```

### See all block devices

```bash
lsblk -f
```

### Check btrfs filesystem info

```bash
sudo btrfs filesystem show /home/<your_username>/storage
```

### Create a btrfs snapshot (instant backup)

```bash
sudo btrfs subvolume snapshot /home/<your_username>/storage /home/<your_username>/storage/.snapshots/snapshot-$(date +%Y%m%d)
```

## Use Cases

Now that your drive is set up, here are some great uses:

### Storing Local LLMs

Large language models can be 4GB to 70GB+ each:

```bash
mkdir -p /home/<your_username>/storage/llms
cd /home/<your_username>/storage/llms
# Download your models here
```

### Media Storage

```bash
mkdir -p /home/<your_username>/storage/{movies,music,photos}
```

### Development Projects

```bash
mkdir -p /home/<your_username>/storage/projects
cd /home/<your_username>/storage/projects
git clone https://github.com/yourproject
```

### Backups

```bash
mkdir -p /home/<your_username>/storage/backups
rsync -av /home/<your_username>/important-data /home/<your_username>/storage/backups/
```

## Conclusion

Congratulations! You've successfully set up an encrypted secondary drive with automatic unlocking and mounting. Your Framework Desktop now has:

- 🔒 **Security:** Full disk encryption on both drives
- ⚡ **Convenience:** One password unlocks everything
- 💾 **Capacity:** 1.8TB of additional storage
- 🎯 **Modern:** Using btrfs with snapshots, compression, and integrity checking

Store your LUKS passphrase safely, and enjoy your expanded storage!

---

## Document Information

- **Created:** 2025-11-09
- **System:** Omarch Linux (Arch-based)
- **Hardware:** Framework Desktop
- **Drive:** 2TB NVMe (/dev/nvme1n1)
- **Mount Point:** /home/<username>/storage
- **Filesystem:** btrfs
- **Encryption:** LUKS with key file auto-unlock

## Questions or Issues?

Refer to the Arch Wiki for detailed documentation:

- [dm-crypt/Encrypting an entire system](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system)
- [btrfs](https://wiki.archlinux.org/title/Btrfs)
- [fstab](https://wiki.archlinux.org/title/Fstab)

---

**Original article:** [Setting up an encrypted secondary drive on Linux](https://dev.to/mrispoli24/setting-up-an-encrypted-secondary-drive-on-linux-3ioa) by Mike Rispoli

Canonical URL: https://www.causeofakind.com/blog/setting-up-an-encrypted-secondary-drive-on-linux