[help needed] expand root with a new luks + btrfs device

Hi all!

I have 2 SSDs with the same size in the laptop. When I installed Aurora-dx a few months back I only selected one of them as the target, with manual partitioning but the recommended partition layout created by Anaconda, disk encryption selected.

Now I would like to expand the btrfs filesystem with an encrypted partition created over the second SSD, just like how Anaconda would have created it if I were to select both SSDs at installation time.
There is a lot of outdated and/or conflicting info regarding this on the web, especially not considering the rpm-ostree based system, and I wouldn’t want to mess up my system.

Can you please help me with how best to achieve this?

Current partition layout:

❯ lsblk -f
NAME                                          FSTYPE      FSVER LABEL UUID        FSAVAIL FSUSE% MOUNTPOINTS
sda                                                                                                                       
├─sda1                                        vfat        FAT32       uuid_efi    586.2M     2% /boot/efi
├─sda2                                        ext4        1.0         uuid_boot   427.3M    49% /boot
└─sda3                                        crypto_LUKS 2           uuid_luks1                
  └─luks-uuid_luks1                           btrfs             hname uuid_btrfs  166.3G    28% /usr/bin/swtpm
                                                                                                /var/home
                                                                                                /var
                                                                                                /sysroot/ostree/deploy/default/var
                                                                                                /usr
                                                                                                /etc
                                                                                                /
                                                                                                /sysroot
sdb                                                                                                                       
sdc                                                                                                                       
sdd                                                                                                                       
zram0                                                                                           [SWAP]

Kargs:

❯ rpm-ostree kargs 
rd.luks.uuid=luks-uuid_luks1 rhgb quiet root=UUID=uuid_btrfs rootflags=subvol=root rw ostree=/ostree/boot.0/default/4eb2f99de89447355bd6f1d8defc92881ce7ac0a1593840918b9a3dd11ee6d9d/0
❯ sudo cat /etc/crypttab 
luks-uuid_luks1 UUID=uuid_luks1 none discard
❯ sudo cat /etc/fstab 

#
# /etc/fstab
# Created by anaconda on Sun Nov 10 13:10:23 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
UUID=uuid_btrfs /                       btrfs   subvol=root,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=uuid_boot  /boot                   ext4    defaults        1 2
UUID=uuid_efi   /boot/efi               vfat    umask=0077,shortname=winnt 0 2
UUID=uuid_btrfs /home                   btrfs   subvol=home,compress=zstd:1,x-systemd.device-timeout=0 0 0
UUID=uuid_btrfs /var                    btrfs   subvol=var,compress=zstd:1,x-systemd.device-timeout=0 0 0
❯ sudo btrfs fi show
Label: 'hname'  uuid: uuid_btrfs
	Total devices 1 FS bytes used 65.73GiB
	devid    1 size 236.87GiB used 81.02GiB path /dev/mapper/luks-uuid_luks1

What I was able to gather so far:

  1. sudo cryptsetup luksFormat /dev/sdb (and enter same password as for existing luks partition)
  2. sudo cryptsetup open /dev/sdb luks-uuid_luks2
  3. sudo btrfs device add /dev/mapper/luks-uuid_luks2 /
  4. sudo btrfs balance start -mconvert=raid1 / (I would like duplicated metadata on both drives.)
  5. How to modify crypttab? Directly in the file or through kargs or both? (Currently both contain reference to uuid_luks1.)
  6. How to modify fstab if at all? systemctl daemon-reload needed as stated in fstab?
  7. Any initramfs to regenerate? If yes, how?
  8. I remember reading somewhere that adding cryptsetup.target (or similar??) is needed somewhere so that systemd waits for both disks to be decrypted before continuing with boot. Do you maybe have more info on this?
  9. Anything else that I missed?

Thank you!

I would suggest you create a GPT partition table on the unused drive, and create a partition for LUKS. While you can technically put LUKS on the bare drive without partitioning it first, it’s not common to do so.

Crypttab can be edited directly.
No need to edit fstab since mount is done by UUID.
I’m not certain about the kernel arguments piece.

Maybe there’s a step you need to have the new LUKS decrypt automatically with TPM (if you want that)…

Maybe you want to do a full btrfs rebalance so that your data ends up distributed more evenly.

The rest looks about right.

If you have doubts I suggest using a VM with two disks:

  1. Install to both disks using anaconda to see how anaconda would do it.
  2. Install to one disk, then practice your steps to add the 2nd disk manually.

I’m not certain if initramfs needs to be updated. Maybe it does, because it contains config for which LUKS things to open to unlock the root FS. Or maybe it doesn’t, because that’s what the kernel argument does…

Thanks @pauldoo for your help!

  • Indeed, it will be best to create a partition on the drive.
  • TPM unlock is set up already for the first drive, so I will have to set it up for the second as well, thanks for the reminder!
  • Data rebalance is also something I wanted, forgot to include it in the command.

I will also update the step list, but some points are still uncertain.

Can somebody please confirm the following:

  • kernel arguments and/or crypttab?
  • initramfs needs to be regenerated?
  • any change in systemd targets to wait for both disks to be decrypted?

Thank you!
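
A pre-reboot check for the crypttab and kargs question above, as an added example that is not from any poster in this thread: it reports which LUKS containers backing the root filesystem are missing from crypttab or from the `rd.luks.uuid=` kernel arguments. It assumes the second container should mirror the first one in both places, as in the output posted above; `uuid_luks2` is a hypothetical placeholder and the function names are made up for this sketch.

```shell
#!/bin/sh
# Constructed sample inputs, modelled on the crypttab and kargs posted above.
# uuid_luks2 is a hypothetical placeholder for the new container's UUID.
SAMPLE_CRYPTTAB='luks-uuid_luks1 UUID=uuid_luks1 none discard'
SAMPLE_KARGS='rd.luks.uuid=luks-uuid_luks1 rhgb quiet root=UUID=uuid_btrfs rootflags=subvol=root rw'

# crypttab_line UUID: entry in the same shape as the existing first-disk line.
crypttab_line() {
    printf 'luks-%s UUID=%s none discard\n' "$1" "$1"
}

# in_crypttab UUID TEXT: succeeds if an active (non-comment) entry uses UUID=<uuid>.
in_crypttab() {
    printf '%s\n' "$2" | awk -v want="UUID=$1" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        $2 == want     { found = 1 }     # second field is the source device
        END            { exit !found }'
}

# in_kargs UUID KARGS: succeeds if rd.luks.uuid names it, with or without "luks-".
in_kargs() {
    for arg in $2; do
        case "$arg" in
            "rd.luks.uuid=$1"|"rd.luks.uuid=luks-$1") return 0 ;;
        esac
    done
    return 1
}

# audit_unlock_config CRYPTTAB KARGS UUID...: prints one line per gap found.
audit_unlock_config() {
    crypttab=$1; kargs=$2; shift 2
    for uuid in "$@"; do
        in_crypttab "$uuid" "$crypttab" || echo "crypttab: missing $(crypttab_line "$uuid")"
        in_kargs "$uuid" "$kargs" || echo "kargs: missing rd.luks.uuid=luks-$uuid"
    done
}

# Demo on the constructed samples: the first disk is covered, the second is not.
audit_unlock_config "$SAMPLE_CRYPTTAB" "$SAMPLE_KARGS" uuid_luks1 uuid_luks2
```

On a real system the inputs would be `"$(sudo cat /etc/crypttab)"` and `"$(rpm-ostree kargs)"`, with each UUID taken from `cryptsetup luksUUID` on the partition holding the container.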