Hi Janek,

It took me a huge amount of reading to figure 2nd drive LUKS out (refs below). In a nutshell you just need to know the UUID and the passphrase and you can get your system to basically mount and un-mount LUKS the same as it does any normal drive.

I only have my pidgin notes, so translate with the Refs :( I’ve added companion commands in several places to show the name match-ups, so skip anything you’ve already done.

Do NOT copy/paste! It’s so easy to wipe the wrong drive with all the sda, sdb, sdc’s... And I found at least two of my own copy/pastes that had sdb instead of sda, so ugh...

Note: I use sda mapping to lesda throughout for the below examples. (My boot drive is nvme0n1 not the usual sda)
Note: I don’t use partitions when LUKSing an entire drive (no point, wastes space).

!Note to everyone! Seriously, if you haven’t read up on and understand LUKS, you will fubar your system by blindly following the below.

Assumptions:
- rootfs is LUKS
- swapfs is LUKS

First:
- Move Swap's keyfile to a safer place!
- I place all keyfiles in /root/.luks/

Then:
- Find the UUID
    cryptsetup luksDump /dev/sda

- Generate a keyfile or passphrase file.
    # random keyfile:
    dd if=/dev/urandom of=/root/.luks/keyfile.sda bs=1024 count=4
    # or a passphrase file instead (-n: no trailing line feed):
    echo -n "passphrase" > /root/.luks/keyfile.sda
  Note: Make sure your keyfile doesn't have a line feed (LF) anywhere in the file. e.g. Never open it with Nano!

- Check the device with badblocks
    blockdev --getbsz /dev/sda
    badblocks -svn -b 4096 -e 1 /dev/sda
    cryptsetup --key-file=/root/.luks/keyfile.sda luksOpen /dev/sda lesda
    umount /dev/mapper/lesda
    cryptsetup luksClose lesda
  Note (for USB 3.1):
    badblocks takes approximately 40 hours on a 6TB disk.
    badblocks takes approximately 45 hours on a 9TB disk.
  {no that doesn’t make sense to me either, different drive manufacturers??}

- Wipe the device with crypto-grade randomness
    cryptsetup open --type plain -d /dev/urandom /dev/sda to_be_wiped
    dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=4M status=progress conv=fdatasync
    cryptsetup luksClose to_be_wiped

- Create your file system
    cryptsetup --key-file=/root/.luks/keyfile.sda luksOpen /dev/sda lesda
    mkfs.ext4 /dev/mapper/lesda
    mount /dev/mapper/lesda /media/michael/hdsda

- Check/Add sdX to auto-mount
    # ll /dev/disk/by-uuid/
    {snip}
    lrwxrwxrwx 1 root root 9 Nov 3 09:21 {huge UUID number} -> ../../sda

- ADD to /etc/crypttab
    lesda /dev/disk/by-uuid/{huge UUID number} /root/.luks/keyfile.sda luks,nofail

- ADD to /etc/fstab
    /dev/mapper/lesda /media/michael/hdsda ext4 defaults,noatime,nofail 1 2

- You can also Mount and UnMount as normal
    mount /dev/mapper/lesda /media/michael/hdsda
    umount /dev/mapper/lesda

# # #

I think that’s about it.

Best,
Michael

Commands:
## cryptsetup luksFormat
## cryptsetup luksDump
## cryptsetup luksOpen c1
## mkfs.ext4 /dev/mapper/vg_backup-backup
## {mount}
## cryptsetup luksAddKey /dev/sdb1 -S 5

Refs:
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
    2.1 LUKS Container Setup mini-HOWTO
    2.19 How can I wipe a device with crypto-grade randomness?
https://lobotuerto.com/blog/how-to-setup-full-disk-encryption-on-a-secondary-hdd-in-linux/
https://www.erianna.com/adding-an-secondary-encrypted-drive-with-lvm-to-ubuntu-linux/
https://askubuntu.com/questions/918021/encrypted-custom-install
https://eve.gd/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase/
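
A pre-reboot lint for the crypttab/fstab pair and keyfile described in the message above, added here as an example and not part of Michael's notes. The function names and the sample UUID are made up; the owner-only permission check and the trailing line feed check (meant for passphrase files) are this example's own assumptions.

```shell
#!/bin/sh
# Lint one LUKS mapping before rebooting. Paths are arguments, so run it on copies.

ct_field() {  # ct_field CRYPTTAB NAME FIELDNO -> that field of NAME's entry
    awk -v n="$2" -v f="$3" '$1 == n { print $f; exit }' "$1"
}

has_opt() {  # has_opt OPTLIST OPT -> true if OPT is in the comma-separated list
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

check_mapping() {  # check_mapping CRYPTTAB FSTAB NAME -> 0 if the pair is consistent
    src=$(ct_field "$1" "$3" 2); key=$(ct_field "$1" "$3" 3); bad=0
    [ -n "$src" ] || { echo "no crypttab entry for $3"; return 1; }
    case $src in
        UUID=*|/dev/disk/by-uuid/*) ;;   # stable across reboots
        *) echo "crypttab source $src is not UUID-based (sdX names can move)"; bad=1 ;;
    esac
    case $key in /*) ;; *) echo "keyfile '$key' is not an absolute path"; bad=1 ;; esac
    has_opt "$(ct_field "$1" "$3" 4)" nofail || { echo "crypttab: no nofail"; bad=1; }
    fopts=$(awk -v d="/dev/mapper/$3" '$1 == d { print $4; exit }' "$2")
    [ -n "$fopts" ] || { echo "fstab has no /dev/mapper/$3 line"; return 1; }
    has_opt "$fopts" nofail || { echo "fstab: no nofail"; bad=1; }
    return $bad
}

check_keyfile() {  # check_keyfile FILE -> 0 if owner-only and last byte is not LF
    [ -f "$1" ] || { echo "$1: not a regular file"; return 1; }
    kbad=0
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "$1: accessible by group/other"; kbad=1; }
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" != "0a" ] ||
        { echo "$1: ends with a line feed"; kbad=1; }
    return $kbad
}

# Constructed sample input (the UUID is made up), mirroring the entries above.
demo=$(mktemp -d)
echo "lesda /dev/disk/by-uuid/0f3c2a1e-1111-2222-3333-444455556666 /root/.luks/keyfile.sda luks,nofail" > "$demo/crypttab"
echo "/dev/mapper/lesda /media/michael/hdsda ext4 defaults,noatime,nofail 1 2" > "$demo/fstab"
printf 'passphrase' > "$demo/keyfile.sda"; chmod 600 "$demo/keyfile.sda"
check_mapping "$demo/crypttab" "$demo/fstab" lesda && echo "mapping OK"
check_keyfile "$demo/keyfile.sda" && echo "keyfile OK"
```
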