@mark Sorry for the late response and thanks for describing your use case. It’s an interesting and logical one, to be sure.
I think it would be completely possible to have Zymkey manage LUKS keys for two separate volumes. The basic flow would go something like this:
- Kernel boots with initramfs
- initramfs mounts and hands over to encrypted rootfs
- /etc/fstab and /etc/crypttab describe other encrypted volumes. The rootfs key could be used or unique keys could be generated for each separate volume.
I would start with encrypting the rootfs with either the SD card conversion or the external USB migration script. Once you have that set up and booting, you could encrypt your secondary external drive, referring to the external USB script as a guideline. Soft links could then be set up in the encrypted rootfs environment to point to the important files or directories that live on the secondary drive.
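The secondary-volume step described in the post above, as an added example that is not part of the original post and is not Zymbit's script. It assumes the rootfs is already encrypted and booting, keeps the second volume's unique key as a plain file on that rootfs (the Zymkey locking of key material done by the Zymbit scripts is not reproduced here), and uses hypothetical names for the device, mapper name, mount point and key path.

```shell
#!/bin/sh
# Added example: wire a second LUKS volume into /etc/crypttab and /etc/fstab.
# Assumptions: the key file sits on the already-encrypted rootfs; the device,
# mapper name, mount point and key path below are hypothetical.

crypttab_line() { # args: name uuid keyfile
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

fstab_line() { # args: name mountpoint; nofail lets boot continue if the drive is absent
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

# Append a line to a table unless an entry with the same first field exists.
add_entry() { # args: file line
    key=${2%% *}
    if [ -f "$1" ] && awk -v k="$key" '$1 == k { f = 1 } END { exit !f }' "$1"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

setup_secondary() { # args: device name mountpoint keyfile
    set -eu
    dev=$1 name=$2 mnt=$3 keyfile=$4
    (umask 077; head -c 64 /dev/urandom > "$keyfile")   # unique key, readable by root only
    cryptsetup luksFormat --batch-mode --key-file "$keyfile" "$dev"  # erases $dev
    cryptsetup open --key-file "$keyfile" "$dev" "$name"
    mkfs.ext4 "/dev/mapper/$name"
    uuid=$(cryptsetup luksUUID "$dev")
    mkdir -p "$mnt"
    add_entry /etc/crypttab "$(crypttab_line "$name" "$uuid" "$keyfile")"
    add_entry /etc/fstab "$(fstab_line "$name" "$mnt")"
    mount "$mnt"
}

# Runs only when given four arguments, as root, for example:
#   sh secondary.sh /dev/sdX1 cryptdata /mnt/data /root/keys/cryptdata.key
# Afterwards, soft links on the rootfs can point into the volume, for example:
#   ln -s /mnt/data/projects /home/pi/projects
if [ "$#" -eq 4 ]; then setup_secondary "$@"; fi
```

Back up the LUKS header and the key file before relying on the volume; losing the rootfs also loses the only copy of this key.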