computing:encryption

  • encryption
  • Jonathan Haack
  • Haack's Networking
  • netcmnd@jonathanhaack.com

Creating an encrypted partition for your workstation using cryptsetup. Replace /dev/sdaX with the target partition; luksFormat destroys any data already on it.

sudo apt-get install cryptsetup libpam-mount
sudo cryptsetup luksFormat /dev/sdaX
sudo cryptsetup luksOpen /dev/sdaX vault
sudo mkfs.xfs -L vault /dev/mapper/vault

To manually mount the vault, you can perform:

sudo mkdir -p /mnt/vault
sudo mount /dev/mapper/vault /mnt/vault

After you reboot, the crypt will no longer be open, so you will need to open it before mounting:

sudo cryptsetup luksOpen /dev/sdaX vault
sudo mount /dev/mapper/vault /mnt/vault

Okay, so if mounting manually proves to be too tedious, here is how you can mount at boot. First, create a keyfile that can be used to unlock the crypt (only store this on an encrypted drive). The directory is created so that only root can enter it:

sudo mkdir -p -m 0700 /etc/lukskeys
sudo dd if=/dev/urandom of=/etc/lukskeys/vaultkey bs=512 count=8

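Add the keyfile to the crypt so that it can be used to open it (the remaining examples use /dev/sdb1 as the encrypted partition). cryptsetup will ask for an existing passphrase before adding the new key: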

sudo cryptsetup -v luksAddKey /dev/sdb1 /etc/lukskeys/vaultkey

Now we need the partition's UUID to use in crypttab, because it is more reliable than the device name, which can change between boots. Get it as follows:

sudo cryptsetup luksDump /dev/sdb1 | grep "UUID"

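Open crypttab and add an entry like the one below, replacing the UUID with the value reported by luksDump and adjusting the name and keyfile path as necessary. The fields are the mapping name, the source device, the keyfile, and the options.

sudo nano /etc/crypttab
sdb1_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /etc/lukskeys/vaultkey luks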

Now that crypttab is set up, you can open the crypt as follows:

sudo cryptdisks_start sdb1_crypt

Since this only opens the crypt and does not mount it, you will also need to add an entry to fstab similar to the one below. The mount point (/media/vault here) must already exist.

sudo nano /etc/fstab
/dev/mapper/sdb1_crypt /media/vault     xfs    defaults      0     2

Okay, reboot and test. If it fails, boot into recovery mode and comment out the fstab entry until you get everything set up properly.
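
The keyfile setup above, as an added check that is not part of the original page: a POSIX shell function that reads a crypttab file and reports entries whose source is not a UUID= reference, whose keyfile is missing, or whose keyfile is accessible to group or others. The function name audit_crypttab and the sample entries are constructed for illustration; it assumes GNU stat, as on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original page): audit keyfile entries in crypttab.
# Prints one finding per line; returns 0 when clean, 1 on findings, 2 if unreadable.
# Assumes GNU stat (Debian/Ubuntu). Run as root against the real /etc/crypttab.
audit_crypttab() {
    tab="${1:-/etc/crypttab}"
    rc=0
    [ -r "$tab" ] || { echo "cannot read $tab"; return 2; }
    # "|| [ -n "$name" ]" keeps a final line that lacks a trailing newline.
    while read -r name src key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac      # blank line or comment
        # The page recommends UUID= because device names can change.
        if ! printf '%s\n' "$src" | grep -Eq \
            '^UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
            echo "$name: source '$src' is not a well-formed UUID= reference"
            rc=1
        fi
        case "$key" in ''|none|-) continue ;; esac     # passphrase prompt, no file
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key not found"
            rc=1
            continue
        fi
        # Any group/other permission bit exposes the key to local users.
        mode=$(stat -c %a "$key")
        case "$mode" in
            0|*00) ;;
            *) echo "$name: keyfile $key has mode $mode, expected 400 or 600"; rc=1 ;;
        esac
    done < "$tab"
    return "$rc"
}

# Constructed demo: a world-readable keyfile and an entry that uses a device name.
demo=$(mktemp -d)
printf 'secret' > "$demo/vaultkey"; chmod 644 "$demo/vaultkey"
cat > "$demo/crypttab" <<EOF
sdb1_crypt UUID=0a1b2c3d-1111-2222-3333-444455556666 $demo/vaultkey luks
other_crypt /dev/sdb2 none luks
EOF
audit_crypttab "$demo/crypttab" || echo "findings listed above"
rm -rf "$demo"
```
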

oemb1905 2019/07/20 06:49

computing/encryption.txt · Last modified: 2020/07/24 11:53 by oemb1905