A Linux Playground

My doodles and what I get up to.

Setup Automatic Mounting of Encrypted Luks Partitions

Why have an encrypted partition

It is a modern-day habit to run much of your life through a computer. This means online banking, social media, personal photos, etc. Much of this leaves data stored on the hard drive of the machine you have used, accessible to anyone with a little computer know-how. In the wrong hands this can be very valuable information.

Unfortunately modern operating systems do not encrypt data by default. The password login screen is just that: a login screen to a running computer. It lulls people into thinking their data is safe behind their password. This is a false sense of security, however, as the data can be accessed using a simple Linux live disk.

The solution to this is to encrypt your hard drive. With Debian and clones this is very simply done when setting up the computer.

Automatic Mounting

Mounting an encrypted partition automatically can be very useful when you need to mount many different encrypted drives but only want to enter one pass-phrase.

The first step in doing this is to create a random keyfile to be used as the decryption key. This can then be stored securely on one encrypted drive that the user enters the pass-phrase for at boot, and it decrypts the other drives. An important security step is to ensure only root can read the file. This prevents mistaken changes to the file.

sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
sudo chmod 0400 /root/keyfile

The next step is to add the keyfile to the LUKS container. This will require a current pass-phrase or keyfile for the container. Once successful it will return ‘OK.’

sudo cryptsetup luksAddKey /dev/sdX /root/keyfile

The next step is to automatically mount the encrypted drive. This has two parts. The first sets up the drive to be automatically decrypted and mapped to a device mapper. The second is an addition to fstab that mounts the mapper to a file system mount point. Edit the file /etc/crypttab and add a new entry like the following:

{Name of mapper} {disk/block device mapper} {none for pass-phrase or keyfile location} {container type - generally luks}

storage    /dev/md0  /root/keyfile  luks

Lastly, add a new line to /etc/fstab that will mount the created mapper.

/dev/mapper/<mappername> <mountlocation>  <file system type - ext4> defaults 0  0

This will automatically mount the RAID device. Note that the encryption of the system is only as secure as the keyfile is hard for other people to access. I recommend using a Linux system with an encrypted OS disk which requires a pass-phrase so that the keyfile is never stored in plain text.
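
Since everything above depends on who can reach the keyfile, here is an added example (not part of the original post) that reads a crypttab file and reports keyfiles that are missing, open to group/other, writable, or not owned by root. The function names, the demo entries and the reliance on GNU stat are assumptions of this example.

```sh
#!/bin/sh
# Added example: check every keyfile named in a crypttab file.
# audit_crypttab [crypttab] [owner-uid]  -> prints problems, returns 1 if any.
audit_crypttab() {
    tab=${1:-/etc/crypttab}
    want_uid=${2:-0}                     # keyfiles should belong to root
    bad=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac          # blank line or comment
        case $key in ''|none|-|/dev/*) continue ;; esac  # no keyfile on disk
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key not found"; bad=1; continue
        fi
        mode=$(stat -c %a "$key")        # GNU stat: octal mode such as 400
        uid=$(stat -c %u "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$name: $key mode $mode lets group/other access it"; bad=1
        fi
        if [ $(( 0$mode & 0200 )) -ne 0 ]; then
            echo "$name: $key mode $mode is writable, expected 0400"; bad=1
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "$name: $key owned by uid $uid, expected $want_uid"; bad=1
        fi
    done < "$tab"
    return "$bad"
}

# Constructed sample (temporary files only) so the check can be tried safely.
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/good.key" bs=1024 count=4 2>/dev/null
    dd if=/dev/urandom of="$d/weak.key" bs=1024 count=4 2>/dev/null
    chmod 0400 "$d/good.key"; chmod 0644 "$d/weak.key"
    printf '%s\n' "# name device keyfile type" \
        "storage /dev/md0 $d/good.key luks" \
        "backup /dev/sdX $d/weak.key luks" \
        "home /dev/sdY none luks" > "$d/crypttab"
    audit_crypttab "$d/crypttab" "$(id -u)" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Run audit_crypttab with no arguments as root to check the real /etc/crypttab, or call demo to see the output for the constructed entries.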