FjellOverflow The tutorial assumes you already have a LUKS-encrypted partition ready. If not, create one.
Recently, I faced a situation where connecting an encrypted partition to my home server became a challenge. Since the server occasionally reboots on its own, being physically present to decrypt and mount the drive isn’t always possible. I needed an automated solution, which turned out to be quite straightforward.
Prerequisite
As we make use of cryptsetup, we need to install it first.
# on Debian-based distributions
sudo apt install cryptsetup
# for other distributions, check documentation
To move forward, we require certain fixed values: $KEY_PATH, $DEVICE_UUID, $DEVICE_NAME, and $MOUNTPOINT. You can either manually input these or set them in your shell. The commands I provide will use these variables as they are.
# choose the path for your (new) decryption key
KEY_PATH="~/my_secret.key"
# the UUID of the encrypted device
# can use "lsblk -o NAME,SIZE,UUID" to find UUID
DEVICE_UUID="8709bcb3-b3cc-4469-bb1a-aedc2d66d33b"
# choose a name for the mapped device
DEVICE_NAME="encrypted-drive"
# choose a mountpoint for the decrypted partition
MOUNTPOINT="/encrypted"
Creating a decryption key
As we cannot enter the decryption password on site and also do not want to store a (cleartext) password on the machine, we will create a key.
dd if=/dev/urandom of="$KEY_PATH" bs=1024 count=4
chmod 400 "$KEY_PATH"
Note that you have the flexibility to create any key according to your preference, allowing for stronger security measures.
Adding the key to the encrypted partition
Add the newly generated key to the LUKS-encrypted partition.
sudo cryptsetup luksAddKey UUID="$DEVICE_UUID" "$KEY_PATH"
During the process, cryptsetup will prompt for any existing passphrases that decrypt the partition. Upon successful entry, the new key becomes operational for decrypting the device. We can verify this as follows:
# decrypt the device with the new key
sudo cryptsetup luksOpen UUID="$DEVICE_UUID" "$DEVICE_NAME" --key-file "$KEY_PATH"
# mount the decrypted device
sudo mount "$DEVICE_NAME" "$MOUNTPOINT"
Decrypt at boot
To automate the process just performed manually, add an entry to /etc/crypttab specifying the device name and key-file for the given UUID. This replicates the manual setup from the previous step, but during boot.
echo $DEVICE_NAME UUID=$DEVICE_UUID $KEY_PATH luks | sudo tee -a /etc/crypttab
This ensures the device is decrypted and mapped to the designated name automatically at boot, utilizing the provided key.
Automount decrypted partition
To enable automounting of the decrypted partition, add a new entry to /etc/fstab. Customize the options based on your preferences.
echo /dev/mapper/$DEVICE_NAME $MOUNTPOINT ext4 defaults 0 2 | sudo tee -a /etc/fstab
Upon boot, the encrypted and mapped partition will be automatically mounted at the specified location. Your setup is now complete!
A note on security
Having an encryption key stored on the device could potentially render the encryption ineffective; an attacker might simply extract the key from your device and employ it to decrypt the encrypted partition. The solution to this issue (or rather the only scenario where this configuration is reasonable) involves encrypting the device or partition where the key is located, which circles us back to the initial problem of my home server rebooting and demanding a user input password. However, in my specific use case, the necessity for an encrypted partition isn’t absolute; rather, encryption happens to be enabled, and removing it is a complex and time-consuming task. Instead of eliminating the encryption, I have chosen the aforementioned approach. This approach also grants me the option to delete the key or remove it from the encrypted partition to restore the security that LUKS provides for my drive.