#freesoftware #debian #encryption #luks
This tutorial is designed to help folks set up an encrypted partition on Debian GNU/Linux and, optionally, to mount that crypt at the time of boot. I am copying and pasting the tutorial below as of today’s date, but as always, please note that these are entries that I live update on Haack’s Wiki.
Creating an encrypted partition for your workstation using cryptsetup:
cryptsetup luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX vault
mkfs.xfs -L vault /dev/mapper/vault
To manually mount the vault, you can perform:
mkdir /mnt/vault
mount /dev/mapper/vault /mnt/vault
After you reboot, the crypt will no longer be open, so you will need to open it first before mounting:
cryptsetup luksOpen /dev/sdaX vault
mount /dev/mapper/vault /mnt/vault
Okay, so if mounting manually proves to be too tedious, here is how you can mount at boot. First, create a keyfile that you can use to unlock the crypt (only store this on an encrypted drive):
sudo dd if=/dev/urandom of=/etc/lukskeys/vaultkey bs=512 count=8
Add the keyfile to the crypt so that it can be used to open the crypt:
sudo cryptsetup -v luksAddKey /dev/sdb1 /etc/lukskeys/vaultkey
Now, we need to get the partition’s block identifier, to use in crypttab and fstab because it is more reliable than the name. Do this as follows:
sudo cryptsetup luksDump /dev/sdb1 | grep "UUID"
Open crypttab up, and add the example below, adjusting as necessary.
sudo nano /etc/crypttab
sdb1_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /etc/lukskeys/vaultkey luks
Now that crypttab is set up, you can open the crypt as follows:
sudo cryptdisks_start sdb1_crypt
But, since this only opens it and does not mount it, you will need to add an entry to fstab similar to the one provided below:
sudo nano /etc/fstab
/dev/mapper/sdb1_crypt /media/vault xfs defaults 0 2
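
Before rebooting, the crypttab entry, the fstab entry and the keyfile can be checked together. The script below is an added example, not part of the original tutorial: the script name check_crypt.sh and its function names are made up here, and it assumes the keyfile should carry no group or other permission bits (dd creates it with the default umask, which is usually world-readable).

```shell
#!/bin/sh
# Added example (not from the tutorial): pre-reboot check of the boot-time unlock setup.
# Usage: sudo sh check_crypt.sh NAME [CRYPTTAB] [FSTAB]   e.g. sudo sh check_crypt.sh sdb1_crypt

# True only if $1 is a regular file with no group/other permission bits set.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other part of e.g. -r--------
    [ "$perms" = "------" ]
}

check_crypt_boot() {
    name=$1
    crypttab=${2:-/etc/crypttab}
    fstab=${3:-/etc/fstab}

    # crypttab fields: <target name> <source device> <key file> <options>
    entry=$(awk -v n="$name" '$1 == n { print; exit }' "$crypttab")
    [ -n "$entry" ] || { echo "FAIL: no active crypttab entry for $name"; return 1; }
    set -- $entry
    src=$2 key=$3 opts=$4

    case "$src" in
        UUID=*) ;;
        *) echo "FAIL: source '$src' is a device name, not UUID=..."; return 1 ;;
    esac
    if [ -z "$key" ] || [ "$key" = none ]; then
        echo "FAIL: no keyfile configured, boot would wait for a passphrase"; return 1
    fi
    keyfile_is_private "$key" || {
        echo "FAIL: $key is missing or readable by group/other (chmod 0400 it)"; return 1; }
    case ",$opts," in
        *,luks,*) ;;
        *) echo "FAIL: options '$opts' do not include luks"; return 1 ;;
    esac

    # fstab must mount the mapped device, not the raw partition.
    awk -v d="/dev/mapper/$name" '$1 == d { ok = 1 } END { exit !ok }' "$fstab" || {
        echo "FAIL: no active fstab entry for /dev/mapper/$name"; return 1; }
    echo "OK: $name"
}

if [ "$#" -gt 0 ]; then check_crypt_boot "$@"; fi
```

A commented-out line counts as missing, so the script also reports when an fstab entry disabled from recovery mode has not been re-enabled.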
Okay, reboot and test. If it fails, boot into recovery mode and comment out the fstab entry until you get everything set up properly. Happy haacking …