Encryption Basics

#debian #encryption #luks This tutorial is designed to help folks set up an encrypted partition on Debian GNU/Linux and, optionally, to mount that crypt at the time of boot. I am copying and pasting the tutorial below as of today’s date, but as always, please note that these are entries that I live update on Haack’s Wiki.

Creating a encrypted partition for your workstation using cryptsetup.
cryptsetup luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX vault
mkfs.xfs -L vault /dev/mapper/vault

To manually mount the vault, you can perform:

mkdir /mnt/vault
mount /dev/mapper/vault /mnt/vault

After you reboot, the crypt will no longer be open, so you will need to open it first before mounting

cryptsetup luksOpen /dev/sdaX vault
mount /dev/mapper/vault /mnt/vault

Okay, so if mounting manually proves to be too tedious, here is how you can mount at boot. First, create a keyfile that you can use to unlock the crypt (only store this on an encrypted drive):

sudo dd if=/dev/urandom of=/etc/lukskeys/vaultkey bs=512 count=8

Add the keyfile to the crypt so that it can be used to open the crypt:

sudo cryptsetup -v luksAddKey /dev/sdb1 /etc/lukskeys/vaultkey

Now, we need to get the partition’s block identifier, to use in crypttab and fstab because it is more reliable than the name. Do this as follows:

sudo cryptsetup luksDump /dev/sdb1 | grep “UUID”

Open crypttab up, and add the example below, adjusting as necessary.

sudo nano /etc/crypttab
<sdb1_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /etc/lukskeys/vaultkey luks>

Now that crypttab is setup, this means you you can open the crypt as follows:

sudo cryptdisks_start sdb1_crypt

But, since this only opens it and does not mount it, you will need to add an entry to fstab similar to the one provided below:

sudo nano /etc/fstab
</dev/mapper/sdb1_crypt /media/vault xfs defaults 0 2>

Okay, reboot and test. If it fails, boot into recovery mode and comment out the fstab entry until you get everything set up properly. Happy haacking …

Leave a Reply

Your email address will not be published. Required fields are marked *

JavaScript licenses