Differences

This shows you the differences between two versions of the page.

--- computing:encryption [2024/01/29 18:01] – oemb1905
+++ computing:encryption [2025/03/09 18:11] (current) – oemb1905
@@ Line 7: / Line 7: @@
 -------------------------------------------
-Creating a encrypted partition for your workstation using cryptsetup.
+To use pam_mount to mount a LUKS crypt and map it to your home partition. Note: make sure the crypt password matches your user login password.
+  sudo apt-get install cryptsetup libpam-mount rsync
+  rsync -av /home /backup
+  umount /home/
+  cryptsetup luksFormat /dev/sdaX
+  cryptsetup luksOpen /dev/sdaX home
+  mkfs.xfs -L home /dev/mapper/home
+  mount /dev/mapper/home /home/
+  rsync -av /backup/home/ /home
+  sudo nano /etc/security/pam_mount.conf.xml
+  <volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/>
+To use pam_mount to mount a LUKS crypt to a non-home directory partition, then adjust as follows:
-  sudo apt-get install cryptsetup libpam-mount
   cryptsetup luksFormat /dev/sdaX
   cryptsetup luksOpen /dev/sdaX vault
   mkfs.xfs -L vault /dev/mapper/vault
+  mkdir /mnt/vault
+  mount /dev/mapper/vault /mnt/vault
+  sudo nano /etc/security/pam_mount.conf.xml
+  <volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/mnt/vault" options="noatime,exec,fsck,nodev,nosuid"/>
-To manually mount the vault, you can perform:
+You may optionally mount the LUKS crypt manually as well. To do so, create a mount point, and then map the LUKS partion to your mount point.
   mkdir /mnt/vault
   mount /dev/mapper/vault /mnt/vault
-After you reboot, the crypt will no longer be open, so you will need to open it first before mounting
+After you reboot, the crypt will no longer be open, but your mount point will still be there, so you just need to open the LUKS crypt and then map the LUKS partition to your mount point again as follows:
   cryptsetup luksOpen /dev/sdaX vault
   mount /dev/mapper/vault /mnt/vault
-Okay, so if mounting manually proves to be too tedious, here is how you can mount at boot.  First, create a keyfile that you can use to unlock the crypt (only store this on an encrypted drive):
+Users might also to prefer to use crypttab and fstab to handle the mounting and mapping. To do so, let's create a keyfile in a secure location that you can use to unlock the crypt.
-  sudo dd if=/dev/urandom of=/etc/lukskeys/vaultkey bs=512 count=8
+  sudo dd if=/dev/urandom of=/path/to/secure/location/vaultkey bs=512 count=8
-Add the keyfile to the crypt so that it can be used to open the crypt:
+Add the keyfile to the LUKS crypt so that it can be used to open the crypt:
-  sudo cryptsetup -v luksAddKey /dev/sdb1 /etc/lukskeys/vaultkey
+  sudo cryptsetup -v luksAddKey /dev/sdaX /path/to/secure/location/vaultkey
-Now, we need to get the partition's block identifier, to use in crypttab and fstab because it is more reliable than the name.  Do this as follows:
+After adding the key to the crypt, let's now grab the UUID of the crypt.
-  sudo cryptsetup luksDump /dev/sdb1 | grep "UUID"
+  sudo cryptsetup luksDump /dev/sdaX | grep "UUID"
-Open crypttab up, and add the example below, adjusting as necessary.
+Now that we have the UUID of the crypt, we can add a reliable crypttab entry for the crypt.
   sudo nano /etc/crypttab
-  <sdb1_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /etc/lukskeys/vaultkey luks>
+  <sdaX_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /etc/lukskeys/vaultkey luks>
-Now that crypttab is setup, this means you you can open the crypt as follows:
+Now that crypttab is setup, this means you you can open the crypt as follows.
-  sudo cryptdisks_start sdb1_crypt
+  sudo cryptdisks_start sdaX_crypt
-But, since this only opens it and does not mount it, you will need to add an entry to fstab similar to the one provided below:
+If you want, however, the crypt to mount on its own, then add an entry to fstab as well.
   sudo nano /etc/fstab
-  </dev/mapper/sdb1_crypt /media/vault     xfs    defaults      0     2>
+  </dev/mapper/sdaX_crypt /media/vault     xfs    defaults      0     2>
-Alternately, you may want to let pam_mount manage the crypt mounting and/or map the crypt to your home partition. If you do this, make sure the crypt password matches your user login password.
+Okay, your LUKS crypt should now be open and mapped to your mount point at boot. Since Debian 12, there's an error that states "HXproc_run_async: pmvarrun: No such file or directory." This is caused by regular users' shell not having /usr/sbin in their path. To fix this, specify the path in the config. I specified mine underneath ''<mntoptions require="nosuid,nodev" />'':
-  rsync -av /home /backup
-  umount /home/
-  cryptsetup luksFormat /dev/sdaX
-  cryptsetup luksOpen /dev/sdaX home
-  mkfs.xfs -L home /dev/mapper/home
-  mount /dev/mapper/home /home/
-  rsync -av /backup/home/ /home
-  sudo nano /etc/security/pam_mount.conf.xml
-  <volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/>
-Remove the error "HXproc_run_async: pmvarrun: No such file or directory" by declaring /usr/sbin path for regular users.
   sudo nano /etc/security/pam_mount.conf.xml
   <pmvarrun>/usr/sbin/pmvarrun -u %(USER)</pmvarrun>
+ --- //[[jonathan@haacksnetworking.org|oemb1905]] 2024/01/29 18:01//
- --- //[[jonathan@haacksnetworking.org|oemb1905]] 2024/01/29 17:55//

Haack's Wiki

User Tools

Site Tools

Differences

Page Tools