computing:encryption

  • encryption
  • Jonathan Haack
  • Haack's Networking
  • netcmnd@jonathanhaack.com

To use pam_mount to mount a LUKS crypt and map it to your home partition, proceed as follows. Note: the crypt's passphrase must match your user login password, because pam_mount unlocks the volume with the password you type at login.

sudo apt-get install cryptsetup libpam-mount rsync
rsync -av /home /backup
umount /home/
cryptsetup luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX home
mkfs.xfs -L home /dev/mapper/home
mount /dev/mapper/home /home/
rsync -av /backup/home/ /home
sudo nano /etc/security/pam_mount.conf.xml
<volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/>

To use pam_mount to mount a LUKS crypt at a directory other than home, adjust the steps as follows:

cryptsetup luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX vault
mkfs.xfs -L vault /dev/mapper/vault
mkdir /mnt/vault
mount /dev/mapper/vault /mnt/vault
sudo nano /etc/security/pam_mount.conf.xml
<volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/mnt/vault" options="noatime,exec,fsck,nodev,nosuid"/>
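Both pam_mount setups above leave the path UUID as a placeholder (21sdsd). The following shell script is an added example, not part of the original page: it looks up the real LUKS header UUID of a device with blkid (from util-linux, assumed installed) and prints the matching <volume> element with the page's own options, refusing to emit one when the UUID is malformed or the mount point is not absolute. The function names, the sample username and the sample UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: derive the pam_mount <volume>
# element from a device's real LUKS UUID instead of a placeholder such as
# 21sdsd. Assumes Linux with blkid from util-linux; the function names, the
# username and the UUID in the usage comment are constructed.

# 0 if $1 is a canonical 8-4-4-4-12 lowercase hex UUID as blkid prints it.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the <volume .../> line for /etc/security/pam_mount.conf.xml with the
# same options as the page. A malformed UUID or a relative mount point is
# rejected so a typo cannot produce a path that silently never resolves at login.
pam_mount_volume() {
    user=$1; uuid=$2; mountpoint=$3
    valid_uuid "$uuid" || { echo "pam_mount_volume: bad UUID '$uuid'" >&2; return 1; }
    case "$mountpoint" in
        /*) ;;
        *) echo "pam_mount_volume: mount point must be absolute" >&2; return 1 ;;
    esac
    printf '<volume user="%s" fstype="crypt" path="/dev/disk/by-uuid/%s" mountpoint="%s" options="noatime,exec,fsck,nodev,nosuid"/>\n' \
        "$user" "$uuid" "$mountpoint"
}

# LUKS header UUID of a block device; this is the same value that
# "cryptsetup luksDump" reports, and reading it needs root for most devices.
device_uuid() {
    blkid -s UUID -o value "$1"
}

# Usage (as root): sh thisfile.sh username /dev/sdaX /mnt/vault
# which prints a line of the form
# <volume user="username" fstype="crypt" path="/dev/disk/by-uuid/<real uuid>" .../>
if [ "$#" -eq 3 ]; then
    uuid=$(device_uuid "$2") || exit 1
    pam_mount_volume "$1" "$uuid" "$3"
fi
```

The printed line still has to be placed inside the `<pam_mount>` root element of pam_mount.conf.xml by hand; the script only guarantees that the UUID it embeds is one blkid actually reported for the device.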

You may also mount the LUKS crypt manually. To do so, create a mount point, then map the opened LUKS partition to it:

mkdir /mnt/vault
mount /dev/mapper/vault /mnt/vault

After you reboot, the crypt will no longer be open, but your mount point will still be there, so you just need to open the LUKS crypt and then map the LUKS partition to your mount point again as follows:

cryptsetup luksOpen /dev/sdaX vault
mount /dev/mapper/vault /mnt/vault 

Users might also prefer to use crypttab and fstab to handle the mapping and mounting. To do so, first create a keyfile in a secure location that can be used to unlock the crypt:

sudo dd if=/dev/urandom of=/path/to/secure/location/vaultkey bs=512 count=8

Add the keyfile to the LUKS crypt so that it can be used to open the crypt:

sudo cryptsetup -v luksAddKey /dev/sdaX /path/to/secure/location/vaultkey

After adding the key to the crypt, let's now grab the UUID of the crypt.

sudo cryptsetup luksDump /dev/sdaX | grep "UUID"

Now that we have the UUID of the crypt, we can add a reliable crypttab entry for it; the third field is the keyfile created above:

sudo nano /etc/crypttab
<sdaX_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /etc/lukskeys/vaultkey luks>

Now that crypttab is set up, you can open the crypt as follows:

sudo cryptdisks_start sdaX_crypt

If, however, you want the crypt to mount on its own at boot, add an entry to fstab as well:

sudo nano /etc/fstab
</dev/mapper/sdaX_crypt /media/vault     xfs    defaults      0     2>
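The crypttab and fstab steps above only work at boot if three things agree: the keyfile path in crypttab is the file you generated, the device in fstab is /dev/mapper/ followed by the crypttab target name, and the fstab mount point exists (note the page's entries use /mnt/vault in one place and /media/vault in another). This added shell script, not from the original page, creates the keyfile with root-only permissions and cross-checks crypttab against fstab before the next reboot. File paths are parameters so the check can be run against copies; the function names and the entries in the usage comments are constructed, and on a real system it is run as root against /etc/crypttab and /etc/fstab.

```shell
#!/bin/sh
# Added example, not part of the original page: create the LUKS keyfile with
# root-only permissions and cross-check crypttab against fstab so the mapper
# name, keyfile and mount point agree before the next reboot. File paths are
# parameters so the check also runs against constructed copies of the files.

# Create a 4096-byte random keyfile (same size as the page's dd command).
# The umask in the subshell closes the window between dd creating the file
# and chmod tightening it, so the key is never briefly world-readable.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null ) || return 1
    chmod 0400 "$1"
}

# Octal mode of a file: GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the keyfile exists, is exactly 4096 bytes and has no group/other bits.
keyfile_is_secure() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1")" -eq 4096 ] || return 1
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Cross-check a crypttab file against an fstab file. Prints one problem per
# line and returns the number of problems, so 0 means the files agree.
# crypttab fields: target source keyfile options
# fstab fields:    device mountpoint fstype options dump pass
check_crypttab_fstab() {
    crypttab=$1; fstab=$2; problems=0
    while read -r target src keyfile _options; do
        case "$target" in ''|'#'*) continue ;; esac
        case "$src" in
            UUID=*)
                uuid=${src#UUID=}
                printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
                    || { echo "$target: malformed UUID '$uuid'"; problems=$((problems + 1)); } ;;
        esac
        if [ "$keyfile" != "none" ] && [ "$keyfile" != "-" ]; then
            keyfile_is_secure "$keyfile" \
                || { echo "$target: keyfile $keyfile missing, wrong size or too permissive"; problems=$((problems + 1)); }
        fi
        # fstab must name the mapper device crypttab creates, or nothing mounts at boot
        grep -Eq "^[[:space:]]*/dev/mapper/$target[[:space:]]" "$fstab" \
            || { echo "$target: no fstab entry for /dev/mapper/$target"; problems=$((problems + 1)); }
    done < "$crypttab"
    # every /dev/mapper mount point named in fstab has to exist as a directory
    while read -r device mountpoint _rest; do
        case "$device" in
            /dev/mapper/*)
                [ -d "$mountpoint" ] \
                    || { echo "$device: mount point $mountpoint does not exist"; problems=$((problems + 1)); } ;;
        esac
    done < "$fstab"
    return "$problems"
}

# Usage on a real system (as root):
#   make_keyfile /etc/lukskeys/vaultkey
#   check_crypttab_fstab /etc/crypttab /etc/fstab && echo "crypttab and fstab agree"
```

A non-zero return lists each mismatch, so the check can be run from a pre-reboot script or a configuration-management handler; the keyfile permission check is the one the page's "secure location" wording implies but does not spell out.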

Okay, your LUKS crypt should now be opened and mapped to your mount point at boot. Since Debian 12, pam_mount logs the error “HXproc_run_async: pmvarrun: No such file or directory.” This happens because regular users' shells do not have /usr/sbin in their PATH, so pam_mount cannot find pmvarrun. To fix this, give it the full path in your config:

sudo nano /etc/security/pam_mount.conf.xml
<pmvarrun>/usr/sbin/pmvarrun -u %(USER)</pmvarrun>

oemb1905 2024/01/29 18:01

computing/encryption.txt · Last modified: 2024/01/29 18:20 by oemb1905