computing:encryption

Differences

This shows you the differences between two versions of the page.

computing:encryption [2019/07/20 13:00] oemb1905
computing:encryption [2024/01/29 18:20] (current) oemb1905
-------------------------------------------
  * **encryption**
-------------------------------------------

To use pam_mount to open a LUKS crypt at login and mount it as your home partition, proceed as follows. pam_mount unlocks the volume with the password you type at login, so the LUKS passphrase must match your user login password (and be changed together with it). The luksFormat step wipes /dev/sdaX, so back up /home first and double-check the device name; the umount step only applies if /home is currently its own partition, and it must be run from a session that has no files open under /home (for example the root console). Run the cryptsetup, mkfs, mount and rsync steps as root.

  sudo apt-get install cryptsetup libpam-mount rsync
  rsync -av /home /backup
  umount /home/
  cryptsetup luksFormat /dev/sdaX
  cryptsetup luksOpen /dev/sdaX home
  mkfs.xfs -L home /dev/mapper/home
  mount /dev/mapper/home /home/
  rsync -av /backup/home/ /home
  sudo nano /etc/security/pam_mount.conf.xml
  <volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/>

The volume element goes inside the existing <pam_mount> ... </pam_mount> block; 21sdsd is a placeholder for the UUID of the LUKS header (the luksDump step further down shows how to read it), and username is the login that should trigger the mount. Check that pam_mount.so is listed in /etc/pam.d/common-auth and common-session, and keep a root console logged in while you test a fresh login as that user, since a mistake here leaves you with an empty /home.

To use pam_mount to mount a LUKS crypt on a directory other than /home, the procedure is the same apart from the mapping name and the mount point, which must exist before pam_mount tries to mount on it:

  cryptsetup luksFormat /dev/sdaX
  cryptsetup luksOpen /dev/sdaX vault
  mkfs.xfs -L vault /dev/mapper/vault
  mkdir /mnt/vault
  mount /dev/mapper/vault /mnt/vault
  sudo nano /etc/security/pam_mount.conf.xml
  <volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/mnt/vault" options="noatime,exec,fsck,nodev,nosuid"/>
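Both pam_mount procedures above end with a volume element that still carries the 21sdsd placeholder. The shell helpers below are an added example, not code from the original page: they read the real UUID with cryptsetup luksUUID (the same value that luksDump prints), refuse anything that is not a UUID, and insert the element before the closing </pam_mount> tag without duplicating an existing mount point. The helper names, the scratch config and the UUID in the demo are this example's own.

```shell
#!/bin/sh
# Added example, not code from the wiki page: build the pam_mount <volume>
# element from a real LUKS UUID instead of the "21sdsd" placeholder and insert
# it into pam_mount.conf.xml before the closing </pam_mount> tag.  The helper
# names (luks_uuid_of, is_uuid, pam_mount_volume, pam_mount_add_volume) are
# this example's own, not pam_mount's.

# UUID of the LUKS header on a block device; needs root.  Same value that
# "cryptsetup luksDump /dev/sdaX | grep UUID" prints.
luks_uuid_of() {
    cryptsetup luksUUID "$1"
}

# /dev/disk/by-uuid uses the lowercase 8-4-4-4-12 hex form (as blkid prints
# it); reject anything else so a placeholder never ends up in the config.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# One <volume> element.  Options are the ones used on the page: fsck before
# mounting, no device nodes, no setuid binaries from the volume.
pam_mount_volume() {
    user=$1; uuid=$2; mountpoint=$3
    is_uuid "$uuid" || { echo "pam_mount_volume: '$uuid' is not a LUKS UUID" >&2; return 1; }
    printf '<volume user="%s" fstype="crypt" path="/dev/disk/by-uuid/%s" mountpoint="%s" options="noatime,exec,fsck,nodev,nosuid" />\n' \
        "$user" "$uuid" "$mountpoint"
}

# Insert the element before </pam_mount> in CONF.  Refuses to add a second
# entry for the same mount point, so it is safe to re-run.
pam_mount_add_volume() {
    conf=$1; user=$2; uuid=$3; mountpoint=$4
    if grep -qF "mountpoint=\"$mountpoint\"" "$conf"; then
        echo "pam_mount_add_volume: $mountpoint is already configured in $conf" >&2
        return 1
    fi
    line=$(pam_mount_volume "$user" "$uuid" "$mountpoint") || return 1
    tmp=$(mktemp) || return 1
    awk -v line="$line" '
        /<\/pam_mount>/ && !seen { print line; seen = 1 }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed demo config (a stand-in for /etc/security/pam_mount.conf.xml)
# and a made-up UUID, so the helpers can be exercised without touching the
# real system.  On a real host, as root:
#   pam_mount_add_volume /etc/security/pam_mount.conf.xml username "$(luks_uuid_of /dev/sdaX)" /home
DEMO_CONF=$(mktemp)
printf '<?xml version="1.0" encoding="utf-8" ?>\n<pam_mount>\n<debug enable="0" />\n</pam_mount>\n' > "$DEMO_CONF"
pam_mount_add_volume "$DEMO_CONF" username 5a3d2f10-1b2c-4d5e-8f90-0a1b2c3d4e5f /mnt/vault
cat "$DEMO_CONF"
```

The awk step writes to a temporary file and only copies it over the config once the whole file has been rewritten, so an interrupted run cannot leave a truncated pam_mount.conf.xml behind (which would lock every pam_mount user out of their volumes at the next login).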
      
You may optionally mount the LUKS crypt by hand as well. To do so, create a mount point, then mount the mapped device (the /dev/mapper/vault node that luksOpen created) on it:
      
  mkdir /mnt/vault
  mount /dev/mapper/vault /mnt/vault
  
After you reboot, the crypt will no longer be open (there is no /dev/mapper/vault until something opens it), but your mount point directory will still be there, so you only need to open the LUKS crypt again and mount the mapped device:
  
  cryptsetup luksOpen /dev/sdaX vault
  mount /dev/mapper/vault /mnt/vault
  
Users might also prefer to let crypttab and fstab handle the opening and mounting at boot. To do so, first create a keyfile that can unlock the crypt. The keyfile stands in for the passphrase, so whoever can read it can open the vault: keep it owned by root with mode 0400, and only on a filesystem that is itself encrypted (an earlier version of this page put it as: only store this on an encrypted drive). A keyfile sitting on an unencrypted root filesystem makes the vault's encryption worthless against anyone who has the disk.
  
  sudo dd if=/dev/urandom of=/path/to/secure/location/vaultkey bs=512 count=8
  
Add the keyfile to the LUKS crypt as an extra key slot so that it can be used to open the crypt (cryptsetup asks for an existing passphrase to authorise this):
  
  sudo cryptsetup -v luksAddKey /dev/sdaX /path/to/secure/location/vaultkey
      
After adding the key to the crypt, grab the UUID of the LUKS header. crypttab and fstab should refer to the crypt by UUID rather than by /dev/sdaX, because device names can change between boots:
  
  sudo cryptsetup luksDump /dev/sdaX | grep "UUID"
      
Now that we have the UUID of the crypt, add a crypttab entry for it. The fields are the mapping name, the source device, the keyfile and the options; replace the UUID below (a placeholder) with the one luksDump printed, and point the third field at the keyfile you actually created:
      
  sudo nano /etc/crypttab
  sdaX_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /path/to/secure/location/vaultkey luks
      
Now that crypttab is set up, you can open the crypt without rebooting as follows:
  
  sudo cryptdisks_start sdaX_crypt
      
cryptdisks_start only opens the crypt and does not mount it. If you want the crypt mounted on its own at boot as well, add an entry for the mapped device to fstab (the mount point, /media/vault here, must exist):
  
  sudo nano /etc/fstab
  /dev/mapper/sdaX_crypt /media/vault     xfs    defaults      0     2
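Putting the keyfile, crypttab and fstab steps together: the shell helpers below are an added example, not code from the original page. They create the keyfile with root-only permissions from the first instant, build the crypttab and fstab lines from a real UUID (rejecting placeholder values such as the one shown above), and append them without duplicating lines on a second run. The function names, the scratch directory and the UUID used in the demo are this example's own.

```shell
#!/bin/sh
# Added example, not code from the wiki page: create the keyfile with root-only
# permissions and generate crypttab and fstab lines from a real LUKS UUID.  The
# helper names (make_luks_keyfile, is_uuid, crypttab_line, fstab_line,
# append_once) are this example's own.

# 4096 random bytes (bs=512 count=8, as on the page).  The umask makes the file
# 0600 from the moment it is created, then it is locked to 0400.  Whoever can
# read this file can open the vault, so its directory must be owned by root and
# sit on a filesystem that is itself encrypted (for example the encrypted root).
make_luks_keyfile() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "make_luks_keyfile: $keyfile already exists, refusing to overwrite" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=512 count=8 2>/dev/null ) || return 1
    chmod 0400 "$keyfile"
}

# Lowercase 8-4-4-4-12 hex, as "cryptsetup luksDump" and blkid print it.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# crypttab fields: mapping name, source device, keyfile, options.  UUID= is
# used rather than /dev/sdaX because device names can change between boots.
crypttab_line() {
    name=$1; uuid=$2; keyfile=$3
    is_uuid "$uuid" || { echo "crypttab_line: '$uuid' is not a LUKS UUID" >&2; return 1; }
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
}

# fstab mounts the mapped device that crypttab creates.
fstab_line() {
    name=$1; mountpoint=$2
    printf '/dev/mapper/%s %s xfs defaults 0 2\n' "$name" "$mountpoint"
}

# Append a line only if it is not already present, so the script is re-runnable.
append_once() {
    file=$1; line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Demo in a scratch directory with a made-up UUID.  On a real host the target
# files are /etc/crypttab and /etc/fstab, the keyfile lives on the encrypted
# root, and the UUID comes from "cryptsetup luksUUID /dev/sdaX", all run as root.
DEMO=$(mktemp -d)
DEMO_UUID=0f2c5e9a-7d1b-4c3e-9a8f-6b5d4c3e2f1a
make_luks_keyfile "$DEMO/vaultkey"
append_once "$DEMO/crypttab" "$(crypttab_line vault_crypt "$DEMO_UUID" "$DEMO/vaultkey")"
append_once "$DEMO/fstab" "$(fstab_line vault_crypt /mnt/vault)"
cat "$DEMO/crypttab" "$DEMO/fstab"
```

After writing the real entries, run cryptdisks_start and then mount -a once by hand before rebooting; a typo in either file is far easier to fix from a running system than from the initramfs emergency shell.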
      
Okay, your LUKS crypt should now be opened and mounted at boot. One last note on the pam_mount setup above: on Debian 12 and later, logins may log the error "HXproc_run_async: pmvarrun: No such file or directory". pam_mount runs pmvarrun (its per-user session counter) from the user's session, and regular users' PATH no longer includes /usr/sbin, where pmvarrun lives. To fix this, give the pmvarrun directive in your config an absolute path, keeping the -o %(OPERATION) argument from the default directive so pam_mount can still tell pmvarrun whether a session is opening or closing:

  sudo nano /etc/security/pam_mount.conf.xml
  <pmvarrun>/usr/sbin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun>
  
 --- //[[jonathan@haacksnetworking.org|oemb1905]] 2024/01/29 18:01//
computing/encryption.1563627615.txt.gz · Last modified: 2019/07/20 13:00 by oemb1905