computing:encryption

  • encryption
  • Jonathan Haack
  • Haack's Networking
  • netcmnd@jonathanhaack.com

Creating an encrypted partition for your workstation using cryptsetup.

sudo apt-get install cryptsetup libpam-mount
cryptsetup luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX vault
mkfs.xfs -L vault /dev/mapper/vault

To manually mount the vault, you can perform:

mkdir /mnt/vault
mount /dev/mapper/vault /mnt/vault

After you reboot, the crypt will no longer be open, so you will need to open it first before mounting:

cryptsetup luksOpen /dev/sdaX vault
mount /dev/mapper/vault /mnt/vault

Okay, so if mounting manually proves to be too tedious, here is how you can mount at boot. First, create a keyfile that you can use to unlock the crypt (only store this on an encrypted drive, and keep it readable by root only, since anyone who can read the keyfile can open the crypt):

sudo dd if=/dev/urandom of=/etc/lukskeys/vaultkey bs=512 count=8

Add the keyfile to the crypt so that it can be used to open the crypt:

sudo cryptsetup -v luksAddKey /dev/sdb1 /etc/lukskeys/vaultkey

Now we need the partition's UUID (its block identifier) to use in crypttab and fstab, because it is more reliable than the device name, which can change between boots. Get it as follows:

sudo cryptsetup luksDump /dev/sdb1 | grep "UUID"

Open crypttab and add a line like the example below, adjusting the name, UUID and keyfile path as necessary.

sudo nano /etc/crypttab
sdb1_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /etc/lukskeys/vaultkey luks

Now that crypttab is set up, you can open the crypt as follows:

sudo cryptdisks_start sdb1_crypt

But since this only opens the crypt and does not mount it, you will also need to add an entry to fstab similar to the one below, referencing the mapper name you chose in crypttab:

sudo nano /etc/fstab
/dev/mapper/sdb1_crypt /media/vault     xfs    defaults      0     2
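Before rebooting into an automatic-unlock setup, it is worth checking that the crypttab and fstab pieces above actually agree. The following script is an added example, not part of the original page: it validates each crypttab entry's UUID, checks that the keyfile is owned by root and not readable by other users, and confirms that fstab mounts the matching /dev/mapper/<name> device. The file paths default to /etc/crypttab and /etc/fstab; pass copies as arguments to check them without touching the system.

```sh
#!/bin/sh
# Added example (not from the original page): pre-reboot sanity check for the
# crypttab/fstab pairing described above. Paths default to /etc/crypttab and
# /etc/fstab; pass copies as arguments to check them without touching the system.

# 0 if $1 is a well-formed UUID as printed by "cryptsetup luksDump" or blkid.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# 0 if keyfile $1 is a regular file owned by uid $2 (default 0 = root) with
# mode 0400 or 0600, i.e. not readable by other users. Uses GNU stat(1).
keyfile_secure() {
    want_uid=${2:-0}
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$want_uid" ] || return 1
    case "$(stat -c '%a' "$1")" in 400|600) return 0 ;; *) return 1 ;; esac
}

# For each crypttab entry: the source must be a valid UUID= or /dev path, a
# keyfile (anything but "none"/"-") must pass keyfile_secure, and fstab must
# mount /dev/mapper/<name>. Prints one line per problem; returns their count.
check_crypt_mounts() {
    crypttab=${1:-/etc/crypttab}; fstab=${2:-/etc/fstab}; uid=${3:-0}
    problems=0
    while read -r name src key opts; do
        case "$name" in ''|\#*) continue ;; esac      # skip blanks and comments
        case "$src" in
            UUID=*) valid_uuid "${src#UUID=}" \
                || { echo "$name: bad UUID in '$src'"; problems=$((problems+1)); } ;;
            /dev/*) ;;
            *) echo "$name: unsupported source '$src'"; problems=$((problems+1)) ;;
        esac
        case "$key" in
            ''|none|-) ;;                             # passphrase prompt at boot
            *) keyfile_secure "$key" "$uid" \
                || { echo "$name: keyfile $key missing or too permissive"; problems=$((problems+1)); } ;;
        esac
        grep -Eq "^[[:space:]]*/dev/mapper/$name[[:space:]]" "$fstab" \
            || { echo "$name: no /dev/mapper/$name entry in $fstab"; problems=$((problems+1)); }
    done < "$crypttab"
    return "$problems"
}
```

Run `check_crypt_mounts` with no arguments (as root) to check the live files; a return value of 0 means every entry passed.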

Alternatively, you may want to let pam_mount unlock and mount the crypt at login, and/or use the crypt as your home partition. If you do this, make sure the crypt passphrase matches your user login password, because pam_mount hands the login password to cryptsetup to open the volume.

rsync -av /home /backup
umount /home/
cryptsetup luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX home
mkfs.xfs -L home /dev/mapper/home
mount /dev/mapper/home /home/
rsync -av /backup/home/ /home
sudo nano /etc/security/pam_mount.conf.xml
<volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/>

Remove the error “HXproc_run_async: pmvarrun: No such file or directory” by giving pam_mount the full /usr/sbin path to pmvarrun, since regular users do not have /usr/sbin in their PATH:

sudo nano /etc/security/pam_mount.conf.xml
<pmvarrun>/usr/sbin/pmvarrun -u %(USER)</pmvarrun>

oemb1905 2024/01/29 17:55

computing/encryption.1706551309.txt.gz · Last modified: 2024/01/29 18:01 by oemb1905