dm-crypt/filesystems: automatic mounting

2025-04-03 15:27:45 +02:00 · 2023-01-07 19:39:02 +01:00 · 2023-01-07 19:39:02 +01:00 · 608b53adb1
commit 608b53adb1
parent 3b241bf94f
2 changed files with 114 additions and 31 deletions
--- a/wiki/linux/dm-crypt.md
+++ b/wiki/linux/dm-crypt.md
@ -1,44 +1,86 @@
 # DM-Crypt

-`dm-crypt` can create and manage encrypted devices.
+DM-Crypt can create and manage encrypted devices.

-## Creating an encrypted devices
+
+## Usage
+
+### Creating an Encrypted Devices

 To create a encrypted device simply run:
 `cryptsetup -y -v luksFormat /dev/sda2`.
-Where `/dev/sda2` is the device you want to create.
+Where `/dev/sda2` is the device to be created.

-## Open/Close an encrypted device
+### Create/Add a Key File to an encrypted volume

-To open and map a device run `cryptsetup luksOpen /dev/sda1 crypt0` where
-`/dev/sda1` is your encrypted device and `crypt0` is where it will be mapped to
-with `dev/mapper/crypt0`.
-Afterwards it can be closed by running `cryptsetup close /dev/mapper/crypt0`.
+First a key file has to be created.
+With the following lines a random file will be created that will later be used
+as the key file.
+If a key file already exists this part can be skipped.
+The following command needs to be adapted.
+It will create a key of bitlength 2048 (512 x 4).

-## Resize a LUKS encrypted volume
+```txt
+dd bs=512 count=4 if=/dev/random of=<path to destination>
+```

-If you have volume groups on the encrypted volume make sure to close them
-with the following command modified to your needs:
+It is possible to increase the length to get a stronger key file.
+Alternatively strong LUKS keys can be created using [OpenSSL](./openssl.md)
+using  a bitlength of 4096:
+`openssl genrsa -out <path to destination> 4096`.
+The key file will then be saved  to `<path to destination>`.
+
+Finally the key file can be added to an opened LUKS encrypted volume by running
+the following command:
+`cryptsetup luksAddKey <path to LUKS volume> <path to key file>`.
+
+`<path to LUKS device>` is the encrypted device (for example `/dev/sda2`) and
+`<path to key file>` is the location of the key file.
+
+### Resize a LUKS Encrypted Volume
+
+If volume groups on the encrypted volume are opened make sure to close them
+with the following command modified to the present needs:
 `vgchange -a n <volume group>`

-Open the encrypted volume (assuming its stored at `/dev/sda2` and you map it
-to `crypt-volume`):
-`cryptsetup luksOpen /dev/sda2 crypt-volume`
+Open the encrypted volume:
+`cryptsetup luksOpen <path to LUKS volume> <mapper location>`.
+`<path to LUKS device>` is the encrypted device (for example `/dev/sda2`) and
+`<mapper location>` is where it will be mapped to with `dev/mapper/` prepended.

 Now resize the encrypted volume to all available space of the partition.
-If you don't want to extend the encrypted volume to the whole partition
-or the partition is to small for your purposes, make sure to resize the
+If the encrypted volume should not be extended to the whole partition
+or the partition is too small for its intended purposes, make sure to resize the
 partition first accordingly (see [disk management](./disk-management.md)).
 `cryptsetup resize crypt-volume`

-## Creating an automatic decryption key with an USB stick
+### Open/Close an Encrypted Volume

-This guide assumes you to have an Arch Linux System, as installed in
+To open and map a device using a set password run
+`cryptsetup luksOpen <path to LUKS device> <mapper location>` where
+`<path to LUKS device>`  is the encrypted device (for example `/dev/sda2`) and
+`<mapper location>` is  where it will be mapped to with `dev/mapper/` prepended.
+Using `secret` as a `<map location>` the opened drive is available at
+`/dev/mapper/secret`.
+
+Alternatively an encrypted volume can be decrypted using
+[a key file](#createadd-a-key-file-to-an-encrypted-volume) if set up for it.
+This can be achieved by running:
+`cryptsetup luksOpen <path to LUKS volume> crypt-volume --key-file=<key file location>`.
+`<path to LUKS device>` is the encrypted device (for example `/dev/sda2`).
+
+Afterwards it can be closed by running `cryptsetup close /dev/mapper/crypt0`.
+
+### Creating/Add a USB Decryption Key
+
+This guide assumes an Arch Linux System, as installed in
 [this wikis arch linux installation](./arch-linux/installation.md).
 This section is based on entries from the
 [arch linux forum](https://forum.archlinux.de/d/28886-systementschluesselung-per-usb-stick).
+It uses a similar technique to the decryption of the encrypted volume via
+[a key file](#createadd-a-key-file-to-an-encrypted-volume).

-Insert your USB stick.
+Insert the USB stick.
 This guide will assume its address is `/dev/sde`.

 Fill in the first sectors (in this case 94, make sure this number is bigger
@ -55,7 +97,7 @@ called `/dev/sda2`):

 Next it has to be made sure that the decryption key, is available at the same
 position every time.
-For this check the `serial` and `product` of your USB stick with the following
+For this check the `serial` and `product` of the USB stick with the following
 commands.

 ```sh
@ -64,7 +106,7 @@ udevadm info -a -p `udevadm info -q path -n /dev/sde` | grep ATTRS{product}
 ```

 The first line gives the `serial`, the second the `product`.
-The `product` should match your USB stick.
+The `product` should match the USB stick.

 After this create a file at `/etc/udev/rules.d/50-usbkey.rules` with the
 following content.
@ -80,6 +122,17 @@ Then reload the udev rules by running:
 Unplug the stick and plug it back in.
 It should be available under `dev/usbkey`.

+With the following command an encrypted device can be decrypted with the usb
+stick.
+Use this to confirm the correct setup of the decryption key and the encrypted
+device.
+Make sure to edit `--key-file`, `--keyfile-offset` and `--keyfile-size` to
+match the settings used in the creation of the USB key.
+
+```sh
+cryptsetup luksOpen /dev/sda2 crypt-volume --key-file=/dev/usbkey --keyfile-offset=14848 --keyfile-size=2048
+```
+
 After that make sure in `/etc/mkinitcpio.conf` under the `HOOKS` section
 `keymap encrypt lvm2` are written before `filesystems`.
 Add `/etc/udev/rules.d/50-usbkey.rules` under the `FILES` section.
@ -95,13 +148,30 @@ Reboot the system with `reboot`.
 Make sure the USB key for decryption is plugged in.
 If so the encrypted partition should be decrypted automatically.

-## Unlock an encrypted device with the USB key created in the previous section
+### Automatical Mounting of an Encrypted Volume

-With the following command an encrypted device can be decrypted with the usb
-stick created in the previous section.
-Make sure to edit `--key-file`, `--keyfile-offset` and `--keyfile-size` to
-match the settings used in the creation of the USB key.
+For automatic mounting of an encrypted volume a keyfile is needed.
+This will be achieved by entries in the file`/etc/fstab` aswell as the file
+`/etc/crypttab`.
+First adapt and insert the following lines into `/etc/fstab`:

-```sh
-cryptsetup luksOpen /dev/sda2 crypt-volume --key-file=/dev/usbkey --keyfile-offset=14848 --keyfile-size=2048
+```txt
+/dev/mapper/<mapping location>    <mount location>       ext4    defaults   0 0
 ```
+
+`<mapping location>` is a freely choosable identificator and while the
+`<mount location>` is an existing directory for the volume to be mounted on.
+
+Additionally the following lines has to be adapted and added to the file
+`/etc/crypttab`:
+
+```txt
+<mapping location>    UUID=<UUID of encrypted volume>           <location of key file>
+```
+
+`<mapping location>` has to be the same as chosen in the step before.
+`<UUID of encrypted volume>` is the
+[universally unique identifier](/wiki/linux/filesystems.md#universally-unique-identifier)
+of the volume.
+`<location of key file>` describes the location where to find the key file
+created in the previous step.
--- a/wiki/linux/filesystems.md
+++ b/wiki/linux/filesystems.md
@ -6,6 +6,9 @@ File systems control how data on a drive is stored.
  additionally be encrypted with [Bitlocker](./dislocker.md).
 - [Samba](./samba.md) is free windows interoperability software that is not a
  classic file system can be mounted so it will be mentioned here
+- [DM-Crypt] is an encryption service. Volumes encrypted with it follow a
+  special decryption process.
+

 ## Mounting

@ -27,11 +30,21 @@ its subfolders.
 For automatic mounting the following line has to be adapted and added to the
 file `/etc/fstab`
 `<specified partition>	<path to mount point>   <file system> <additional options>  <dump flag> <fsck order>`
-The partition can be specified by UUID - which can be found at
-`/dev/disk/by-uuid` or other identifiers aswell as the simple path to it (for
-example `/dev/sda1`).
+The partition can be specified by [UUID](#universally-unique-identifier).
 The file system varies and a file system specific guide on how to mount them
 can be found in their respective entries.
 The dump flag signals if the file system should be dumped.
 The `fsck` order signals if a file system should be checked at boot.
 Boot partitions should be flagged with a `1` for this reason, otherwise `0`.
+
+## Universally Unique identifier
+
+Universally Unique identifier (UUID) are identifiers for informations on
+computer systems.
+Most notably they are used to identify file systems.
+This way the UUID of a file system can be used to identify and
+[mount it](#mounting) persistently and correctly.
+
+By listing the directory `/dev/disk/by-partuuid` all mappings of devices to a
+UUID are displayed.
+