dm-crypt/filesystems: automatic mounting

master
tiyn 2 years ago
parent 3b241bf94f
commit 608b53adb1

@ -1,44 +1,86 @@
# DM-Crypt # DM-Crypt
`dm-crypt` can create and manage encrypted devices. DM-Crypt can create and manage encrypted devices.
## Creating an encrypted devices
## Usage
### Creating an Encrypted Devices
To create a encrypted device simply run: To create a encrypted device simply run:
`cryptsetup -y -v luksFormat /dev/sda2`. `cryptsetup -y -v luksFormat /dev/sda2`.
Where `/dev/sda2` is the device you want to create. Where `/dev/sda2` is the device to be created.
## Open/Close an encrypted device ### Create/Add a Key File to an encrypted volume
To open and map a device run `cryptsetup luksOpen /dev/sda1 crypt0` where First a key file has to be created.
`/dev/sda1` is your encrypted device and `crypt0` is where it will be mapped to With the following lines a random file will be created that will later be used
with `dev/mapper/crypt0`. as the key file.
Afterwards it can be closed by running `cryptsetup close /dev/mapper/crypt0`. If a key file already exists this part can be skipped.
The following command needs to be adapted.
It will create a key of bitlength 2048 (512 x 4).
```txt
dd bs=512 count=4 if=/dev/random of=<path to destination>
```
It is possible to increase the length to get a stronger key file.
Alternatively strong LUKS keys can be created using [OpenSSL](./openssl.md)
using a bitlength of 4096:
`openssl genrsa -out <path to destination> 4096`.
The key file will then be saved to `<path to destination>`.
Finally the key file can be added to an opened LUKS encrypted volume by running
the following command:
`cryptsetup luksAddKey <path to LUKS volume> <path to key file>`.
`<path to LUKS device>` is the encrypted device (for example `/dev/sda2`) and
`<path to key file>` is the location of the key file.
## Resize a LUKS encrypted volume ### Resize a LUKS Encrypted Volume
If you have volume groups on the encrypted volume make sure to close them If volume groups on the encrypted volume are opened make sure to close them
with the following command modified to your needs: with the following command modified to the present needs:
`vgchange -a n <volume group>` `vgchange -a n <volume group>`
Open the encrypted volume (assuming its stored at `/dev/sda2` and you map it Open the encrypted volume:
to `crypt-volume`): `cryptsetup luksOpen <path to LUKS volume> <mapper location>`.
`cryptsetup luksOpen /dev/sda2 crypt-volume` `<path to LUKS device>` is the encrypted device (for example `/dev/sda2`) and
`<mapper location>` is where it will be mapped to with `dev/mapper/` prepended.
Now resize the encrypted volume to all available space of the partition. Now resize the encrypted volume to all available space of the partition.
If you don't want to extend the encrypted volume to the whole partition If the encrypted volume should not be extended to the whole partition
or the partition is to small for your purposes, make sure to resize the or the partition is too small for its intended purposes, make sure to resize the
partition first accordingly (see [disk management](./disk-management.md)). partition first accordingly (see [disk management](./disk-management.md)).
`cryptsetup resize crypt-volume` `cryptsetup resize crypt-volume`
## Creating an automatic decryption key with an USB stick ### Open/Close an Encrypted Volume
This guide assumes you to have an Arch Linux System, as installed in To open and map a device using a set password run
`cryptsetup luksOpen <path to LUKS device> <mapper location>` where
`<path to LUKS device>` is the encrypted device (for example `/dev/sda2`) and
`<mapper location>` is where it will be mapped to with `dev/mapper/` prepended.
Using `secret` as a `<map location>` the opened drive is available at
`/dev/mapper/secret`.
Alternatively an encrypted volume can be decrypted using
[a key file](#createadd-a-key-file-to-an-encrypted-volume) if set up for it.
This can be achieved by running:
`cryptsetup luksOpen <path to LUKS volume> crypt-volume --key-file=<key file location>`.
`<path to LUKS device>` is the encrypted device (for example `/dev/sda2`).
Afterwards it can be closed by running `cryptsetup close /dev/mapper/crypt0`.
### Creating/Add a USB Decryption Key
This guide assumes an Arch Linux System, as installed in
[this wikis arch linux installation](./arch-linux/installation.md). [this wikis arch linux installation](./arch-linux/installation.md).
This section is based on entries from the This section is based on entries from the
[arch linux forum](https://forum.archlinux.de/d/28886-systementschluesselung-per-usb-stick). [arch linux forum](https://forum.archlinux.de/d/28886-systementschluesselung-per-usb-stick).
It uses a similar technique to the decryption of the encrypted volume via
[a key file](#createadd-a-key-file-to-an-encrypted-volume).
Insert your USB stick. Insert the USB stick.
This guide will assume its address is `/dev/sde`. This guide will assume its address is `/dev/sde`.
Fill in the first sectors (in this case 94, make sure this number is bigger Fill in the first sectors (in this case 94, make sure this number is bigger
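Review bot: the key-size arithmetic in the new "Create/Add a Key File" text is wrong: `dd bs=512 count=4` writes 512 x 4 = 2048 bytes (16384 bits), not a key of bit length 2048, and that byte count is what the later `--keyfile-size=2048` refers to, so state the size in bytes. Three further points in the same hunk: `openssl genrsa -out <path to destination> 4096` writes a PEM-encoded RSA private key, a structured text file rather than random key material, so the plain random file from `dd` (followed by `chmod 0400` so only root can read it) is the better recommendation and the RSA suggestion should be dropped or marked as an odd choice; `cryptsetup luksAddKey` operates on the LUKS header directly and prompts for an existing passphrase, so the sentence "added to an opened LUKS encrypted volume" should not require the volume to be open; and the Open/Close subsection opens the volume as `crypt-volume` but closes `/dev/mapper/crypt0`, mixes `<path to LUKS volume>`/`<path to LUKS device>` and `<mapper location>`/`<map location>`, and writes `dev/mapper/` without its leading slash. Suggest `cryptsetup close crypt-volume` and one consistent set of placeholders.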
@ -55,7 +97,7 @@ called `/dev/sda2`):
Next it has to be made sure that the decryption key, is available at the same Next it has to be made sure that the decryption key, is available at the same
position every time. position every time.
For this check the `serial` and `product` of your USB stick with the following For this check the `serial` and `product` of the USB stick with the following
commands. commands.
```sh ```sh
@ -64,7 +106,7 @@ udevadm info -a -p `udevadm info -q path -n /dev/sde` | grep ATTRS{product}
``` ```
The first line gives the `serial`, the second the `product`. The first line gives the `serial`, the second the `product`.
The `product` should match your USB stick. The `product` should match the USB stick.
After this create a file at `/etc/udev/rules.d/50-usbkey.rules` with the After this create a file at `/etc/udev/rules.d/50-usbkey.rules` with the
following content. following content.
@ -80,6 +122,17 @@ Then reload the udev rules by running:
Unplug the stick and plug it back in. Unplug the stick and plug it back in.
It should be available under `dev/usbkey`. It should be available under `dev/usbkey`.
With the following command an encrypted device can be decrypted with the usb
stick.
Use this to confirm the correct setup of the decryption key and the encrypted
device.
Make sure to edit `--key-file`, `--keyfile-offset` and `--keyfile-size` to
match the settings used in the creation of the USB key.
```sh
cryptsetup luksOpen /dev/sda2 crypt-volume --key-file=/dev/usbkey --keyfile-offset=14848 --keyfile-size=2048
```
After that make sure in `/etc/mkinitcpio.conf` under the `HOOKS` section After that make sure in `/etc/mkinitcpio.conf` under the `HOOKS` section
`keymap encrypt lvm2` are written before `filesystems`. `keymap encrypt lvm2` are written before `filesystems`.
Add `/etc/udev/rules.d/50-usbkey.rules` under the `FILES` section. Add `/etc/udev/rules.d/50-usbkey.rules` under the `FILES` section.
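Review bot: the `--keyfile-offset=14848` and `--keyfile-size=2048` values in the added verification command are byte counts, and the text only says to "match the settings used in the creation of the USB key" without saying how: spell out that the offset is the `dd` `seek` value multiplied by `bs` and the size is `count` multiplied by `bs`, so a reader who chose different sector numbers can derive the right values instead of copying 14848. Minor, in the unchanged context line: "It should be available under `dev/usbkey`" is missing the leading slash, while the command correctly uses `/dev/usbkey`.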
@ -95,13 +148,30 @@ Reboot the system with `reboot`.
Make sure the USB key for decryption is plugged in. Make sure the USB key for decryption is plugged in.
If so the encrypted partition should be decrypted automatically. If so the encrypted partition should be decrypted automatically.
## Unlock an encrypted device with the USB key created in the previous section ### Automatical Mounting of an Encrypted Volume
With the following command an encrypted device can be decrypted with the usb For automatic mounting of an encrypted volume a keyfile is needed.
stick created in the previous section. This will be achieved by entries in the file`/etc/fstab` aswell as the file
Make sure to edit `--key-file`, `--keyfile-offset` and `--keyfile-size` to `/etc/crypttab`.
match the settings used in the creation of the USB key. First adapt and insert the following lines into `/etc/fstab`:
```sh ```txt
cryptsetup luksOpen /dev/sda2 crypt-volume --key-file=/dev/usbkey --keyfile-offset=14848 --keyfile-size=2048 /dev/mapper/<mapping location> <mount location> ext4 defaults 0 0
```
`<mapping location>` is a freely choosable identificator and while the
`<mount location>` is an existing directory for the volume to be mounted on.
Additionally the following lines has to be adapted and added to the file
`/etc/crypttab`:
```txt
<mapping location> UUID=<UUID of encrypted volume> <location of key file>
``` ```
`<mapping location>` has to be the same as chosen in the step before.
`<UUID of encrypted volume>` is the
[universally unique identifier](/wiki/linux/filesystems.md#universally-unique-identifier)
of the volume.
`<location of key file>` describes the location where to find the key file
created in the previous step.
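Review bot: the `UUID=<UUID of encrypted volume>` field in the new `/etc/crypttab` line must be the UUID of the LUKS container itself (the raw partition such as `/dev/sda2`, as printed by `cryptsetup luksUUID` or `blkid`), not the UUID of the file system inside the mapping, which only exists once the volume is opened; say which one, because the linked UUID section describes file-system UUIDs. Also note that the key file named in `/etc/crypttab` has to be owned by root with mode `0400`, since anyone able to read it can unlock the volume, and that `ext4` in the `/etc/fstab` line is an example that must match the volume's actual file system. Spelling in the added text: `Automatical` -> `Automatic`, `aswell` -> `as well`, `identificator` -> `identifier`, and a space is missing in "the file`/etc/fstab`".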

@ -6,6 +6,9 @@ File systems control how data on a drive is stored.
additionally be encrypted with [Bitlocker](./dislocker.md). additionally be encrypted with [Bitlocker](./dislocker.md).
- [Samba](./samba.md) is free windows interoperability software that is not a - [Samba](./samba.md) is free windows interoperability software that is not a
classic file system can be mounted so it will be mentioned here classic file system can be mounted so it will be mentioned here
- [DM-Crypt] is an encryption service. Volumes encrypted with it follow a
special decryption process.
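Review bot: the new `[DM-Crypt]` entry is a reference-style link with no matching definition, so it will not render as a link; the neighbouring entries use inline targets (`[Samba](./samba.md)`), so give it one the same way, e.g. `[DM-Crypt](./dm-crypt.md)` if that is the page's file name.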
## Mounting ## Mounting
@ -27,11 +30,21 @@ its subfolders.
For automatic mounting the following line has to be adapted and added to the For automatic mounting the following line has to be adapted and added to the
file `/etc/fstab` file `/etc/fstab`
`<specified partition> <path to mount point> <file system> <additional options> <dump flag> <fsck order>` `<specified partition> <path to mount point> <file system> <additional options> <dump flag> <fsck order>`
The partition can be specified by UUID - which can be found at The partition can be specified by [UUID](#universally-unique-identifier).
`/dev/disk/by-uuid` or other identifiers aswell as the simple path to it (for
example `/dev/sda1`).
The file system varies and a file system specific guide on how to mount them The file system varies and a file system specific guide on how to mount them
can be found in their respective entries. can be found in their respective entries.
The dump flag signals if the file system should be dumped. The dump flag signals if the file system should be dumped.
The `fsck` order signals if a file system should be checked at boot. The `fsck` order signals if a file system should be checked at boot.
Boot partitions should be flagged with a `1` for this reason, otherwise `0`. Boot partitions should be flagged with a `1` for this reason, otherwise `0`.
## Universally Unique identifier
Universally Unique identifier (UUID) are identifiers for informations on
computer systems.
Most notably they are used to identify file systems.
This way the UUID of a file system can be used to identify and
[mount it](#mounting) persistently and correctly.
By listing the directory `/dev/disk/by-partuuid` all mappings of devices to a
UUID are displayed.
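Review bot: the new UUID section sends readers to `/dev/disk/by-partuuid`, but that directory lists partition UUIDs (PARTUUID), a different identifier from the file-system UUID that the `UUID=` syntax in `/etc/fstab` and the mounting paragraph above rely on; the removed sentence had the correct directory, `/dev/disk/by-uuid`, so restore it (or document both and state that partition UUIDs are used with `PARTUUID=`). Grammar in the added text: "Universally Unique identifier (UUID) are identifiers for informations" -> "Universally unique identifiers (UUIDs) identify information", and the heading's "Unique identifier" should be capitalised consistently with the other headings.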
