Automatic mounting of an encrypted partition on an external hard disk
April 16, 2014
To be on the safe side, after following the advice of two friends, I decided to use full encryption on the HD of my laptop. Since this is an SSD, and I'm a bit worried about its use, and I also want more storage, I opted for an external 1TB HD as well. To stay on the safe side I also decided to split the external HD into two partitions: one encrypted with ext4 for Linux use and more critical data, and one with vfat, for portability reasons and less critical data (Monty Python rips go to the first partition 😉 ).
Since in such cases mounting is otherwise manual, I decided to set things up so that when the HD is plugged in it is automatically mounted at the proper locations and ready to use. To achieve that I used LUKS with a key file. The process I used is the following.
- Create the two partitions on the HD. Both of them are primary partitions. I used gparted for this, although fdisk could also be sufficient. The HD is on /dev/sdb, and I created /dev/sdb1 as unallocated (unformatted) space and /dev/sdb2 as a vfat partition.
- Create the LUKS encrypted volume:
mkdir -p /etc/keys
head -c 256 /dev/random > /etc/keys/externalhd
chmod 0400 /etc/keys/externalhd   # the key file unlocks the disk, so it must be readable by root only
cryptsetup luksFormat /dev/sdb1 --key-file /etc/keys/externalhd   # initialise the LUKS container before it can be opened
cryptsetup open --type luks /dev/sdb1 externalhd --key-file /etc/keys/externalhd
mkfs -t ext4 /dev/mapper/externalhd
cryptsetup close --type luks externalhd
- Using blkid I got the UUID of the LUKS partition on the HD and added the corresponding line to /etc/crypttab:
externalhd UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /etc/keys/externalhd luks,noauto,noearly,quiet
With this it is easy to have the disk decrypted by running cryptdisks_start externalhd
- From blkid I took the UUID of the ext4 filesystem inside the LUKS container and added it to /etc/fstab:
#for the external HD
UUID="yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyy" /media/external ext4 rw,noauto,nodev,nosuid,errors=remount-ro 0 0
With this, mount /media/external works like a charm.
- The last part was to have the automount functionality. For this purpose I used udev to execute the commands when the external HD is attached. The first step is to get the information udev needs to recognize the HD. The command was
udevadm info -a -p $(udevadm info -q path -n /dev/sdb1)
After some poking around to find the best combination of attributes, I created the following /etc/udev/rules.d/10-externalhd.rules:
#external HD
KERNEL=="sd?1", ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="lllll", ATTRS{idProduct}=="mmmm", ATTRS{serial}=="kkkkklllllmmmmm", RUN+="/usr/sbin/cryptdisks_start externalhd", RUN+="/bin/mount /media/external"
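Two things in the setup above are easy to get wrong by hand: the key file permissions, and the vendor/product/serial triple copied out of the udevadm output into the rule. The script below is an added example, not part of the original post; it checks the key file before it is used and builds the udev rule from `udevadm info -a` output. The device ids, serial and sysfs paths in the sample are constructed, and it assumes GNU stat and a POSIX awk.

```shell
#!/bin/sh
# Added helper, not from the original post: refuses a LUKS key file readable by
# anyone but its owner, and builds the udev rule from `udevadm info -a` output
# instead of copying idVendor/idProduct/serial by hand. Assumes GNU stat, POSIX awk.

# keyfile_ok PATH: regular file, owned by the caller (root when run from udev),
# mode 0400 or 0600, at least 32 bytes.
keyfile_ok() {
  [ -f "$1" ] || return 1
  set -- "$1" $(stat -c '%u %a %s' "$1")   # $2 = uid, $3 = octal mode, $4 = bytes
  [ "$2" -eq "$(id -u)" ] || return 1
  case "$3" in 400|600) ;; *) return 1 ;; esac
  [ "$4" -ge 32 ]
}

# udev_rule NAME MOUNTPOINT: read `udevadm info -a` output on stdin and print a
# rule pinned to the nearest parent that exposes idVendor, idProduct and serial
# (the usb device, so all three ATTRS come from one node as udev requires).
udev_rule() {
  awk -v name="$1" -v mnt="$2" '
    function val(line,  s, i) {           # text between the quotes after ==
      s = line; sub(/^[^=]*==/, "", s); s = substr(s, 2)
      i = index(s, "\""); return substr(s, 1, i - 1)
    }
    index($0, "ATTRS{idVendor}==")  && v == "" { v = val($0) }
    index($0, "ATTRS{idProduct}==") && p == "" { p = val($0) }
    index($0, "ATTRS{serial}==")    && s == "" { s = val($0) }
    END {
      if (v == "" || p == "" || s == "") exit 1   # refuse an unpinned rule
      printf("KERNEL==\"sd?1\", ACTION==\"add\", SUBSYSTEMS==\"usb\", ")
      printf("ATTRS{idVendor}==\"%s\", ATTRS{idProduct}==\"%s\", ATTRS{serial}==\"%s\", ", v, p, s)
      printf("RUN+=\"/usr/sbin/cryptdisks_start %s\", RUN+=\"/bin/mount %s\"\n", name, mnt)
    }'
}

# Constructed excerpt of `udevadm info -a -p $(udevadm info -q path -n /dev/sdb1)`
# output; the paths, ids and serial are made up for this example.
SAMPLE_UDEVADM=$(cat <<'EOF'
  looking at device '/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1':
    KERNEL=="sdb1"
  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb2/2-1':
    SUBSYSTEMS=="usb"
    ATTRS{idVendor}=="1234"
    ATTRS{idProduct}=="abcd"
    ATTRS{serial}=="CONSTRUCTED001"
EOF
)

# demo_rule: the rule for the sample, to review before it goes into /etc/udev/rules.d/10-externalhd.rules
demo_rule() { printf '%s\n' "$SAMPLE_UDEVADM" | udev_rule externalhd /media/external; }
```

On the real machine, pipe the live udevadm output into udev_rule instead of the sample, and call keyfile_ok from whatever wrapper udev runs before cryptdisks_start.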
Now, after unplugging and plugging back the HD and waiting a few seconds, I have it automounted on /media/external and ready to use. Perhaps it is not the best solution, but it is something that seems to work. Some thoughts on different options:
- I could use LVM on top of LUKS (as on the normal installation) and also have the vfat partition encrypted. But at the moment I didn't bother much.
- I should back up the LUKS header (this is done easily with luksHeaderBackup).
- I should also add a passphrase, and not rely only on the key file, so that I can mount the external HD on other machines if needed, or if my laptop SSD fails. This is easily done with luksAddKey.
April 23, 2014 at 20:31
[…] the previous post I wanted to make it possible to automatically provide the vfat partition I have to the windows VM. […]