Automatic mounting of encrypted partiton on external harddisk

April 16, 2014

For being on the safe side, after following the advice of two friends, I decided to use full encryption on the HD of my laptop. Since this is an SSD, and I’m a bit worried for the use, and also I want to have more storage, I also opted for an external 1TB HD. In order to be on the safe side I also decided to break the external HD to two partitions, one encrypted with ext4 for linux use, and more critical data, and one with vfat, for portability reasons, and less critical data (Monty pythons rips go to first partition 😉 ).

Since in such cases I have the manual mounting etc. I decided to make the process in such a way, that the when the HD is inserted, I will be automatically mounted to a proper locations, and ready to use. In order to achieve that I used LUKS with a key file. The process I used is the following.

1. Create the two partitions on the HD. Both of them are primary partitions. I used gparted for this, although fdisk could be yalso sufficient. The HD is on /dev/sdb, and I created /dev/sdb1 as unallocated space and /dev/sdb2 as vfat partition.
2. Create the LUKS encrypted volume.

   mkdir -p /etc/keys
   head -c 256 /dev/randon > /etc/keys/externalhd
   cryptsetup open --type luks /dev/sdb1 externalhd --key-file /etc/keys/externalhd
   mkfs -t ext4 /dev/mapper/externalhd
   cryptsetup close --type luks externalhd
   

3. Using blkid I got the UUID of the LUKS partition on the HD and added the corresponding line to /etc/crypttab

   externalhd UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /etc/keys/externalhd luks,noauto,noearly,quiet

   with this it is easy to have the disk decrypted by running cryptodisks_start externalhd

4. From blkid I use the UUID of the ext4 partition inside to add to /etc/fstab

   #for the external HD
   UUID="yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyy"    /media/external        ext4    rw,noauto,nodev,nosuid,errors=remount-ro 0 0

   therefore mount /media/external works like a charm

5. The last part was to have the automount functionality. For this purpose I used udev to execute the commands when the external HD was attached. The first step is to get the information needed from udev to recognize the HD. The commands was

   udevadm info -a -p $(udevadm info -q path -n /dev/sdb1)

   after some poking to see what was the best combination, I created the following /etc/udev/rules.d/10-externalhd.rules

   #external HD
   KERNEL=="sd?1", ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="lllll", ATTRS{idProduct}=="mmmm", ATTRS{serial}=="kkkkklllllmmmmm", RUN+="/usr/sbin/cryptdisks_start externalhd", RUN+="/bin/mount /media/external"

Now after unplugging and plugging back the HD and waiting a few seconds, I have it automount on /media/external and ready to use. Perhaps it is not the best solution, but it is something that seems to work. Some thoughts on different options

• I could use LVM on top of LUKS (as on the normal installation) and also have a vfat partition encrypted. But at the momend I didn’t bother much
• I should backup the LUKS superblock (this is done easilty with luksHeaderBackup)
• I should also add a key, and not rely only on the key file, So that I can mount the external HD to another machines if needed, or if my laptop SSD fails. This is easily done with luksAddKey