Need advice on automounting LUKS drive on boot

I have done some research and want to have my settings checked before doing them, since if I mess up, my system won't boot.

I have 3 disks that are LUKS encrypted and I want to have them unlocked and mounted when I boot my system.

Is what I have now correct?

In “/etc/crypttab” I want to add the following:

    Data_01 UUID=… /home/sojiro/luks.key timeout=180
    Data_02 UUID=… /home/sojiro/luks.key timeout=180
    Data_03 UUID=… /home/sojiro/luks.key timeout=180

I am not sure if it is safe to paste a UUID here, so I removed them, but the UUID that I have filled in is the “crypto_LUKS” UUID before the drive is unlocked. The DATA_01 is the name I want to use for that disk.

In /etc/fstab I want to have it look like this:

    /dev/mapper/luks-numbershere / ext4 defaults,noatime 0 1
    /dev/mapper/Data_01 /mnt/Data_01 ext4 defaults,noatime 0 2
    /dev/mapper/Data_02 /mnt/Data_02 ext4 defaults,noatime 0 3
    /dev/mapper/Data_03 /mnt/Data_03 ext4 defaults,noatime 0 4

The first one is my main partition and then the three below it are my data disks. I want the disk mounted at “/mnt/Data_01”.

If I read Arch right I don't have to specify “sda1” as a disk name since I use the UUID, and later on I can use “/dev/mapper/Data_01” since I have assigned that “Data_01” as a name earlier in crypttab.

Does it look right?

And what does “noatime 0 1” mean? I assume the 1 at the end is the order, therefore I have done 2/3/4 on the disks below, is that also correct?

Edit, seems I need to use “0 2” for the drives. Has something to do with file system check.

I don't know about the “timeout” value. What is that good for? And my crypttab has a “luks” keyword at the end:

    here-is-the-name UUID=abcd-1234-xyz /keyfile.bin luks

and my fstab looks like this:

    /dev/mapper/here-is-the-name /mnt/mountpoint xfs defaults,noatime 0 1

Just out of curiosity a question regarding your keyfile: /home/sojiro/luks.key
At what point in time during the boot process is that keyfile accessible?

timeout has to do with the time to enter the password, which I can of course remove since I already provide a keyfile.

I don’t know when my system will mount the disks, so I guess it might be better to move the keyfile to a root directory instead of in my home directory.

The disk where my EOS is installed is also LUKS encrypted.

Edit: thanks for mentioning luks, the Arch wiki didn’t have that part added in the examples. But I do need to specify it.

Well, it works, except somehow for the password bit. I got asked to enter the password during boot 3 times (since there are 3 disks). Anyone know why? This is how it looks:

    Data_01 UUID=removed /etc/cryptsetup-keys.d/luks.key luks,nofail
    Data_02 UUID=removed /etc/cryptsetup-keys.d/luks.key luks,nofail
    Data_03 UUID=removed /etc/cryptsetup-keys.d/luks.key luks,nofail

    /dev/mapper/Data_01 /mnt/Data_01 ext4 defaults,noatime 0 2
    /dev/mapper/Data_02 /mnt/Data_02 ext4 defaults,noatime 0 2
    /dev/mapper/Data_03 /mnt/Data_03 ext4 defaults,noatime 0 2

After some reading, is the keyfile a NEW thing, separate from the standard LUKS password that I have made during formatting of the drive? Is the following something I must do?


Adding a key file to an existing LUKS volume:

Prepare a key file, whether it is random data or something specific
    dd if=/dev/random bs=32 count=1 of=/root/random_data_keyfile1
    printf "Simple passphrase which can also be used interactively" >/root/plaintext_passphrase_keyfile2

Take care to ensure the key file is hidden from and unreadable by all untrusted parties

Add the key file to the encrypted device with the command: cryptsetup luksAddKey DEV /PATH/TO/KEYFILE

Solved by the above, seems a keyfile is a separate thing one can add to the disks which can then be used to unlock it at boot.

Ahh, nice that it works. No more typing out my passwords 3 times.

Each luks container has 8 slots, you can assign multiple passwords and / or keyfiles to a luks container.

    Key Slot 0: ENABLED
        Iterations:             4072138
        Salt:                   3d 49 84 19 79 b9 7f ea 4a be 67 60 82 fe 8c ef
                                d5 cd d1 6d bf 75 2b 89 a0 bf a8 25 d7 77 e5 ec
        Key material offset:    8
        AF stripes:             4000
    Key Slot 1: ENABLED
        Iterations:             4072138
        Salt:                   9b 24 ca 9a 1a f2 ad f6 5e fc 9a c8 ac e7 1f db
                                b3 83 b1 64 3b 62 e5 69 e1 a8 88 8a cc a0 16 09
        Key material offset:    512
        AF stripes:             4000
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

You can add, remove, and change them with cryptsetup.

    luksAddKey <device> [<new key file>] - add key to LUKS device
    luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device
    luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device
    luksConvertKey <device> [<key file>] - converts a key to new pbkdf parameters

Calamares creates a keyfile for your root partition if you choose an encrypted install, /crypto_keyfile.bin. This can be set up to open all encrypted partitions, or a different keyfile can be used if the data is more sensitive.

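A pre-reboot check for the kind of crypttab and fstab entries discussed in this thread, as an added example that is not code from any of the posters. It flags key files that are missing, kept under /home or readable by group/other, fstab lines that point at a mapper name with no crypttab entry, and fsck pass values other than 0 or 2 on data disks. The function names `lint_crypttab`, `lint_fstab` and `demo`, and all sample entries, are constructed for illustration.

```shell
# Added example: lint copies of crypttab and fstab before a reboot.
lint_crypttab() {    # $1 = crypttab path
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$key" in
            ''|none|-) echo "$name: no key file given, a passphrase prompt is likely"; continue ;;
            /home/*) echo "$name: key file is under /home" ;;
        esac
        [ -f "$key" ] || { echo "$name: key file $key not found"; continue; }
        perms=$(ls -ld "$key" | cut -c5-10)    # group and other permission bits
        [ "$perms" = "------" ] || echo "$name: key file open to group/other ($perms)"
    done < "$1"
}

lint_fstab() {       # $1 = crypttab path, $2 = fstab path
    while read -r src mnt fstype opts dump pass; do
        case "$src" in /dev/mapper/*) ;; *) continue ;; esac
        [ "$mnt" = "/" ] && continue           # skip the root filesystem line
        name=${src#/dev/mapper/}
        awk -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$1" ||
            echo "$mnt: no crypttab entry named $name"
        case "$pass" in
            0|2) ;;
            *) echo "$mnt: fsck pass is $pass, fstab(5) recommends 2 for non-root" ;;
        esac
    done < "$2"
}

# Constructed sample files in a scratch directory; nothing under /etc is touched.
demo() {
    d=$(mktemp -d)
    printf 'k' > "$d/good.key"; chmod 600 "$d/good.key"
    printf 'k' > "$d/open.key"; chmod 644 "$d/open.key"
    cat > "$d/crypttab" <<EOF
Data_01 UUID=placeholder-1 $d/good.key luks,nofail
Data_02 UUID=placeholder-2 $d/open.key luks,nofail
Data_03 UUID=placeholder-3 none luks,nofail
EOF
    cat > "$d/fstab" <<EOF
/dev/mapper/luks-placeholder / ext4 defaults,noatime 0 1
/dev/mapper/Data_01 /mnt/Data_01 ext4 defaults,noatime 0 2
/dev/mapper/Data_02 /mnt/Data_02 ext4 defaults,noatime 0 3
/dev/mapper/Data_04 /mnt/Data_04 ext4 defaults,noatime 0 2
EOF
    lint_crypttab "$d/crypttab"; lint_fstab "$d/crypttab" "$d/fstab"
    rm -rf "$d"
}
demo
```

To check a real system, run `lint_crypttab /etc/crypttab` and `lint_fstab /etc/crypttab /etc/fstab` as root so the key files can be inspected.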