LUKS: Disk Encryption


#1

Dear Tom/LTS,
Maybe a video on
LUKS: Disk Encryption
(https://guardianproject.info/code/luks/)

Since encryption is so important, let's teach others in the community how to use it/set it up.


#2

It comes built in with most distros as a setup option; when I find some time I will do a video on it.


#3

Let me cast one more vote in favor of OP request.


#4

Dear all,

Finally! Thanks Tom!


#5

Thanks for posting the YT link @pedracho! And, thank you very much @LTS_Tom for giving this topic your trademarked detailed discussion!

This is something that I’m going to have to get into and play around with, glad I have my lab setup (just have to wait until after a move to get into this and other projects).


#6

Tom,
Thanks for the detailed video. I set up a 2GB SD card via CLI which works fine except that it has unfriendly mapping. Is there a way to change the mapper and mount point names to something sane or do I just start over? If start over, how is that done?

It automounts like this.

I can mount to another mountpoint manually but it doesn’t stick and I don’t want to put this in fstab b/c systemd looks for devices in fstab and fills syslog with errors when it can’t find it.

Thanks


#7

That appears to be the default way Ubuntu (and probably other distros) auto mount it. Not sure how to change that, my solution is to use the UUID that it assigns as it will be the same each time it’s mounted.


#8

Great Suggestion, did not think of that.
Everyone, have a great week!


#9

@LTS_Tom

You’re correct. I set up another card and was very careful about the steps. I gave a sane name when I ran:
$ cryptsetup luksOpen /dev/sdh1 something-meaningful-here

But ended up with another long 0x-name when finished and the card mounted. I’m on Kubuntu 18.04.2 LTS.

Is your solution to add a line to fstab using UUID? If so, I discovered (via lnav; tnx you) that systemd barfs errors in syslog every 10 min for unmounted devices in fstab. I don’t plan to keep an encrypted SD card mounted, so my best soln is to remount the device to a sane mount point. For an encrypted drive that mounts at boot, then UUID in fstab makes sense.

FWIW, I tried adding noauto to my fstab and that didn’t suppress systemd errors.


#10

I found this link useful for removing encryption and re-formatting. It wasn’t obvious to me:


#11

I just mount my drives using a script as they are not unlocked until I log in, like this:

cryptsetup luksOpen /dev/xvdb store #<-This unlocks the drive

fsck /dev/mapper/store #<-make sure the unlocked drive has no errors

mount /dev/mapper/store /storage/ #<-This mounts the drive

#12

Thanks @LTS_Tom, that’s a workable solution!

Kubuntu automounts SD card when inserted and if I unlock with passwd will mount to 0x-long-value mount point. If I cancel passwd dialog, I can follow your method and manually mount to sane mount point.

fsck didn’t work on my SD tho. Got: “e2fsck: Cannot continue, aborting” message after saying it’s mounted.


#13

@LTS_Tom

Solved it. Just need to edit drive label to sane name with e2label. It then mounts automatically to /media/$USER/drive-label. The container name is still long name.
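
The unlock, check and mount sequence from post #11, with the fsck abort on an already-mounted filesystem from post #12 handled, as an added example that is not part of the thread. The device path, mapper name and mount point are placeholders, and commands are only printed unless RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): open a LUKS volume under a chosen
# mapper name, check the filesystem, then mount it at a chosen mount point.
# Assumption: commands are printed only; set RUN=1 (as root) to execute them.

MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"   # overridable so it can be tested

# Return 0 if the given device node is listed as a mount source.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Print one command, or execute it when RUN=1.
run() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# unlock_and_mount DEVICE MAPPER_NAME MOUNT_POINT
unlock_and_mount() {
    dev="$1"; name="$2"; mnt="$3"
    mapped="/dev/mapper/$name"

    # e2fsck aborts on a mounted filesystem, so stop before reaching fsck.
    if is_mounted "$mapped"; then
        echo "error: $mapped is already mounted; unmount it first" >&2
        return 1
    fi

    # The name given here becomes /dev/mapper/NAME; skip if already open.
    if [ ! -e "$mapped" ]; then
        run cryptsetup luksOpen "$dev" "$name" || return 1
    fi

    # fsck exit status 0 = clean, 1 = errors corrected; anything higher is fatal.
    run fsck "$mapped"; rc=$?
    [ "$rc" -le 1 ] || return "$rc"

    run mkdir -p "$mnt" || return 1
    run mount "$mapped" "$mnt"
}

# Stand-alone use: ./script.sh /dev/sdX1 sdcard /mnt/sdcard
if [ "$#" -eq 3 ]; then unlock_and_mount "$@"; fi
```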