LUKS: Disk Encryption

pedracho · January 29, 2019, 10:13pm

Dear Tom/LTS,
Maybe a video on
LUKS: Disk Encryption
(https://guardianproject.info/code/luks/)

Since encyption is so important, lets teach others in the community how to use it/set it up.

LTS_Tom · January 29, 2019, 10:19pm

It comes built in with most distos as a setup option, when I find some time will do a video on it.

oodsway · February 9, 2019, 2:19am

Let me cast one more vote in favor of OP request.

pedracho · February 15, 2019, 11:36pm

Dear all,

Finally! Thanks Tom!

kingsolmn · February 16, 2019, 7:18pm

Thanks for posting the YT link @pedracho! And, thank you very much @LTS_Tom for giving this topic your trademarked detailed discussion!

This is something that I’m going to have to get into and play around with, glad I have my lab setup (just have to wait until after a move to get into this and other projects).

oodsway · February 17, 2019, 1:19am

Tom,
Thanks for the detailed video. I set up a 2GB SD card via CLI which works fine except that it has unfriendly mapping. Is there a way to change the mapper and mount point names to something sane or do I just start over? If start over, how is that done?

It automounts like this.

I can mount to another mountpoint manually but it doesn’t stick and I don’t want to put this in fstab b/c systemd looks for devices in fstab and fills syslog with errors when it can’t find it.

Thanks

LTS_Tom · February 17, 2019, 2:01pm

That appears to be the default way Ubuntu (and probably other distros) auto mount it. Not sure how to change that, my solution when is to use the UUID that it assigns as it will be the same each time it’s mounted.

pedracho · February 18, 2019, 1:01pm

Great Suggestion, did not think of that.
Everyone, have a great week!

oodsway · February 18, 2019, 1:19pm

@LTS_Tom

You’re correct. I set up another card and was very careful about the steps. I gave a sane name when I ran:
$ cryptsetup luksOpen /dev/sdh1 something-meaningful-here

But ended up with another long 0x-name when finished and the card mounted. I’m on Kubuntu 18.04.2 LTS.

Is your solution to add a line to fstab using UUID? If so, I discovered (via lnav; tnx you) that systemd barfs errors in syslog every 10 min for unmounted devices in fstab. I don’t plan to keep an encrypted SD card mounted, so my best soln is to remount the device to a sane mount point. For an encrypted drive that mounts at boot, then UUID in fstab makes sense.

FWIW, I tried adding noauto to my fstab and that didn’t suppress systemd errors.

oodsway · February 18, 2019, 1:36pm

I found this link useful for removing encryption and re-formatting. It wasn’t obvious to me:

LTS_Tom · February 18, 2019, 1:37pm

I just mount my drives using a script as they are not unlocked until I log in like this;

cryptsetup luksOpen /dev/xvdb storeage #<-This unlocks the drive

fsck /dev/mapper/store #<-make sure the unlocked drive has no errors

mount /dev/mapper/store /storage/ #<-This mounts the drive

oodsway · February 18, 2019, 3:08pm

Thanks @LTS_Tom, that’s a workable solution!

Kubuntu automounts SD card when inserted and if I unlock with passwd will mount to 0x-long-value mount point. If I cancel passwd dialog, I can follow your method and manually mount to sane mount point.

fsck didn’t work on my SD tho. Got: “e2fsck: Cannot continue, aborting” message after saying it’s mounted.

oodsway · February 18, 2019, 4:29pm

@LTS_Tom

Solved it. Just need to edit drive label to sane name with e2label. It then mounts automatically to /media/$USER/drive-label. The container name is still long name.