[dm-crypt] Automatically mount LUKS LVM on boot?

Arbiel (gmx) arbiel.perlacremaz at gmx.fr
Thu Jan 21 13:50:25 CET 2016


Hi

Not sure what I've done can help you, but let me tell you.

I'm using LUKS on some logical volumes of a LVM. That is, I do not
encrypt my whole LVM, but only parts of it. For several reasons out of
scope of your concern, I boot my PC only using a removable USB key. I
left my hard disk MBR as provided by the manufacturer.

I encrypted both my root and my home, each with its own LUKS key. I
agree I did it more for the sake of getting experience than for a real
need of data protection. Taking advantage of the need of a removable
device to boot, I decided to store my LUKS keys on it. I included the
two following lines in my /etc/crypttab:

victor-root UUID=78576555-f0c2-4c80-af4f-d763cc7ae71d /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-root:1 luks,keyscript=/lib/cryptsetup/scripts/passdev
victor-home UUID=37447a61-f946-4d38-a398-5a886c4e3f22 /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-home:1 luks,keyscript=/lib/cryptsetup/scripts/passdev

The two keys are 512-byte random binary files stored at the root of the
partition, named ".victor-root" and ".victor-home".

As a USB key is rather fragile (loss, getting out of use), I stored my
LUKS keys on several USB keys. I gave the same uuid to the partitions
holding my LUKS files, so that the preceding lines would work for any one
of my USB keys.

My /etc/fstab file holds the following lines:

/dev/mapper/victor-root /     ext4 errors=remount-ro 0 1
/dev/mapper/victor-home /home ext4 defaults          0 2

I suppressed the need for a password at login.

After boot, I disconnect my USB key.

Arbiel
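
Added example, not code from this thread or from cryptsetup: a small
crypttab parser that classifies how each volume's unlock key is supplied,
run over lines constructed from the two configurations quoted above. The
passdev key-field layout (device:path:timeout) and the function names are
my own reading of the entries, not anything the posts define.

```python
# Sample crypttab constructed from the two configurations in this thread.
SAMPLE_CRYPTTAB = """\
# <target> <source device> <key file> <options>
victor-root UUID=78576555-f0c2-4c80-af4f-d763cc7ae71d /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-root:1 luks,keyscript=/lib/cryptsetup/scripts/passdev
victor-home UUID=37447a61-f946-4d38-a398-5a886c4e3f22 /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-home:1 luks,keyscript=/lib/cryptsetup/scripts/passdev
enc-pv /dev/sda1 /root/keyfile luks
"""

def parse_crypttab(text):
    """Return one dict per entry; key file and options are optional fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {line!r}")
        options = {}
        for opt in (fields[3].split(",") if len(fields) > 3 else []):
            key, _, value = opt.partition("=")
            options[key] = value or True          # bare flags such as 'luks'
        entries.append({"target": fields[0], "source": fields[1],
                        "keyfile": fields[2] if len(fields) > 2 else "none",
                        "options": options})
    return entries

def parse_passdev_spec(spec):
    """passdev's key field is <device>:<path>[:<timeout>]: the device is
    mounted read-only and the key is read from <path> under its root."""
    parts = spec.split(":")
    if len(parts) not in (2, 3) or not parts[1].startswith("/"):
        raise ValueError(f"bad passdev key spec: {spec!r}")
    return {"device": parts[0], "path": parts[1],
            "timeout": int(parts[2]) if len(parts) == 3 else None}

def key_source(entry):
    """'prompt': typed at boot; 'removable': passdev reads it from a device
    unplugged afterwards; 'local': a file on a filesystem already present at
    boot, which only helps if that filesystem is itself encrypted."""
    if entry["keyfile"] == "none":
        return "prompt"
    if str(entry["options"].get("keyscript", "")).endswith("/passdev"):
        parse_passdev_spec(entry["keyfile"])      # reject a malformed spec early
        return "removable"
    return "local"

def audit(text):
    return {e["target"]: key_source(e) for e in parse_crypttab(text)}
```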

On 17/01/2016 19:30, Sven Eschenberg wrote:
> Hi Dáire,
>
> While this is not really dm-crypt/cryptsetup related, but rather a
> question of the used distro and desktop environment (etc.), I'll try to
> give you some hints on this:
>
> As long as the volume is listed in crypttab and the key is provided
> the crypto-mapping will be set up during boot. If you don't want that,
> you'd have to revert those changes. (Automatic setup of crypto mapping
> with a locally stored key is somewhat pointless, as you can imagine).
>
> It is not that easy by just looking at the commands you ran, to judge
> what is going on right now. You'll certainly have to provide
> additional info, but I am sure the Ubuntu community would be a greater
> help, as it knows the intrinsics of the distro.
>
> One thing I want to add though is this:
> You will NOT be able to do a single password entry for both decryption
> and login. You could possibly disable passwords for login (if that
> makes sense to you). You could skip the password for decryption, if
> the 'passphrase/key' is stored on an external drive (usb thumb drive)
> and you physically secure it and instead use a sign on password. And
> if you really insist on a single sign on, you'd have to have some
> sort of password cache daemon that provides the password at a later
> stage, but then again this makes password based logins pointless.
>
> So, first choose your modus operandi, then try setting it up.
>
> Regards
>
> -Sven
>
> On 16.01.2016 at 23:33, Dáire Fagan wrote:
>> I have tried following different guides on this but none seem to do
>> exactly what I am trying so I had to work with different parts from
>> different guides.
>>
>> Using the following I made it so Ubuntu would not boot, although I was
>> able to remedy this by booting into Ubuntu recovery, dropping to a root
>> shell, and putting fstab back as it was: HOWTO: Automatically unlock
>> LUKS encrypted drives with a keyfile
>> <http://ubuntuforums.org/showthread.php?t=837416>
>>
>> When I started I had just set up LUKS with LVM. I was able to mount the
>> main volume hdd1 by clicking on it from the launcher in Ubuntu and
>> entering my password, but I need to set it up to mount on boot.
>>
>> Even after the change I made in fstab - undoing what the guide
>> recommended - now when I boot a volume is mounted of 973GB although I
>> cannot write to it. Apart from that I am not sure if it is otherwise
>> working as it should, or if say for instance it is left decrypted all of
>> the time.
>>
>> Can you please look through the commands from my bash history and tell
>> me anything I need to undo, the correct commands to do this, and any
>> extra commands I need to enter to achieve what I am after, physical
>> volume sda1 decrypted on boot, and the logical volumes swap and hdd1
>> automatically mounted, one password input on boot preferred, so I do not
>> have to enter one to login and another to decrypt. This is all on a
>> completely separate drive to my / and /home partitions.
>>
>> If relevant one of the commands used during LUKS and LVM setup was:
>>
>> pvcreate /dev/mapper enc-pv
>>
>> I mention that now as it is referenced in another command.
>>
>> The logical volumes:
>>
>> dusf at roadrunner:~$ sudo lvdisplay
>>    --- Logical volume ---
>>    LV Path                /dev/vg/swap
>>    LV Name                swap
>>    VG Name                vg
>>    LV UUID                HBEt92-E8MQ-aCAu-DBDz-7VeJ-KLom-JeJ9k8
>>    LV Write Access        read/write
>>    LV Creation host, time roadrunner, 2016-01-16 20:36:42 +0000
>>    LV Status              available
>>    # open                 0
>>    LV Size                10.00 GiB
>>    Current LE             2560
>>    Segments               1
>>    Allocation             inherit
>>    Read ahead sectors     auto
>>    - currently set to     256
>>    Block device           252:1
>>
>>    --- Logical volume ---
>>    LV Path                /dev/vg/kali
>>    LV Name                kali
>>    VG Name                vg
>>    LV UUID                BeWqMO-DQAf-zcAp-RJAf-vmaY-OZbt-GLQIWx
>>    LV Write Access        read/write
>>    LV Creation host, time roadrunner, 2016-01-16 20:40:39 +0000
>>    LV Status              available
>>    # open                 0
>>    LV Size                15.00 GiB
>>    Current LE             3840
>>    Segments               1
>>    Allocation             inherit
>>    Read ahead sectors     auto
>>    - currently set to     256
>>    Block device           252:2
>>
>>    --- Logical volume ---
>>    LV Path                /dev/vg/HDD1
>>    LV Name                HDD1
>>    VG Name                vg
>>    LV UUID                xFw2Yu-li8I-Ooav-Yjk2-P38q-CZeG-dmdhSl
>>    LV Write Access        read/write
>>    LV Creation host, time roadrunner, 2016-01-16 20:51:00 +0000
>>    LV Status              available
>>    # open                 1
>>    LV Size                906.51 GiB
>>    Current LE             232066
>>    Segments               1
>>    Allocation             inherit
>>    Read ahead sectors     auto
>>    - currently set to     256
>>    Block device           252:3
>>
>> Commands I entered to try and automount:
>>
>>    156  sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
>>    157  sudo chmod 0400 /root/keyfile
>>    160  sudo cryptsetup luksAddKey /dev/sda1 /root/keyfile
>>    161  sudo vi /etc/crypttab
>>
>> I added the line: enc-pv      /dev/sda1  /root/keyfile  luks
>>
>>    162  sudo vi /etc/fstab
>>
>> I added the line: /dev/mapper/enc-pv  /media/sda1     ext4    defaults 0 2
>>
>>    163  sudo mount -a
>>    164  mkdir /media/sda1
>>    165  sudo mkdir /media/sda1
>>    166  sudo mount -a
>>
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>>

