How to setup an automatically unlock encrypted (LUKS) partition on Ubuntu

I would like to setup an encrypted folder on my Ubuntu server:

If you do not have cryptsetup, install it.

Setup LUKS on a free partition (/dev/mapper/vg_data_group-lv_data). This will erase all the data!

cryptsetup luksFormat -c aes -h sha256 /dev/mapper/vg_data_group-lv_data

Mount and format the new partition giving a device mapper name (cryptpublic1)

cryptsetup luksOpen /dev/mapper/vg_data_group-lv_data cryptpublic1
mkfs.ext4 /dev/mapper/cryptpublic1
mount -t ext4 /dev/mapper/cryptpublic1 /home/public/

Now I’m setting up automatically unlock with a keyfile:
This create a file with 4096 random bits

dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

Make /root/keyfile readable only by root (keep in mind the security problem about have keyfile on the same computer)

chmod 0400 /root/keyfile

Add keyfile to LUKS

cryptsetup luksAddKey /dev/mapper/vg_data_group-lv_data /root/keyfile

Add LUKS mapper on /etc/crypttab

cryptswap1 /dev/dm-2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
cryptpublic1 /dev/mapper/vg_data_group-lv_data /root/keyfile luks

Mount the device in fstab

proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/ITLTENX01TEST-root /               ext4    errors=remount-ro 0       1
# /boot was on /dev/sda1 during installation
UUID=69bb50bf-2b93-44de-973d-ef6f21587ecf /boot           ext2    defaults        0       2
/dev/mapper/ITLTENX01TEST-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0
#/dev/mapper/vg_data_group-lv_data /home/public ext4    noatime 0       2

/dev/mapper/cryptswap1 none swap sw 0 0

/dev/mapper/cryptpublic1        /home/public    ext4    defaults        0       2

Remember that the partition that you have encrypted in not mounted (/dev/mapper/vg_data_group-lv_data) but only the LUKS device

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s