This article explains how to mount a LUKS (encrypted) volume on boot. You’ll be asked for a password. There are plenty of articles explaining how to do this with a crypt-key, so I need not repeat their work.
Here’s our scenario. Remember, this process is destructive. Follow this only in a lab environment where data is unimportant.
We have a disk called “/dev/sdb” on which we create a partition called “/dev/sdb1”. From there we encrypt it using “cryptsetup” and then we format it with “mkfs.ext4 -m0 /dev/mapper/secure” where “secure” is the name we gave it when opening the encrypted volume. From here we can add an entry to “/etc/crypttab” and then “/etc/fstab” and we’re done. When we boot, we’re prompted for the password, and once it’s entered, we’re in.
Let’s get started doing what we said above. We start by creating our encrypted volume.
Create the partition on /dev/sdb:
fdisk /dev/sdb
Now create the encrypted volume (you’ll be asked to provide a passphrase):
cryptsetup -y -v luksFormat /dev/sdb1
Now we open (unlock) it ready for mounting (we’re going to name the mapped volume “secure”, which makes it available as “/dev/mapper/secure”):
cryptsetup luksOpen /dev/sdb1 secure
We need to format the new volume:
mkfs.ext4 -m0 /dev/mapper/secure
Mount the new encrypted volume:
mkdir /mnt/secure
mount /dev/mapper/secure /mnt/secure
Copy some files onto it as a test:
rsync -az /etc /mnt/secure
Now unmount it. We’re going to prepare for mounting on boot using “/etc/fstab”:
umount /mnt/secure
Get the UUID of the new encrypted volume:
cryptsetup luksUUID /dev/sdb1
Edit the “/etc/crypttab” file and add the following (including the UUID from the above command output):
secure UUID=your-uuid-from-the-above-command none luks
Edit your “/etc/fstab” file and add the following:
/dev/mapper/secure /mnt/secure ext4 defaults 0 0
Now reboot and you will be asked for the password to mount the new encrypted volume. If all goes well, confirm the process works by checking to see if there are files on the encrypted volume (we copied some onto the encrypted volume earlier).
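A check worth running before that reboot, as an added example that is not part of the original article: the hypothetical `check_luks_boot` function confirms that the crypttab source is a real UUID rather than leftover placeholder text, and that the fstab line for the mapped device has a mount-options field. The sample files and the UUID in them are constructed.

```shell
#!/bin/sh
# check_luks_boot CRYPTTAB FSTAB  (hypothetical helper, not part of cryptsetup)
# Prints one line per problem; returns 0 only if every crypttab mapping is sane.
check_luks_boot() {
    crypttab=$1; fstab=$2; rc=0
    # crypttab fields: mapping name, source device, key file, options
    while read -r name src key opts; do
        case $name in ''|'#'*) continue ;; esac
        # The source must carry the real LUKS UUID, not a leftover placeholder.
        if ! printf '%s\n' "$src" |
            grep -Eq '^UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
            echo "$name: crypttab source '$src' is not UUID=<luks-uuid>"; rc=1
        fi
        # fstab must mount /dev/mapper/<name>; awk exits 1 if no such line exists.
        mntops=$(awk -v dev="/dev/mapper/$name" \
            '$1 == dev { print $4; f = 1; exit } END { exit !f }' "$fstab") || {
            echo "$name: no fstab entry for /dev/mapper/$name"; rc=1; continue
        }
        # Field 4 is the mount options; empty or all digits means it was left
        # out and the dump/pass numbers slid into its place.
        case $mntops in
            *[!0-9]*) ;;
            *) echo "$name: fstab options field missing (found '$mntops')"; rc=1 ;;
        esac
    done < "$crypttab"
    return "$rc"
}

# Constructed sample files: one pair with both mistakes, one pair corrected.
demo=$(mktemp -d)
printf 'secure UUID=your-uuid-from-the-above-command none luks\n' > "$demo/crypttab.bad"
printf '/dev/mapper/secure /mnt/secure ext4 0 0\n' > "$demo/fstab.bad"
printf 'secure UUID=0f3c9a52-7b1e-4d6a-9c2f-5e8a1b2c3d4e none luks\n' > "$demo/crypttab.ok"
printf '/dev/mapper/secure /mnt/secure ext4 defaults 0 0\n' > "$demo/fstab.ok"

check_luks_boot "$demo/crypttab.bad" "$demo/fstab.bad" || echo "fix the entries before rebooting"
check_luks_boot "$demo/crypttab.ok" "$demo/fstab.ok" && echo "entries look consistent"
```

On a real system, call it as `check_luks_boot /etc/crypttab /etc/fstab`.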
You should add mount options to fstab:
/dev/mapper/secure /mnt/secure ext4 0 0 -> /dev/mapper/secure /mnt/secure ext4 defaults 0 0