
Creating and Mounting LUKS on boot

This article explains how to mount an encrypted LUKS volume on boot. You’ll be asked for a password. There are plenty of articles explaining how to do this with a crypt-key available, so I need not repeat their work.

Here’s our scenario. Remember, this process is destructive. Follow this only in a lab environment where data is unimportant.

We have a disk called “/dev/sdb”, on which we create a partition called “/dev/sdb1”. We encrypt that partition using “cryptsetup” and then format it with “mkfs.ext4 -m0 /dev/mapper/secure”, where “secure” is the name we give the volume when we open it with cryptsetup. From here we can add an entry to “/etc/crypttab” and then “/etc/fstab” and we’re done. When we boot, we’re prompted for the password, and once that’s entered, we’re in.

Let’s get started doing what we said above. We’re starting by creating our encrypted volume.

Create the partition on /dev/sdb:

fdisk /dev/sdb

Now create the encrypted volume (you’ll be asked to provide a passphrase):

cryptsetup -y -v luksFormat /dev/sdb1

Now we open (unlock) it ready for mounting. We’re going to name the mapping “secure”, so it appears as “/dev/mapper/secure”:

cryptsetup luksOpen /dev/sdb1 secure

We need to format the new volume:

mkfs.ext4 -m0 /dev/mapper/secure

Mount the new encrypted volume:

mkdir /mnt/secure
mount /dev/mapper/secure /mnt/secure

Copy some files onto it as a test:

rsync -az /etc /mnt/secure

Now unmount it. We’re going to prepare for mounting on boot using “/etc/fstab”:

umount /mnt/secure

Get the UUID of the new encrypted volume:

cryptsetup luksUUID /dev/sdb1

Edit the “/etc/crypttab” file and add the following (including the UUID from the above command output):

secure UUID=your-uuid-from-the-above-command none luks

Edit your “/etc/fstab” file and add the following:

/dev/mapper/secure /mnt/secure ext4 defaults 0 0

Now reboot and you will be asked for the password to mount the new encrypted volume. If all goes well, confirm the process works by checking to see if there are files on the encrypted volume (we copied some onto the encrypted volume earlier).
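A pre-reboot check for the two entries above, as an added example that is not part of the original article: it confirms that the crypttab mapping points at the expected LUKS UUID and prompts for a passphrase, and that the fstab entry has a mount-options field. The function names check_crypttab and check_fstab are hypothetical, and the UUID in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example: check one crypttab/fstab pair before rebooting.

# check_crypttab NAME FILE UUID: succeed if FILE maps NAME to UUID=<UUID>
# and asks for a passphrase (key field "none", "-" or omitted).
check_crypttab() {
    awk -v n="$1" -v u="$3" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
        $1 != n { next }
        { seen = 1 }
        $2 != ("UUID=" u) { print "crypttab: source " $2 " is not UUID=" u; bad = 1 }
        NF >= 3 && $3 != "none" && $3 != "-" { print "crypttab: key field is " $3; bad = 1 }
        END { if (!seen) print "crypttab: no entry named " n
              exit ((seen && !bad) ? 0 : 1) }
    ' "$2"
}

# check_fstab NAME FILE: succeed if FILE has an entry for /dev/mapper/NAME whose
# fourth field holds mount options. A bare number there means the options
# column was left out and the dump/pass values slid into its place.
check_fstab() {
    awk -v d="/dev/mapper/$1" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 != d { next }
        { seen = 1 }
        NF < 4 || $4 ~ /^[0-9]+$/ { print "fstab: no options field in: " $0; bad = 1 }
        END { if (!seen) print "fstab: no entry for " d
              exit ((seen && !bad) ? 0 : 1) }
    ' "$2"
}

# Demo on constructed files; the UUID is a placeholder, not from a real disk.
# On the lab machine: check_crypttab secure /etc/crypttab "$(cryptsetup luksUUID /dev/sdb1)"
#                     check_fstab secure /etc/fstab
demo() {
    dir=$(mktemp -d) || return 1
    uuid="11111111-2222-3333-4444-555555555555"
    printf 'secure UUID=%s none luks\n' "$uuid" > "$dir/crypttab"
    printf '/dev/mapper/secure /mnt/secure ext4 0 0\n' > "$dir/fstab.short"
    printf '/dev/mapper/secure /mnt/secure ext4 defaults 0 0\n' > "$dir/fstab.full"
    check_crypttab secure "$dir/crypttab" "$uuid" && echo "crypttab entry ok"
    check_fstab secure "$dir/fstab.short" || echo "entry without options rejected"
    check_fstab secure "$dir/fstab.full" && echo "entry with options ok"
    rm -rf "$dir"
}
demo
```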

One comment

  1. You should add mount options to fstab:
    /dev/mapper/secure /mnt/secure ext4 0 0 -> /dev/mapper/secure /mnt/secure ext4 defaults 0 0
