Cool Solution - Create and auto-mount encrypted devices

From Univention Wiki

Jump to: navigation, search
Produktlogo UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

In this cool solution we will explain how to encrypt a drive, mount it and configure UCS to automatically mount it.

Keyfile creation

To automatically unlock and mount the drive on boot you need a keyfile to open the encrypted device. Simply choose a password or generate a random one and put in a hidden file.

Change the privileges on that file then, so that only root can read it:

chmod 0400 /path/to/keyfile


Encrypt the drive

First you need to install cryptsetup

univention-install cryptsetup
Now we will encrypt the device /dev/vdb. To get a list of drives you can use
fdisk -l
or
lsblk
. You should use an entirely empty drive for this process, since files stored on it before could still be recovered after encryption, unless the drive is completely overwritten with 0s or random numbers once and of course it will be formatted in the next step.

Encrypt the drive and format it. You will be prompted for a password, but we will use a keyfile to open the device later on for automatically mounting it on system boot.

cryptsetup --verbose -c aes-cbc-essiv:sha256 -y luksFormat <device>

If we would want to encrypt /dev/vdb the command would look as follows:

cryptsetup --verbose -c aes-cbc-essiv:sha256 -y luksFormat /dev/vdb

Add your key file to LUKS

cryptsetup luksAddKey <device> <keyfile>

Once this is finished, we can open the encrypted drive:

cryptsetup luksOpen <drive location> <drive name>

For our vdb drive the command would look as follows:

cryptsetup luksOpen /dev/vdb vdb

"vdb" is the name the device will be given below /dev/mapper.

We can now create a filesystem on this drive and will use ext4 for this example:

mkfs.ext4 /dev/mapper/vdb

Once this has finished, you can mount the drive and use it!

mount /dev/mapper/<drive name> <mount point>


Verify encryption of the device

To verify that the device has been encrypted you can use blkid.

blkid <device>

This should output a line similar to this:

/dev/vdb: UUID="057fdb62-d407-4705-a029-5120e9048d7c" TYPE="crypto_LUKS"

If the "TYPE" is "crypto_LUKS", the device is considered encrypted.

Automatically mount encrypted drives on system start

Of course always mounting the drive manually on system boot is not sufficient, thus we will show you how to do this automatically using crypttab and fstab now.

First we need to modify crypttab, so that our device can be found and mounted by fstab later. Always use tabs between the entries instead of spaces, otherwise this will most likely not work correctly

Add a line to /etc/crypttab with your device:

<name to be mapped to>     <device>     <keyfile>     luks

If we want to map /dev/vdb to /dev/mapper/enc with the keyfile /root/super.secret, our file would look as follows

enc     /dev/vdb     /root/super.secret     luks

Now we have to edit fstab to automount the device on boot. Add a new line for your device:

/dev/mapper/<name the device is mapped to by crypttab>     <mount point>     <file system>     defaults     0     2

So if we wanted to mount /dev/mapper/enc with ext4 as file system to /root/enc, our line would look as follows:

/dev/mapper/enc     /root/enc   ext4    defaults    0   2
Personal tools