On Wednesday 04 November 2020 01:29:46 pm Janek Stolarek wrote:
I've been using LUKS for a long time on several different distributions,
all with TDE installed. So this conversation has made me curious how TDE
having ‘support for unlocking / locking encrypted disks’ is different
than what is currently in use?
The way TDE 14.0.9 currently works (on my machine at least) is that when I
plug in an encrypted external USB drive, Konqueror will ask for a password
to unlock it, but upon entering the password it will report an error. So
what I do is use a script that unlocks the LUKS device and mounts it*, at
which point Konqueror again asks for a password to unlock the device except
now that the device has been unlocked it mounts it correctly. I now wonder
whether you know a way to bypass the need of unlocking/mounting the drive
using a script?
Janek
*) Now that I wrote it I'm wondering whether the mounting step is
necessary.
Hi Janek,
It took me a huge amount of reading to figure 2nd drive LUKS out (refs below).
In a nutshell you just need to know the UUID and the passphrase and you can
get your system to basically mount and un-mount LUKS the same as it does any
normal drive.
I only have my pidgin notes, so translate with the Refs :( I’ve added
companion commands in several places to show the name match-ups, so skip
anything you’ve already done. Do NOT copy/paste! It’s so easy to wipe the
wrong drive with all the sda, sdb, sdc’s... And I found at least two of my
own copy/pastes that had sdb instead of sda, so ugh...
Note: I use sda mapping to lesda throughout for the below examples. (My boot
drive is nvme0n1 not the usual sda)
Note: I don’t use partitions when LUKSing an entire drive (no point, wastes
space).
!Note to everyone! Seriously, if you haven’t read up on and understand LUKS,
you will fubar your system by blindly following the below.
Assumptions:
- rootfs is LUKS
- swapfs is LUKS
First:
- Move Swap's keyfile to a safer place!
- I place all keyfiles in /root/.luks/
Then:
{snip, see attached text file, email wrapping was eating the commands}
# # #
I think that’s about it.
Best,
Michael
Commands:
## cryptsetup luksFormat <target device>
## cryptsetup luksDump <target device>
## cryptsetup luksOpen <target device> c1
## mkfs.ext4 /dev/mapper/vg_backup-backup
## {mount}
## cryptsetup luksAddKey /dev/sdb1 -S 5
Refs:
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
2.1 LUKS Container Setup mini-HOWTO
2.19 How can I wipe a device with crypto-grade randomness?
https://lobotuerto.com/blog/how-to-setup-full-disk-encryption-on-a-secondar…
https://www.erianna.com/adding-an-secondary-encrypted-drive-with-lvm-to-ubu…
https://askubuntu.com/questions/918021/encrypted-custom-install
https://eve.gd/2012/11/02/luks-encrypting-multiple-partitions-on-debianubun…
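
The sda/sdb mix-up and the keyfile location mentioned in the message above can be checked mechanically. The following is an added example, not part of the original post or its snipped commands: it assumes the drives are set up through /etc/crypttab (which the post does not show), and the sample entries, UUIDs and the /etc/swap.key path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes /etc/crypttab is used.
# crypttab fields: <mapped name> <source device> <keyfile> <options>

lint_crypttab() {
    # Read crypttab text on stdin and print one finding per problem.
    while read -r name src key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks, comments
        case "$src" in
            UUID=*) ;;
            *) echo "$name: source '$src' is not UUID=; sdX names can change" ;;
        esac
        case "$key" in
            ''|none|-) ;;                # passphrase is prompted for
            /root/.luks/*) ;;            # keyfile directory used in the post
            *) echo "$name: keyfile '$key' is outside /root/.luks/" ;;
        esac
    done
}

check_keyfile_mode() {
    # Succeed only when group and other have no permission bits on $1.
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ -n "$perms" ] || return 2          # file missing or unreadable
    [ "$perms" = "------" ] && return 0
    echo "$1: group/other bits set ($perms)"
    return 1
}

# Constructed sample: UUIDs and the swap keyfile path are placeholders.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
lesda  UUID=00000000-0000-0000-0000-000000000000  /root/.luks/lesda.key  luks
swap   /dev/sdb2  /etc/swap.key  luks,swap
data   UUID=11111111-1111-1111-1111-111111111111  none  luks'

lint_sample() { printf '%s\n' "$SAMPLE_CRYPTTAB" | lint_crypttab; }

lint_sample
```

To lint a real file, feed it on stdin (`lint_crypttab < /etc/crypttab`) and run `check_keyfile_mode` on each keyfile it names.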