On Wednesday 04 November 2020 01:29:46 pm Janek Stolarek wrote:
I've been using LUKS for a long time on several different distributions, all with TDE installed. So this conversation has made me curious how TDE having ‘support for unlocking / locking encrypted disks’ is different than what is currently in use?
The way TDE 14.0.9 currently works (on my machine at least) is that when I plug in an encrypted external USB drive, Konqueror will ask for a password to unlock it, but upon entering the password it will report an error. So what I do is use a script that unlocks the LUKS device and mounts it*, at which point Konqueror again asks for a password to unlock the device except now that the device has been unlocked it mounts it correctly. I now wonder whether you know a way to bypass the need of unlocking/mounting the drive using a script?
Janek
*) Now that I wrote it I'm wondering whether the mounting step is necessary.
Hi Janek,
It took me a huge amount of reading to figure 2nd drive LUKS out (refs below). In a nutshell you just need to know the UUID and the passphrase and you can get your system to basically mount and un-mount LUKS the same as it does any normal drive.
I only have my pidgin notes, so translate with the Refs :( I’ve added companion commands in several places to show the name match-ups, so skip anything you’ve already done. Do NOT copy/paste! It’s so easy to wipe the wrong drive with all the sda, sdb, sdc’s... And I found at least two of my own copy/pastes that had sdb instead of sda, so ugh...
Note: I use sda mapping to lesda throughout for the below examples. (My boot drive is nvme0n1 not the usual sda)
Note: I don’t use partitions when LUKSing an entire drive (no point, wastes space).
!Note to everyone! Seriously, if you haven’t read up on and understand LUKS, you will fubar your system by blindly following the below.
Assumptions:
- rootfs is LUKS
- swapfs is LUKS

First:
- Move Swap's keyfile to a safer place!
- I place all keyfiles in /root/.luks/
Then:
{snip, see attached text file, email wrapping was eating the commands}
# # #
I think that’s about it.
Best, Michael
Commands:
## cryptsetup luksFormat <target device>
## cryptsetup luksDump <target device>
## cryptsetup luksOpen <target device> c1
## mkfs.ext4 /dev/mapper/vg_backup-backup
## {mount}
## cryptsetup luksAddKey /dev/sdb1 -S 5

Refs:
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
  2.1 LUKS Container Setup mini-HOWTO
  2.19 How can I wipe a device with crypto-grade randomness?
https://lobotuerto.com/blog/how-to-setup-full-disk-encryption-on-a-secondary...
https://www.erianna.com/adding-an-secondary-encrypted-drive-with-lvm-to-ubun...
https://askubuntu.com/questions/918021/encrypted-custom-install
https://eve.gd/2012/11/02/luks-encrypting-multiple-partitions-on-debianubunt...
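
The reply above stresses two things: identify the drive by UUID rather than by sda/sdb name, and keep keyfiles in a protected directory such as /root/.luks/. The following is an added example, not part of the original email or its snipped attachment, that audits crypttab-style entries for both points. It assumes unlocking is configured through /etc/crypttab; the function names, sample UUIDs and sample paths are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit crypttab-style entries (name device keyfile options).
# Assumption: unlocking goes through /etc/crypttab; the thread's own
# commands were snipped, so this is not the procedure from the email.

# audit_crypttab FILE KEYDIR: print one finding per line; non-zero if any.
audit_crypttab() {
    local tab="$1" keydir="$2" bad=0 name dev key opts mode
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        case $dev in                                  # sdX names can change
            UUID=*) ;;
            *) echo "$name: device $dev is not referenced by UUID"; bad=1 ;;
        esac
        case $key in ''|none|-) continue ;; esac      # passphrase prompt
        case $key in
            "$keydir"/*) ;;
            *) echo "$name: keyfile $key is outside $keydir"; bad=1 ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key is missing"; bad=1; continue
        fi
        mode=$(stat -c %a "$key")                     # GNU stat, octal mode
        case $mode in
            400|600) ;;
            *) echo "$name: keyfile $key has mode $mode, want 400 or 600"; bad=1 ;;
        esac
    done < "$tab"
    [ "$bad" -eq 0 ]
}

# make_sample DIR: build constructed test input (not real UUIDs or keys).
make_sample() {
    local d="$1"
    mkdir -p "$d/.luks" "$d/tmp"
    echo k1 > "$d/.luks/lesda.key"; chmod 600 "$d/.luks/lesda.key"
    echo k2 > "$d/tmp/lesdb.key";   chmod 644 "$d/tmp/lesdb.key"
    cat > "$d/crypttab" <<EOF
# constructed sample
lesda  UUID=00000000-0000-0000-0000-000000000001  $d/.luks/lesda.key  luks
lesdb  /dev/sdb  $d/tmp/lesdb.key  luks
leswap UUID=00000000-0000-0000-0000-000000000002  none  luks,swap
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
audit_crypttab "$sample/crypttab" "$sample/.luks" || echo "findings above need fixing"
rm -rf "$sample"
```

On a real system the call would be `audit_crypttab /etc/crypttab /root/.luks`, run as root so the keyfiles are readable by `stat`.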