On Wednesday 04 November 2020 01:29:46 pm Janek Stolarek wrote:
> > I've been using LUKS for a long time on several different distributions,
> > all with TDE installed. So this conversation has made me curious how TDE
> > having ‘support for unlocking / locking encrypted disks’ is different
> > than what is currently in use?
>
> The way TDE 14.0.9 currently works (on my machine at least) is that when I
> plug in an encrypted external USB drive, Konqueror will ask for a password
> to unlock it, but upon entering the password it will report an error. So
> what I do is use a script that unlocks the LUKS device and mounts it*, at
> which point Konqueror again asks for a password to unlock the device except
> now that the device has been unlocked it mounts it correctly. I now wonder
> whether you know a way to bypass the need of unlocking/mounting the drive
> using a script?
>
> Janek
>
> *) Now that I wrote it I'm wondering whether the mounting step is
> necessary.
Hi Janek,
It took me a huge amount of reading to figure 2nd drive LUKS out (refs below).
In a nutshell you just need to know the UUID and the passphrase and you can
get your system to basically mount and un-mount LUKS the same as it does any
normal drive.
I only have my pidgin notes, so translate with the Refs :( I’ve added
companion commands in several places to show the name match-ups, so skip
anything you’ve already done. Do NOT copy/paste! It’s so easy to wipe the
wrong drive with all the sda, sdb, sdc’s... And I found at least two of my
own copy/pastes that had sdb instead of sda, so uhg...
Note: I use sda mapping to lesda throughout for the below examples. (My boot
drive is nvme0n1 not the usual sda)
Note: I don’t use partitions when LUKSing an entire drive (no point, wastes
space).
!Note to everyone! Seriously, if you haven’t read up on and understand LUKS,
you will fubar your system by blindly following the below.
Assumptions:
- rootfs is LUKS
- swapfs is LUKS
First:
- Move Swap's keyfile to a safer place!
- I place all keyfiles in /root/.luks/
Then:
{snip, see attached text file, email wrapping was eating the commands}
- Find the UUID
cryptsetup luksDump /dev/sda
- Generate a keyfile or passphrase file.
dd if=/dev/urandom of=/root/.luks/keyfile.sda bs=1024 count=4
printf '%s' 'passphrase' > /root/.luks/keyfile.sda
Note: Make sure your keyfile doesn't have a line feed (LF) anywhere in the file. e.g. Never open it with Nano!
- Check the device with badblocks
blockdev --getbsz /dev/sda
badblocks -svn -b 4096 -e 1 /dev/sda
cryptsetup --key-file=/root/.luks/keyfile.sda luksOpen /dev/sda lesda
umount /dev/mapper/lesda
cryptsetup luksClose lesda
Note (for USB 3.1):
badblocks takes approximately 40 hours on a 6TB disk.
badblocks takes approximately 45 hours on a 9TB disk.
{no that doesn’t make sense to me either, different drive manufacturers??}
- Wipe the device with crypto-grade randomness
cryptsetup open --type plain -d /dev/urandom /dev/sda to_be_wiped
dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=4M status=progress conv=fdatasync
cryptsetup luksClose to_be_wiped
- Create your file system
cryptsetup --key-file=/root/.luks/keyfile.sda luksOpen /dev/sda lesda
mkfs.ext4 /dev/mapper/lesda
mount /dev/mapper/lesda /media/michael/hdsda
- Check/Add sdX to auto-mount
# ll /dev/disk/by-uuid/
{snip}
lrwxrwxrwx 1 root root 9 Nov 3 09:21 {huge UUID number} -> ../../sda
- ADD to /etc/crypttab
lesda /dev/disk/by-uuid/{huge UUID number} /root/.luks/keyfile.sda luks,nofail
- ADD to /etc/fstab
/dev/mapper/lesda /media/michael/hdsda ext4 defaults,noatime,nofail 1 2
- You can also Mount and UnMount as normal
mount /dev/mapper/lesda /media/michael/hdsda
umount /dev/mapper/lesda
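A pre-flight check for the keyfile, the UUID and the two table lines above, as an added example that is not part of Michael's notes: it assumes Linux with GNU coreutils (stat -c), uses a constructed UUID and a temporary directory in place of a real disk, and reuses the lesda / keyfile.sda / hdsda names from the notes.

```shell
#!/bin/sh
# Added example, not from the notes above: pre-flight checks for a keyfile-backed
# LUKS volume before its lines go into /etc/crypttab and /etc/fstab.
# Assumes Linux with GNU coreutils (stat -c); the UUID is a constructed sample.

# keyfile_ok FILE: 0 = usable; 1 = missing; 2 = contains a newline (a stray LF
# becomes part of the passphrase, the problem the Nano note warns about);
# 3 = mode is not 0400/0600. Meant for passphrase-style files (the printf
# variant); a dd-generated random keyfile legitimately contains any byte.
keyfile_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    lf=$(tr -cd '\n' < "$f" | wc -c | tr -d ' ')
    [ "$lf" -eq 0 ] || return 2
    case "$(stat -c '%a' "$f")" in
        400|600) return 0 ;;
        *)       return 3 ;;
    esac
}

# uuid_ok UUID: the lower-case 8-4-4-4-12 form that luksDump and
# /dev/disk/by-uuid use; rejects placeholders like {huge UUID number}.
uuid_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# The two table lines from the notes; nofail keeps boot going when the
# external disk is unplugged.
crypttab_line() {  # NAME UUID KEYFILE
    printf '%s /dev/disk/by-uuid/%s %s luks,nofail\n' "$1" "$2" "$3"
}
fstab_line() {     # NAME MOUNTPOINT
    printf '/dev/mapper/%s %s ext4 defaults,noatime,nofail 1 2\n' "$1" "$2"
}

# Demo on constructed files in a temp dir; no real device is touched.
demo() {
    t=$(mktemp -d)
    printf '%s' 'passphrase' > "$t/good"; chmod 600 "$t/good"
    echo 'passphrase' > "$t/lf";          chmod 600 "$t/lf"
    for k in good lf; do
        if keyfile_ok "$t/$k"; then echo "$k: ok"; else echo "$k: rc=$?"; fi
    done
    u=0123abcd-4567-89ef-0123-456789abcdef
    uuid_ok "$u" && crypttab_line lesda "$u" /root/.luks/keyfile.sda
    fstab_line lesda /media/michael/hdsda
    rm -rf "$t"
}
demo
```

Run it as root only if you point it at the real keyfile; the demo itself needs no privileges.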
# # #
I think that’s about it.
Best,
Michael
Commands:
## cryptsetup luksFormat <target device>
## cryptsetup luksDump <target device>
## cryptsetup luksOpen <target device> c1
## mkfs.ext4 /dev/mapper/vg_backup-backup
## {mount}
## cryptsetup luksAddKey /dev/sdb1 -S 5
Refs:
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
2.1 LUKS Container Setup mini-HOWTO
2.19 How can I wipe a device with crypto-grade randomness?
https://lobotuerto.com/blog/how-to-setup-full-disk-encryption-on-a-secondary-hdd-in-linux/
https://www.erianna.com/adding-an-secondary-encrypted-drive-with-lvm-to-ubuntu-linux/
https://askubuntu.com/questions/918021/encrypted-custom-install
https://eve.gd/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase/
tde-users mailing list -- users@xxxxxxxxxxxxxxxxxx
Web mail archive available at https://mail.trinitydesktop.org/mailman3/hyperkitty/list/users@xxxxxxxxxxxxxxxxxx