Mittwoch, 27. März 2013

=== Encrypt and automaticly mount external harddrive with debian ===

In my last blogpost i showed you how you can acutal get your usb devices to be encrypted.

Now let's suppose you have a lot of devices that needs to be encrypted as well as automaticly mounted on boot up.

One Word before we begin. This does only make sense if you fully encrypt your root filesystem. Since we will deploy the keys in here needed to automaticaly mount and decrypt these. If this filesystem is encrypted nobody should be able to access those keys when the disk with main root filesystem isn't mounted.

For this i assume you have a partition /dev/sdb1 on your device which already is encrypted.

(1) First let's figure out the uuid of the harddisk we want to decrypt. Note that we are using the UUID of the partition that was encrypted here not the one where the device gets mapped to.

blkid /dev/sdb1 
>> /dev/sdb1: UUID="056bb8d6-cdf6-4081-23d9-cdef8bf7c18b" TYPE="crypto_LUKS" 

(2) Now as root user we are editing the file /etc/crypttab 

#devicealias #uuid #key  #encrption method
crypt
_sdb1 UUID=<from blkid> /etc/cryptkeys/crypt_sdb1.key luks

(3) Next edit the /etc/fstab accordingly
/dev/mapper/crypt_sdb1    /mnt/Backup    ext4 auto,defaults   0   0

Great we have created the entries in both files. All we need todo is to create the keys. I suggest that you are put keys in /etc/cryyptkeys as i configured the /etc/crypttab but you could of course put them anywhere you like. However if you do this you need to change the entry in the /etc/crypttab file. So create the directory in /etc and make it readable and accessable to group and user root only.

(4) The following command will create a key
dd if=/dev/urandom of=/etc/cryptkeys/crypt_sdb1.key bs=4k count=1
chmod 400 /etc/cryptkeys/*

(5) As the final step add the key to luks. When asked for a password you must enter your current used password you were using when you were encrypting this partition in the first place
cryptsetup luksAddKey /dev/sdb1 /etc/cryptkeys/crypt_sdb1.key