LUKS automount encrypted disk on Linux

Sometimes it is useful to automatically mount a LUKS encrypted disk. In this post I’m going to describe how to do this safely.

  • My workstation, a Lenovo Thinkpad W510, has a drive bay where you can put either a hdd or an optical drive. I usually have a hdd in there but sometimes I need the optical drive. So I don’t want to put the disk into /etc/fstab or /etc/crypttab as a fixed entry. But I also don’t want to mount it manually every time.
  • On my homeserver I use a SATA hotswap disk to make backups. I have two of those hdds, swap them weekly and always keep one of them at my workplace. These backup disks are encrypted of course. When changing the disk I always have to ssh onto the server, find the disk, decrypt it and mount it. It would be great if I just had to plug it in.
  • The same ideas also apply to external data or backup disks.

Assumptions

/dev/sdb1 is the only partition on the disk /dev/sdb and is encrypted with LUKS. The device /dev/sdb can be an internal disk, a hotswap disk or any external disk.
In the following I further assume you will use the disk /dev/sdb1 for backups and therefore want to decrypt it as /dev/mapper/backup-crypt and mount it under /mnt/backup.

Add a key to the encrypted disk

To automatically decrypt the volume you have to provide a keyfile instead of a passphrase. Adding the keyfile only occupies another key slot, so your passphrase(s) keep working until you remove them from the LUKS header.
Create a directory to store the keys and put a random key in it. Keep in mind what this key means: anyone who can read the file can decrypt the disk, so auto-decryption protects the disk while it is away from this machine (in transit, at the workplace), not the machine itself. Restrict the file to its owner (mode 0600) and keep it somewhere root can read it at the moment the disk is plugged in; an encrypted home directory is a good place only if it is already mounted by then, which it is not at boot or before you log in.

mkdir ~/.luksKeyfiles
cd ~/.luksKeyfiles
dd if=/dev/urandom of=backup-hdd bs=256 count=1

Now add the key to the luks header. You will have to provide a valid passphrase for the device.

sudo cryptsetup luksAddKey /dev/sdb1 ~/.luksKeyfiles/backup-hdd

Setup mount point

Create the mountpoint /mnt/backup

sudo mkdir /mnt/backup

and add an entry to /etc/fstab. The noauto option is important: /dev/mapper/backup-crypt only exists after the udev rule has opened the container, so without noauto the boot would try to mount a device that is not there. The user and users options let an unprivileged user unmount the disk and imply nodev, nosuid and noexec, which is fine for a backup disk.

/dev/mapper/backup-crypt /mnt/backup		ext4	defaults,noauto,user,users	0	0

Setup udev rule for the automagic mounting

First find out the serial number of the disk. The udev rule matches on it, so plugging in this particular disk (and no other) triggers the decryption and mounting.

sudo udevadm info -q all -n /dev/sdb1 | grep ID_SERIAL

This will output something like

E: ID_SERIAL=SAMSUNG_HM320JI_S16LJD0S475345
E: ID_SERIAL_SHORT=S16LJD0S475345

depending on manufacturer and model of your disk.
Then create a udev rule file /etc/udev/rules.d/85_backup_hdd.rules. Rule 1 decrypts the disk with the keyfile as soon as the partition appears, rule 2 mounts the filesystem once the mapper device exists. A udev rule has to be one logical line, so the line breaks below are joined with a trailing backslash. Note that the keyfile path is read by udevd, i.e. as root, at plug-in time; if /home/dummy is an encrypted home directory that is not mounted yet, rule 1 fails.

##################################################################################
# rule 1: decrypt the disk once it gets plugged in
##################################################################################
 
# matches partitions (there is precisely one) of block devices with the serial
# number of my external data hard disk
 
ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_SERIAL_SHORT}=="S16LJD0S475345", \
RUN+="/sbin/cryptsetup --key-file /home/dummy/.luksKeyfiles/backup-hdd luksOpen $env{DEVNAME} backup-crypt"
 
##################################################################################
# rule 2: as soon as the crypt container is opened, mount the filesystem inside it
##################################################################################
 
# we (also) match on change because the device name is known only after some time
ACTION=="add|change", SUBSYSTEM=="block", ENV{DM_NAME}=="backup-crypt", \
RUN+="/bin/mount /dev/mapper/$env{DM_NAME}"
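On systems with systemd-udevd the two RUN+= rules above have a weak spot: RUN+= is meant for short foreground commands, and because systemd-udevd runs in a private mount namespace a mount performed from RUN+= is not visible to the rest of the system. The supported way is to let the rule pull in a systemd service (TAG+="systemd", ENV{SYSTEMD_WANTS}) and do the work there; a service also has an ExecStop, so unplugging the disk or stopping the unit performs the same umount and luksClose that the manual steps later in this post do by hand. The script below is an added example, not code from the original post. The rule and unit in its header comment, the script path /usr/local/sbin/backup-crypt.sh, the keyfile location /root/.luksKeyfiles/backup-hdd and the unit name backup-crypt@.service are assumptions. Beyond what the rules above do, it refuses a keyfile that is not a private, non-empty regular file owned by the user it runs as (root under the service), and it checks that the partition really carries a LUKS header before opening it, since a serial number match alone does not guarantee that.

```shell
#!/bin/sh
# backup-crypt.sh: open a LUKS backup disk with a keyfile and mount it
# ("start"), or unmount it and close the mapping ("stop").
#
# Added example, not from the original post; paths and unit names are
# assumptions. It is meant to be run by a systemd service that a udev
# rule pulls in instead of RUN+=, for example:
#
#   /etc/udev/rules.d/85-backup-hdd.rules (assumed name)
#     ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", \
#       ENV{ID_SERIAL_SHORT}=="S16LJD0S475345", \
#       TAG+="systemd", ENV{SYSTEMD_WANTS}+="backup-crypt@%k.service"
#
#   /etc/systemd/system/backup-crypt@.service (assumed name)
#     [Unit]
#     Description=Open and mount the LUKS backup disk on /dev/%i
#     BindsTo=dev-%i.device
#     After=dev-%i.device
#     [Service]
#     Type=oneshot
#     RemainAfterExit=yes
#     ExecStart=/usr/local/sbin/backup-crypt.sh start /dev/%i
#     ExecStop=/usr/local/sbin/backup-crypt.sh stop
#
# BindsTo= stops the service, and therefore runs "stop", when the disk
# is unplugged.
set -eu

KEYFILE="${KEYFILE:-/root/.luksKeyfiles/backup-hdd}"   # assumed location
MAPPER_NAME="${MAPPER_NAME:-backup-crypt}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/backup}"

# keyfile_is_private FILE: succeed only if FILE is a regular file (not a
# symlink), owned by the uid running this script, mode exactly 0600 and
# not empty. Anyone who can read the keyfile can decrypt the disk, so a
# group- or world-readable key is refused rather than used.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -type f -user "$(id -u)" -perm 0600 -size +0c -print)" ]
}

start() {
    dev="$1"
    if ! keyfile_is_private "$KEYFILE"; then
        echo "refusing to use $KEYFILE: must be a non-empty 0600 file owned by uid $(id -u)" >&2
        exit 1
    fi
    # Only touch partitions that carry a LUKS header, even though the
    # serial number matched: the rule cannot tell a reformatted disk from ours.
    if ! cryptsetup isLuks "$dev"; then
        echo "$dev is not a LUKS device" >&2
        exit 1
    fi
    if [ ! -e "/dev/mapper/$MAPPER_NAME" ]; then
        cryptsetup open --key-file "$KEYFILE" "$dev" "$MAPPER_NAME"
    fi
    mkdir -p "$MOUNTPOINT"
    if ! mountpoint -q "$MOUNTPOINT"; then
        # The same restrictions the "user" fstab option implies; a backup
        # disk needs none of device nodes, setuid binaries or executables.
        mount -o nodev,nosuid,noexec "/dev/mapper/$MAPPER_NAME" "$MOUNTPOINT"
    fi
}

stop() {
    if mountpoint -q "$MOUNTPOINT"; then
        umount "$MOUNTPOINT"
    fi
    if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
        cryptsetup close "$MAPPER_NAME"
    fi
}

case "${1:-}" in
    start) start "${2:?usage: $0 start /dev/sdXN}" ;;
    stop)  stop ;;
    "")    ;;   # no arguments: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 start /dev/sdXN | stop" >&2; exit 2 ;;
esac
```

Install the script as root with mode 0755, run `systemctl daemon-reload` after creating the unit, and check with `journalctl -u 'backup-crypt@*'` whether the service ran when the disk was plugged in. Because the service does the mount in the host namespace, this variant does not need the fstab entry, and `systemctl stop backup-crypt@sdb1.service` is the one-step unmount.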

Test the rule

First do a dry run:

sudo udevadm test /sys/block/sdb/sdb1

Check that the rule fires and look for syntax errors. udevadm test prints the RUN commands it would execute but does not run them, so this checks the matching, not the decryption itself.

Now plug in the disk and it should auto mount the luks partition!
Recent udevd versions pick up changed rule files automatically; if yours does not, reload them with

sudo udevadm control --reload-rules

Now automounting should work. However there still are some things to improve:

Hide the disk from nautilus sidebar

Even when it is mounted at /mnt/backup, the disk shows up in the nautilus sidebar as an unmounted disk. To hide it, add the following to the first rule in /etc/udev/rules.d/85_backup_hdd.rules:

ENV{UDISKS_IGNORE}="1"

or, better, create a separate rule file for hiding disks, e.g. /etc/udev/rules.d/99_hide_disks.rules, and add

ENV{ID_SERIAL_SHORT}=="S16LJD0S475345", ENV{UDISKS_IGNORE}="1"

Restart nautilus for the rule to take effect.

Unmount

To unmount the disk you have to undo both steps, the mount and the luksOpen:

sudo umount /mnt/backup
sudo cryptsetup luksClose backup-crypt

Michael Stapelberg has written a nice wrapper for umount which does both in one step. Download the file, place it in ~/.local/bin and make it executable; ~/.local/bin has to come before /bin in your PATH for the wrapper to be picked up. If you now issue

umount /mnt/backup

the wrapper will do both, the umount and the luksClose.
