Working with LUKS (encryption to you and me)

As a die-hard Fedora user, I go through a regular cycle of downloading a new release, upgrading my desktop machine (by trashing what is there, as opposed to an in-place upgrade) and then trying to remember how I re-enable the encrypted volumes I have for my data.

My setup is a little convoluted, making use of:

  • 2x 128GB SSD SATA for /home (RAID 1 using software RAID)
  • 2x 1TB 15k SATA for /data (again RAID 1)
  • The RAID arrays both have LVM on top
  • And then the ext4 filesystem which has been encrypted using LUKS

It generally follows the steps detailed below:

  1. Switch to root (yes, I know I should do everything via sudo)

    [bash]$ sudo su -[/bash]

  2. Confirm that there are some md devices in /dev

    [bash]# ls /dev/md*[/bash]

  3. Review what is returned:

    [bash]/dev/md126
    /dev/md127[/bash]

  4. Confirm the status of the RAID arrays:

    [bash]mdadm --misc --detail /dev/md12[6-7][/bash]

  5. Now I will confirm that the logical volumes exist; this is the output of lvs (generally Fedora has picked these up without issue):

    [bash]lv_data vg_data -wi-ao----   1.00t
    lv_home vg_home -wi-ao---- 111.73g[/bash]

  6. Next I will attempt to open the encrypted volume:

    [bash]# cryptsetup luksOpen /dev/mapper/vg_home-lv_home home[/bash]

  7. And then mount the volume:

    [bash]# mount /dev/mapper/home /home2[/bash]

  8. Now I will make sure everything looks good in /home2.
  9. At this point I need to set things up so that I am prompted for the passphrase during startup.
  10. Obtain the UUID of the LUKS encrypted volume:

    [bash]# cryptsetup luksUUID /dev/mapper/vg_home-lv_home
    bd202e53-de79-4a42-2a5f-2df4a7d40c76[/bash]

  11. Edit the /etc/crypttab file to include this new volume at system startup:

    [bash]home        UUID=bd202e53-de79-4a42-2a5f-2df4a7d40c76[/bash]

  12. Now we need to edit the /etc/fstab file to include the unencrypted (opened) device and its mount point:

    [bash]/dev/mapper/home          /home2       ext4     defaults      1 2[/bash]

  13. At this point we should in theory be able to reboot and find the volume is magically mounted.
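As an added example (not from the original post), here is a helper script that rolls steps 4 to 12 into a single run with the checks I want before touching anything: it confirms the device really carries a LUKS header before opening it, appends to /etc/crypttab and /etc/fstab only if no entry already exists (so re-running after the next reinstall does not duplicate lines), and parses fstab straight away rather than discovering a typo at boot. The RAID devices, volume group, mapper name and mount point are assumptions taken from the post's own example; the `none` third field in crypttab is the convention for prompting for the passphrase at boot.

```bash
#!/usr/bin/env bash
# Hypothetical helper (not from the original post): re-enable the LUKS volume
# that sits on LVM on software RAID after a fresh Fedora install.
set -eu

# /etc/crypttab entry: mapper name, UUID, "none" = prompt for passphrase at boot.
crypttab_line() {
    printf '%s\tUUID=%s\tnone' "$1" "$2"
}

# /etc/fstab entry for the opened (plaintext) mapper device.
fstab_line() {
    printf '/dev/mapper/%s\t%s\text4\tdefaults\t1 2' "$1" "$2"
}

# Append a line only if no entry with the same first field exists, so running
# this after every reinstall does not leave duplicate crypttab/fstab entries.
append_once() {
    file=$1; line=$2
    key=${line%%[[:space:]]*}
    if grep -qE "^${key}[[:space:]]" "$file" 2>/dev/null; then
        return 1    # already present; caller reports it
    fi
    printf '%s\n' "$line" >> "$file"
}

# Checks before touching anything: RAID state, LV present, device really is LUKS.
preflight() {
    mdadm --misc --detail /dev/md126 /dev/md127 | grep -E 'State :|Active Devices'
    lvs --noheadings -o lv_name,vg_name,lv_size "$1/$2"
    cryptsetup isLuks "/dev/mapper/$1-$2"   # non-zero exit if no LUKS header
}

main() {
    vg=vg_home; lv=lv_home; name=home; mnt=/home2      # values from the post
    dev=/dev/mapper/$vg-$lv
    preflight "$vg" "$lv"
    cryptsetup luksOpen "$dev" "$name"
    mkdir -p "$mnt" && mount "/dev/mapper/$name" "$mnt"
    uuid=$(cryptsetup luksUUID "$dev")
    append_once /etc/crypttab "$(crypttab_line "$name" "$uuid")" \
        || echo "crypttab: entry for $name already present"
    append_once /etc/fstab "$(fstab_line "$name" "$mnt")" \
        || echo "fstab: entry for /dev/mapper/$name already present"
    findmnt --verify    # parse /etc/fstab now rather than finding a typo at boot
}

# Only act when asked explicitly; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root with `--run`; without the flag it only defines the functions, which is handy for testing the line builders against a scratch file first.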
