Working with LUKS (encryption to you and me)

As a die-hard Fedora user, I go through a regular cycle of downloading a new release, upgrading my desktop machine (by trashing what is there, as opposed to an in-place upgrade) and then trying to remember how I re-enable the encrypted volumes I have for my data.

My setup is a little convoluted, as it makes use of;

  • 2x 128GB SSD SATA for /home (RAID 1 using software RAID)
  • 2x 1TB 15k SATA for /data (again RAID 1)
  • The RAID arrays both have LVM on top
  • And then the ext4 filesystem, which has been encrypted using LUKS

It generally follows the steps detailed below;

  1. Switch to root (yes, I know I should do everything via sudo)
    $ sudo su -
  2. Confirm that there are some md devices in /dev
    # ls /dev/md*
  3. Review what is returned;
    /dev/md126
    /dev/md127
  4. Confirm the status of the RAID Arrays;
    # mdadm --misc --detail /dev/md12[6-7]
  5. Now I will confirm that the logical volumes exist (generally Fedora has picked these up without issue)
    lv_data vg_data -wi-ao----   1.00t
    lv_home vg_home -wi-ao---- 111.73g
  6. Next I will attempt to open the encrypted volume;
    # cryptsetup luksOpen /dev/mapper/vg_home-lv_home home
  7. And then to mount the volume;
    # mount /dev/mapper/home /home2
  8. Now I will make sure everything looks good in /home2
  9. At this point I need to set things so that I am prompted for the passphrase during startup.
  10. Obtain the UUID of the LUKS encrypted volume;
    # cryptsetup luksUUID /dev/mapper/vg_home-lv_home
    bd202e53-de79-4a42-2a5f-2df4a7d40c76
  11. Edit the /etc/crypttab file to include this new volume at system startup
    home        UUID=bd202e53-de79-4a42-2a5f-2df4a7d40c76
  12. Now we need to edit the /etc/fstab file to include the unencrypted device and mount point;
    /dev/mapper/home          /home2       ext4     defaults      1 2
  13. At this point we should in theory be able to reboot and find the volume is magically mounted.
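
Before rebooting, it is worth confirming that the two files agree, because a mismatch between /etc/crypttab and /etc/fstab only shows up at the next boot. The script below is an added example, not part of the original post: the function name `check_crypt_entry` is hypothetical, and the sample files it runs against are constructed from the entries in steps 11 and 12.

```shell
#!/bin/sh
# Added example (not from the original post): pre-reboot check that the
# crypttab and fstab entries for one LUKS mapping agree with each other.
# Usage: check_crypt_entry NAME LUKS_UUID [CRYPTTAB] [FSTAB]
# On the real system, as root:
#   check_crypt_entry home "$(cryptsetup luksUUID /dev/mapper/vg_home-lv_home)"
check_crypt_entry() {
    name=$1; want_uuid=$2
    crypttab=${3:-/etc/crypttab}; fstab=${4:-/etc/fstab}

    # crypttab fields: mapping name, device, then optional key file and options.
    dev=$(awk -v n="$name" '$1 == n { print $2; exit }' "$crypttab")
    if [ -z "$dev" ]; then
        echo "no crypttab entry named $name"; return 1
    fi
    case $dev in
        UUID=*) have_uuid=${dev#UUID=} ;;
        *) echo "crypttab entry $name uses $dev, cannot compare UUIDs"; return 1 ;;
    esac
    if [ "$have_uuid" != "$want_uuid" ]; then
        echo "crypttab UUID $have_uuid differs from LUKS UUID $want_uuid"; return 1
    fi

    # fstab must mount the opened mapping, never the underlying logical volume.
    mnt=$(awk -v d="/dev/mapper/$name" '$1 == d { print $2; exit }' "$fstab")
    if [ -z "$mnt" ]; then
        echo "fstab has no line for /dev/mapper/$name"; return 1
    fi
    echo "ok: $name (UUID $have_uuid) mounts on $mnt"
}

# Constructed sample files mirroring the entries in steps 11 and 12.
demo_dir=$(mktemp -d)
printf 'home        UUID=bd202e53-de79-4a42-2a5f-2df4a7d40c76\n' > "$demo_dir/crypttab"
printf '/dev/mapper/home          /home2       ext4     defaults      1 2\n' > "$demo_dir/fstab"
check_crypt_entry home bd202e53-de79-4a42-2a5f-2df4a7d40c76 \
    "$demo_dir/crypttab" "$demo_dir/fstab"
rm -rf "$demo_dir"
```

A non-zero exit status means the entry named in the message should be fixed before the reboot in step 13.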
