Working with LUKS (encryption to you and me)


As a die hard Fedora user, I go through a regular cycle of downloading a new release, upgrading my desktop machine (by trashing what is there, as opposed to an in place upgrade) and then trying to remember how I re-enable the encrypted volumes I have for my data.

My setup is a little convoluted by making use of;

  • 2x 128GB SSD SATA for /home (RAID 1 using software RAID)
  • 2x 1TB 15k SATA for /data (again RAID 1)
  • The RAID arrays both have LVM on top
  • And then the ext4 filesystem which has been encrypted using LUKS

It generally follows the steps detailed below;

  1. Switch to root (yes I know I should do everything via sudo)

    $ sudo su -

  2. Confirm that there are some md devices in /dev

    # ls /dev/md*

  3. Review what is returned;

    /dev/md126

  4. Confirm the status of the RAID Arrays;

    # mdadm --misc --detail /dev/md12[6-7]

  5. Now I will confirm that the logical volumes exist (generally Fedora has picked these up without issue)

    lv_data vg_data -wi-ao----   1.00t
    lv_home vg_home -wi-ao---- 111.73g

  6. Next I will attempt to open the encrypted volume;

    # cryptsetup luksOpen /dev/mapper/vg_home-lv_home home

  7. And then to mount the volume;

    # mount /dev/mapper/home /home2

  8. Now I will make sure everything looks good in /home2
  9. At this point I need to set things so that I am prompted for the passphrase during startup.
  10. Obtain the UUID of the LUKS encrypted volume;

    # cryptsetup luksUUID /dev/mapper/vg_home-lv_home

  11. Edit the /etc/crypttab file to include this new volume at system startup

    home        UUID=bd202e53-de79-4a42-2a5f-2df4a7d40c76

  12. Now we need to edit the /etc/fstab file to include the unencrypted device and mount point;

    /dev/mapper/home          /home2       ext4     defaults      1 2

  13. At this point we should in theory be able to reboot and find the volume is magically mounted.
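The same sequence (steps 6 to 12 above) wrapped in a small POSIX shell script, added here as an example rather than taken from the post. The LV path, the mapper name home and the mount point /home2 are the ones used above; the LUKS_APPLY switch, the UUID check and the idempotent append are this example's own additions. The point of scripting it is that the crypttab and fstab lines are generated from what cryptsetup actually reports, so a mistyped UUID or a duplicated entry (either of which leaves you at a rescue prompt on the next boot) cannot creep in.

```shell
#!/bin/sh
# Added example, not from the original post: opens the LUKS container on the
# LVM volume, mounts it, and registers it in /etc/crypttab and /etc/fstab.
# Nothing privileged runs unless LUKS_APPLY=1 is set (this example's own switch).
set -eu

LV_DEV="/dev/mapper/vg_home-lv_home"   # LVM logical volume holding the LUKS container (from the post)
MAP_NAME="home"                         # name that appears under /dev/mapper after luksOpen
MOUNT_POINT="/home2"                    # mount point used in the post

# Build the /etc/crypttab line: <mapper name>  UUID=<luks uuid>
crypttab_line() {
    printf '%s\tUUID=%s\n' "$1" "$2"
}

# Build the /etc/fstab line for the opened mapper device (ext4, dump 1, fsck pass 2)
fstab_line() {
    printf '/dev/mapper/%s\t%s\text4\tdefaults\t1 2\n' "$1" "$2"
}

# Accept only a canonical lower-case 8-4-4-4-12 hex UUID, so a typo never reaches crypttab
valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Append a line to a config file only if an identical line is not already present
append_once() {
    file="$1"; line="$2"
    grep -Fqx "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

if [ "${LUKS_APPLY:-0}" = "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    # Refuse to continue if the LV does not carry a LUKS header at all
    cryptsetup isLuks "$LV_DEV"
    uuid=$(cryptsetup luksUUID "$LV_DEV")
    valid_uuid "$uuid" || { echo "unexpected UUID from cryptsetup: $uuid" >&2; exit 1; }
    # Steps 6 and 7: open the container and mount the cleartext device
    cryptsetup luksOpen "$LV_DEV" "$MAP_NAME"
    mkdir -p "$MOUNT_POINT"
    mount "/dev/mapper/$MAP_NAME" "$MOUNT_POINT"
    # Steps 10 to 12: register the volume for the passphrase prompt at boot
    append_once /etc/crypttab "$(crypttab_line "$MAP_NAME" "$uuid")"
    append_once /etc/fstab "$(fstab_line "$MAP_NAME" "$MOUNT_POINT")"
fi
```

Run it as root with LUKS_APPLY=1 to apply; without the variable it only defines the helpers, which is handy for checking the generated lines before touching the real files.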
