{"id":997,"date":"2025-02-21T09:30:18","date_gmt":"2025-02-21T06:30:18","guid":{"rendered":"https:\/\/itgen.itbumper.com\/?page_id=997"},"modified":"2025-02-26T10:16:37","modified_gmt":"2025-02-26T07:16:37","slug":"0039_creating-a-luks-encrypted-disk-with-auto-mounting-key-file","status":"publish","type":"page","link":"https:\/\/itgen.itbumper.com\/?page_id=997","title":{"rendered":"0039_Creating a LUKS-encrypted disk with auto-mounting (key file)"},"content":{"rendered":"

Let’s say we added a 20G disk that needs to be encrypted and configured so that it is automatically mounted by the system using a key file. (it is assumed that the system is also located on an encrypted disk)
1. Check the list of disks (we are interested in the vda<\/strong> disk<\/em>): <\/p>\n\n

\nlsblk -e7\u00a0\n<\/pre><\/div>\n\n
\n
\"\"<\/figure><\/div>\n\n
2. When marking up the disk, the partition table should be marked up as GPT, and one primary partition, which occupies the entire disk, should be created.<\/div>\n
 <\/div>\n\n
\nsudo parted \/dev\/vda\nmklabel gpt\nmkpart primary 1 100%\n<\/pre><\/div>\n\n
\n
\"\"<\/figure><\/div>\n\n
3. Generate a 2048-bit key<\/p>\n\n
\nsudo dd\u00a0 if=\/dev\/urandom of=\/root\/secret.key bs=1024 count=2\n<\/pre><\/div>\n\n
4. Change the file’s read-only permissions to the owner:<\/p>\n\n
\nsudo chmod 0400 \/root\/secret.key\n<\/pre><\/div>\n\n
5. Create a LUKS partition using the created key:<\/p>\n
A warning about data destruction will appear. Enter YES in capital letters.<\/em><\/p>\n\n
\nsudo cryptsetup luksFormat \/dev\/vda1 \/root\/secret.key\n<\/pre><\/div>\n\n
\n
Important:<\/strong><\/p>\n
When third parties try to access your disk, they need to have a key <\/em>to decrypt the data on the disk. Don’t tell anyone the path to the key.<\/em><\/p>\n
\n
6. Before using a LUKS partition, you must display and format it correctly. To do this, first use the luksOpen option, which creates an I\/O device that allows you to interact with the partition:<\/p>\n\n
\nsudo cryptsetup luksOpen \/dev\/vda1 secret\u00a0 --key-file=\/root\/secret.key\n<\/pre><\/div>\n\n
The LUKS I\/O device is now available in \/dev\/mapper\/secret<\/strong><\/em>.<\/p>\n
7. Next, specify the size of the LUKS partition (the maximum size will be used without parameters<\/em>), or if it starts asking for a password, use this command<\/p>\n\n
\nsudo cryptsetup resize secret --key-file=\/root\/secret.key\n<\/pre><\/div>\n\n
8. Making the file system ext4 <\/p>\n\n
\nsudo mkfs.ext4 \/dev\/mapper\/secret\n<\/pre><\/div>\n\n
9. Check the status and key slots<\/p>\n\n
\nsudo cryptsetup -v status secret\nsudo cryptsetup luksDump \/dev\/vda1\n<\/pre><\/div>\n\n
10. Mounting the LUKS partition:<\/p>\n\n
\nsudo mkdir -p \/secret\nsudo chmod 755 \/secret\nsudo mount \/dev\/mapper\/secret \/secret\ndf -h\n<\/pre><\/div>\n\n
\n
\"\"<\/figure><\/div>\n\n
\n
Automatic mounting<\/strong><\/span><\/p>\n
1. First, find out the UUID for the encrypted partition:<\/p>\n\n
\nsudo ls -l \/dev\/disk\/by-uuid\nlsblk\n<\/pre><\/div>\n\n
\n
\"\"<\/figure><\/div>\n\n
2. Change your account to root<\/strong>
3. Export the variable (your value will be different):<\/p>\n\n
\nexport UUID="619b3901-94cd-4595-9a4c-ce3fdfad0e6f"\n<\/pre><\/div>\n\n
4. Add the key link to the \/etc\/crypttab<\/strong><\/em> file:<\/p>\n\n
\necho "secret UUID=${UUID} \/root\/secret.key luks" >> \/etc\/crypttab\n<\/pre><\/div>\n\n
5. Finally, create an entry in the \/etc\/fstab<\/strong><\/em> file for automatic mounting:<\/p>\n\n
\necho "\/dev\/mapper\/secret\/secret auto" >> \/etc\/fstab\n<\/pre><\/div>\n\n
6. Mount<\/p>\n\n
\nmount -a\n<\/pre><\/div>\n\n
7. Reboot and check<\/p>","protected":false},"excerpt":{"rendered":"
Let’s say we added a 20G disk that needs to be encrypted and configured so that it is automatically mounted by the system using a key file. (it is assumed that the system is also located on an encrypted disk)1. Check the list of disks (we are interested in the vda disk): 2. When marking … Continue reading “0039_Creating a LUKS-encrypted disk with auto-mounting (key file)”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"categories":[],"tags":[],"_links":{"self":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages\/997"}],"collection":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=997"}],"version-history":[{"count":8,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages\/997\/revisions"}],"predecessor-version":[{"id":1021,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages\/997\/revisions\/1021"}],"wp:attachment":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}