Sakaki's EFI Install Guide/Extending LUKS to Protect an Additional Drive
In this mini-guide, we'll show how to easily extend your LUKS protection to cover an additional drive (or drives) on your system. This is most useful with desktop machines, where you may have multiple hard drives installed.
If you simply wish to protect a removable drive (such as a USB key), it's easier to rely on the tools already in GNOME; you can use the Disks utility to format your drive with encryption (see this guide, for example), and then have it unlocked automatically (assuming you are logged in) on insertion (to do so, just opt to allow GNOME to remember your passphrase for the drive, when first prompted).
To carry this out, you will need:
- to have an operational systemd/EFI Gentoo system, which you have set up per the text of the main guide (you don't need to have installed GNOME, however); and
- a secondary drive (or partition) that you would like to protect with LUKS, and have automatically mounted on boot.
First, we'll need to ensure that systemd has the cryptsetup USE flag enabled (which it does not, by default); this turns on the unit generator for /etc/crypttab, which we'll need. Open a terminal, get root, then issue:
nano -w /etc/portage/package.use
and append the following line:
Save and exit nano; then, rebuild systemd:
emerge --ask --verbose --oneshot sys-apps/systemd
... additional output suppressed ... Would you like to merge these packages? [Yes/No] <press y, then press Enter> ... additional output suppressed ...
Preparing your New Drive
In the below, I'm going to assume you want to use same cryptography settings as those recommended for the main system, earlier in the tutorial (obviously, adapt as appropriate). I will refer to the drive as /dev/sdN; substitute your actual device path as appropriate (/dev/sdc, /dev/sdd etc.). Also, if you wish to encrypt only one partition within the drive, use the relevant value instead (e.g., /dev/sdc1, /dev/sdd1 etc.) You can use the
Disks utility in GNOME, or the lsblk command line utility, to find your device's path.
First, we will create a keyfile, and place this in the root user's home directory, within the (already LUKS-protected) root partition. Issue:
chmod 400 /root/crypt1.key
dd if=/dev/urandom of=/root/crypt1.key bs=512 count=1
to create the key, and make it (read) accessible by the root user only.
We do not gpg-encrypt this keyfile, as we need it to be unlocked automatically. The key 'lives' in a LUKS-protected location already, so this is safe to do.
Now, LUKS-format your new drive:
This will destroy any existing data on the drive! Make sure you have the device path correct before proceeding.
cryptsetup --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --key-file /root/crypt1.key luksFormat /dev/sdN
WARNING! ======== This will overwrite data on /dev/sdN irrevocably. Are you sure? (Type uppercase yes): <double-check this is OK, then type YES and press Enter>
Replace /dev/sdN in the above command (and where used subsequently) with that of your new drive, or, if appropriate, the partition within it (e.g., /dev/sdc, /dev/sdd etc. for a drive; /dev/sdc1, /dev/sdd1 etc. for a partition).
Next, open the encrypted device, using the keyfile:
cryptsetup luksOpen --key-file /root/crypt1.key /dev/sdN crypt1
If that succeeded, the new device will be visible under /dev/mapper (as /dev/mapper/crypt1).
Next, create a filesystem on your unlocked drive.
You can simply create an ext4 or similar filesystem if you like; however, to illustrate the most complex (normal) case, in this example we're going to create an LVM setup, with (arbitrarily) two logical volumes foo and bar on top of /dev/mapper/crypt1, each of 10GiB (and each of which will later be formatted ext4). Obviously, adapt the number of logical volumes, their sizes, and their names to your own requirements.
vgcreate cr1 /dev/mapper/crypt1
lvcreate --size 10G --name foo cr1
lvcreate --size 10G --name bar cr1
vgchange --activate y cr1
to create the physical volume (PV), volume group cr1 (VG) and the foo and bar logical volumes (LVs).
The LVs will be visible (in this case) as /dev/mapper/cr1-foo and /dev/mapper/cr1-bar. They may be treated as any other device - so let's do that now, and format them (adapt to your own requirements):
mkfs.ext4 -m 0 -L "test" /dev/mapper/cr1-foo
mkfs.ext4 -m 0 -L "test" /dev/mapper/cr1-bar
Close the drive again:
cryptsetup luksClose crypt1
Finally, find the UUID of the new LUKS disk (or partition); issue:
/dev/sdN: UUID="45f1f1af-025b-4395-8a33-7ef0a4709329" TYPE="crypto_LUKS"
Your output will differ from the above. Note down the UUID.
If you have your new LUKS set up on a partition, rather than a whole drive, ignore the PARTUUID, and note the UUID only.
Configuring /etc/crypttab and /etc/fstab
Next, we need to set up the file /etc/crypttab. This file is processed by systemd before /etc/fstab is read, and tells the system which cryptographically protected volumes it should unlock at boot.
For more information about the format of /etc/crypttab, see man crypttab.
nano -w /etc/crypttab
and add the following text to the file (subsituting the UUID you just noted down for the one I have used, obviously):
crypt1 UUID=45f1f1af-025b-4395-8a33-7ef0a4709329 /root/crypt1.key luks
Save and exit nano.
That's it for the encryption side of things; with this in place, systemd will automatically unlock the LUKS container, call it /dev/mapper/crypt1, and then activate any logical volumes within it, and make these available via the device mapper too. This will be done before /etc/fstab is processed, so you are now free to cite these LVs within your /etc/fstab.
For example, let's suppose we wanted to mount the foo LV at /mnt/foo, and bar at /home/bar (these are just examples, obviously, adapt to your own requirements).
We need to create mountpoints, as they don't exist yet, so issue:
mkdir -pv /mnt/foo /home/bar
Then add the entries to /etc/fstab to have them mounted. Issue:
nano -w /etc/fstab
and then append (for our example, adapt to your own requirements):
/dev/mapper/cr1-foo /mnt/foo ext4 defaults 0 2 /dev/mapper/cr1-bar /home/bar ext4 defaults 0 2
Save and exit nano.
For more information about the format of /etc/fstab, see man fstab.
That's it! Next time you reboot, you should have access to your new protected LVs!