Sakaki's EFI Install Guide/Extending LUKS to Protect an Additional Drive

From Gentoo Wiki
Jump to: navigation, search


In this mini-guide, we'll show how to easily extend your LUKS protection to cover an additional drive (or drives) on your system. This is most useful with desktop machines, where you may have multiple hard drives installed.

Note
If you simply wish to protect a removable drive (such as a USB key), it's easier to rely on the tools already in GNOME; you can use the Disks utility to format your drive with encryption (see this guide, for example), and then have it unlocked automatically (assuming you are logged in) on insertion (to do so, just opt to allow GNOME to remember your passphrase for the drive, when first prompted).

Prerequisites

To carry this out, you will need:

  • to have an operational systemd/EFI Gentoo system, which you have set up per the text of the main guide (you don't need to have installed GNOME, however); and
  • a secondary drive (or partition) that you would like to protect with LUKS, and have automatically mounted on boot.

Preparing systemd

First, we'll need to ensure that systemd has the cryptsetup USE flag enabled (which it does not, by default); this turns on the unit generator for /etc/crypttab, which we'll need. Open a terminal, get root, then issue:

root #nano -w /etc/portage/package.use

and append the following line:

FILE /etc/portage/package.useAppend this line to enable the crypttab unit generator
sys-apps/systemd  cryptsetup

Save and exit nano; then, rebuild systemd:

root #emerge --ask --verbose --oneshot sys-apps/systemd
... additional output suppressed ...
Would you like to merge these packages? [Yes/No] <press y, then press Enter>
... additional output suppressed ...

Preparing your New Drive

In the below, I'm going to assume you want to use same cryptography settings as those recommended for the main system, earlier in the tutorial (obviously, adapt as appropriate). I will refer to the drive as /dev/sdN; substitute your actual device path as appropriate (/dev/sdc, /dev/sdd etc.). Also, if you wish to encrypt only one partition within the drive, use the relevant value instead (e.g., /dev/sdc1, /dev/sdd1 etc.) You can use the Disks utility in GNOME, or the lsblk command line utility, to find your device's path.

First, we will create a keyfile, and place this in the root user's home directory, within the (already LUKS-protected) root partition. Issue:

root #touch /root/crypt1.key
root #chmod 400 /root/crypt1.key
root #dd if=/dev/urandom of=/root/crypt1.key bs=512 count=1

to create the key, and make it (read) accessible by the root user only.

Note
We do not gpg-encrypt this keyfile, as we need it to be unlocked automatically. The key 'lives' in a LUKS-protected location already, so this is safe to do.

Now, LUKS-format your new drive:

Warning
This will destroy any existing data on the drive! Make sure you have the device path correct before proceeding.
root #cryptsetup --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --key-file /root/crypt1.key luksFormat /dev/sdN

WARNING!
========
This will overwrite data on /dev/sdN irrevocably.

Are you sure? (Type uppercase yes): <double-check this is OK, then type YES and press Enter>
Note
Replace /dev/sdN in the above command (and where used subsequently) with that of your new drive, or, if appropriate, the partition within it (e.g., /dev/sdc, /dev/sdd etc. for a drive; /dev/sdc1, /dev/sdd1 etc. for a partition).

Next, open the encrypted device, using the keyfile:

root #cryptsetup luksOpen --key-file /root/crypt1.key /dev/sdN crypt1

If that succeeded, the new device will be visible under /dev/mapper (as /dev/mapper/crypt1).

Next, create a filesystem on your unlocked drive.

Note
You can simply create an ext4 or similar filesystem if you like; however, to illustrate the most complex (normal) case, in this example we're going to create an LVM setup, with (arbitrarily) two logical volumes foo and bar on top of /dev/mapper/crypt1, each of 10GiB (and each of which will later be formatted ext4). Obviously, adapt the number of logical volumes, their sizes, and their names to your own requirements.

Issue:

root #pvcreate /dev/mapper/crypt1
root #vgcreate cr1 /dev/mapper/crypt1
root #lvcreate --size 10G --name foo cr1
root #lvcreate --size 10G --name bar cr1
root #vgchange --activate y cr1

to create the physical volume (PV), volume group cr1 (VG) and the foo and bar logical volumes (LVs).

The LVs will be visible (in this case) as /dev/mapper/cr1-foo and /dev/mapper/cr1-bar. They may be treated as any other device - so let's do that now, and format them (adapt to your own requirements):

root #mkfs.ext4 -m 0 -L "test" /dev/mapper/cr1-foo
root #mkfs.ext4 -m 0 -L "test" /dev/mapper/cr1-bar

Close the drive again:

root #cryptsetup luksClose crypt1

Finally, find the UUID of the new LUKS disk (or partition); issue:

root #blkid /dev/sdN
/dev/sdN: UUID="45f1f1af-025b-4395-8a33-7ef0a4709329" TYPE="crypto_LUKS"

Your output will differ from the above. Note down the UUID.

Note
If you have your new LUKS set up on a partition, rather than a whole drive, ignore the PARTUUID, and note the UUID only.

Configuring /etc/crypttab and /etc/fstab

Next, we need to set up the file /etc/crypttab. This file is processed by systemd before /etc/fstab is read, and tells the system which cryptographically protected volumes it should unlock at boot.

Note
For more information about the format of /etc/crypttab, see man crypttab.

Issue:

root #nano -w /etc/crypttab

and add the following text to the file (subsituting the UUID you just noted down for the one I have used, obviously):

FILE /etc/crypttabSpecifying a LUKS volume to automatically unlock at boot
crypt1  UUID=45f1f1af-025b-4395-8a33-7ef0a4709329  /root/crypt1.key  luks

Save and exit nano.

That's it for the encryption side of things; with this in place, systemd will automatically unlock the LUKS container, call it /dev/mapper/crypt1, and then activate any logical volumes within it, and make these available via the device mapper too. This will be done before /etc/fstab is processed, so you are now free to cite these LVs within your /etc/fstab.

For example, let's suppose we wanted to mount the foo LV at /mnt/foo, and bar at /home/bar (these are just examples, obviously, adapt to your own requirements).

We need to create mountpoints, as they don't exist yet, so issue:

root #mkdir -pv /mnt/foo /home/bar

Then add the entries to /etc/fstab to have them mounted. Issue:

root #nano -w /etc/fstab

and then append (for our example, adapt to your own requirements):

FILE /etc/fstabAppend, to specify mountpoints for our newly created LVs
/dev/mapper/cr1-foo    /mnt/foo    ext4    defaults    0 2
/dev/mapper/cr1-bar    /home/bar   ext4    defaults    0 2

Save and exit nano.

Note
For more information about the format of /etc/fstab, see man fstab.

That's it! Next time you reboot, you should have access to your new protected LVs!

To rejoin the main guide, click here (systemd) or here (OpenRC).