Automatic mounting of encrypted LUKS file

[Virtual servers]
Date of publication: 20.01.2024

In the article Creating an encrypted disk on VDS Linux we described how to create an encrypted file and mount it as a disk. In that example, the container is opened by entering a password each time, and it is closed again after working with the files. This way of working gives a high level of security for the data.

The downside is that the password entered each time can be intercepted if everything typed on the PC from which it is entered is being recorded (for example, by an installed keylogger).

In this example we show how to open the encrypted file and mount the disk automatically every time the server boots, using a key file.

1. Create a key file

dd if=/dev/urandom of=/root/random_data_keyfile1 bs=1024 count=4

1.1 Make the key file readable only by root

chmod 0400 /root/random_data_keyfile1

1.2 Add the key file to our encrypted container

cryptsetup luksAddKey /root/crypt-drive /root/random_data_keyfile1

Enter any existing passphrase:

2. Add the configuration for automatic opening at boot

2.1 File /etc/crypttab

# <target name> <source device> <key file> <options>
crypto-my /root/crypt-drive /root/random_data_keyfile1 luks,discard

If you delete the key file and reboot the server, you will be prompted at the boot stage for the password of the encrypted file, and at this stage the server is not reachable over the network. After the correct password is entered, the server continues booting, including the network services.

2.1.1 To make sure the server continues to boot when the key file is missing, add the timeout option

# <target name> <source device> <key file> <options>
crypto-my /root/crypt-drive /root/random_data_keyfile1 luks,discard,timeout=30

Now, if the key file is missing, the password prompt waits 30 seconds, after which the server continues booting and becomes accessible over the network.

2.2 File /etc/fstab

...
/dev/mapper/crypto-my /mnt/crypt-volume ext4 defaults 0 0
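As an added example (not part of the original article), the shell functions below reproduce the procedure above as reviewable pieces: key file creation under a restrictive umask, an ownership and permission check on the key file, and generation of the crypttab and fstab lines. The function names and the umask step are assumptions of this example; the paths, names and options are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: generate the key file with a
# safe umask, verify it is locked down, and build the crypttab/fstab entries
# from the article's parameters before the server relies on them at boot.

# Create a 4 KiB random key file; umask 077 means it is never readable by
# others, even in the moment between dd finishing and chmod running.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=1024 count=4 2>/dev/null ) || return 1
    chmod 0400 "$1"
}

# Return 0 only if the key file is a regular file, owned by the expected
# user (root by default) and has mode 0400, so nobody else can read it.
# Uses GNU stat, as found on the Linux servers the article targets.
keyfile_is_locked_down() {
    _want_owner="${2:-root}"
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U' "$1")" = "$_want_owner" ] || return 1
    [ "$(stat -c '%a' "$1")" = "400" ]
}

# crypttab entry: <target name> <source device> <key file> <options>.
# timeout=<seconds> stops a missing key file from blocking boot forever.
crypttab_line() {
    printf '%s %s %s luks,discard,timeout=%s\n' "$1" "$2" "$3" "$4"
}

# Matching fstab entry for the mapped device; options default to the
# article's "defaults" but can be overridden (for example "defaults,nofail").
fstab_line() {
    printf '/dev/mapper/%s %s ext4 %s 0 0\n' "$1" "$2" "${3:-defaults}"
}

# Dry run with the article's names: print both entries for review.
show_config() {
    crypttab_line crypto-my /root/crypt-drive /root/random_data_keyfile1 30
    fstab_line crypto-my /mnt/crypt-volume
}

show_config
```

One caveat the timeout alone does not cover: with a plain "defaults" fstab entry, systemd treats a missing /dev/mapper/crypto-my as a failed required mount and may drop into emergency mode rather than continue booting, so "defaults,nofail" is worth considering together with the crypttab timeout.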

Done; you can now reboot the server and check.

df -h

Filesystem Size Used Avail Use% Mounted on
udev 962M 0 962M 0% /dev
tmpfs 197M 504K 197M 1% /run
/dev/sda1 62G 2.7G 56G 5% /
tmpfs 984M 0 984M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
/dev/mapper/crypto-my 974M 72K 908M 1% /mnt/crypt-volume
tmpfs 197M 0 197M 0% /run/user/0

This method has its own downside: anyone with physical access to the server can reset the root password, and since the key file is stored on the server itself, they can then read the data on the encrypted volume.
