3 LUKS Encrypted Partitions

Generic /home encrypted partition

luks_home.sh

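# /dev/sda2 -> /home
# installed packages: cryptsetup keyutils
# loaded modules: dm_crypt
#
# Migrates an existing plaintext /home on /dev/sda2 into a LUKS container on
# the same partition. Run as root, from a shell whose cwd is not under /home
# (umount fails otherwise). The contents of /home are staged in a temporary
# directory under /srv while the partition is reformatted; that staging copy
# is plaintext, so it is removed again at the end.
set -euo pipefail

# Stage /home. "/home/." rather than "/home/*": a bare glob skips dotfiles
# (~/.ssh, ~/.bashrc, ...) and they would be lost when the partition is wiped.
staging=$(mktemp -d /srv/home-staging.XXXXXX)
cp -a /home/. "${staging}/"
umount /home
# Marker on the underlying directory: if /home/.undermnt is visible, the
# encrypted volume is not mounted on top of it.
touch /home/.undermnt

# luksFormat destroys everything on /dev/sda2 and asks for a new passphrase.
# aes-xts-plain64 with a 512-bit key is AES-256 in XTS mode.
cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 chome
mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/chome
# Prints the UUID of the LUKS container; it goes into /etc/crypttab below.
blkid /dev/sda2

mount /dev/mapper/chome /home
cp -a "${staging}/." /home/

# crypttab: "none" means the passphrase is asked for at boot. "discard"
# passes TRIM through to the drive, which lets an observer see which blocks
# of the container are unused; leave it out if that matters more than wear.
vim /etc/crypttab
# chome  UUID=xx-yy-zz  none  luks,timeout=60,discard

# fstab: mount the mapped device, never the raw partition.
vim /etc/fstab
# /dev/mapper/chome  /home  ext4  rw,relatime  0 2

# Drop the plaintext staging copy (set -e guarantees the copy back into
# /home succeeded before this runs). rm only unlinks; the old data blocks on
# the /srv filesystem are not overwritten.
rm -rf -- "${staging:?}"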

Manual LUKS partition opened after boot (remote SSH)

opendata.sh

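#!/usr/bin/env bash
#
# /dev/sda3 -> /data
# installed packages: cryptsetup keyutils
# loaded modules: dm_crypt
#
# prep/test:
#  cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/sda3
#  cryptsetup luksOpen /dev/sda3 cdata
#  mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/cdata
#  mkdir /data
#  mount /dev/mapper/cdata /data
#  umount /data
#  cryptsetup luksClose cdata
#
# Unlocks the LUKS container on ${_DEV} as /dev/mapper/${_LUKS} and mounts it
# on ${_MOUNT}. Meant to be run by hand over SSH after boot, since the
# passphrase is typed at the terminal. Idempotent: an already-open mapping or
# an already-mounted ${_MOUNT} is left alone. The three settings below can be
# overridden from the environment.
# Exit status: 0 when ${_MOUNT} is mounted at the end, 1 otherwise.

set -u

_DEV=${_DEV:-/dev/sda3}
_LUKS=${_LUKS:-cdata}
_MOUNT=${_MOUNT:-/data}

# Diagnostics go to stderr so they are not mixed with the df output.
die() { printf '%s\n' "$*" >&2; exit 1; }

# LUKS
if [[ ! -e "/dev/mapper/${_LUKS}" ]]; then
  sudo cryptsetup luksOpen "${_DEV}" "${_LUKS}" || die "luksOpen failed"
fi
[[ -e "/dev/mapper/${_LUKS}" ]] || die "luksOpen failed"

# mount
if ! mountpoint -q "${_MOUNT}"; then
  sudo mount "/dev/mapper/${_LUKS}" "${_MOUNT}" || die "mount failed"
fi

# verify: exit non-zero if ${_MOUNT} is still not mounted, so a caller can
# rely on the status and not only on the message.
mountpoint -q "${_MOUNT}" || die "mount failed"
df -h "${_MOUNT}"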

Manual LUKS partition close

closedata.sh

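#!/usr/bin/env bash
#
# Unmounts ${_MOUNT} and closes the LUKS mapping ${_LUKS}; the reverse of
# opendata.sh. Idempotent: an unmounted ${_MOUNT} or a mapping that is
# already closed is skipped. The two settings below can be overridden from
# the environment.
# Exit status: 0 when ${_MOUNT} is unmounted and the mapping is gone at the
# end, 1 otherwise.

set -u

_LUKS=${_LUKS:-cdata}
_MOUNT=${_MOUNT:-/data}

# Diagnostics go to stderr.
die() { printf '%s\n' "$*" >&2; exit 1; }

# mount: umount refuses while something still uses the filesystem (an open
# shell whose cwd is under ${_MOUNT}, for instance); stop here rather than
# try to close a mapping that is still in use.
if mountpoint -q "${_MOUNT}"; then
  sudo umount "${_MOUNT}" || die "umount failed"
  ! mountpoint -q "${_MOUNT}" || die "umount failed"
fi

# LUKS: luksClose removes the mapping and its key from the kernel; until
# then the cleartext stays reachable through /dev/mapper/${_LUKS}.
if [[ -e "/dev/mapper/${_LUKS}" ]]; then
  sudo cryptsetup luksClose "${_LUKS}" || die "luksClose failed"
  ! [[ -e "/dev/mapper/${_LUKS}" ]] || die "luksClose failed"
fi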