From c25f462e15af5f2fe9aefc49f338821f7d5ef435 Mon Sep 17 00:00:00 2001
From: tengel
Date: Wed, 20 Mar 2024 11:55:03 -0500
Subject: [PATCH] Add 'LUKS Encrypted Partitions'
---
 LUKS-Encrypted-Partitions.md | 96 ++++++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 LUKS-Encrypted-Partitions.md
diff --git a/LUKS-Encrypted-Partitions.md b/LUKS-Encrypted-Partitions.md
new file mode 100644
index 0000000..d693e2c
--- /dev/null
+++ b/LUKS-Encrypted-Partitions.md
@@ -0,0 +1,96 @@
+Generic `/home` encrypted partition
+
+**luks_home.sh**
+```
+# /dev/sda2 -> /home
+# installed packages: cryptsetup keyutils
+# loaded modules: dm_crypt
+
+cp -a /home/* /srv/
+umount /home
+
+cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/sda2
+cryptsetup luksOpen /dev/sda2 chome
+mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/chome
+blkid
+
+mount /dev/mapper/chome /home
+cp -a /srv/* /home/
+
+vim /etc/crypttab
+# chome UUID=xx-yy-zz none luks,timeout=60,discard
+
+vim /etc/fstab
+# /dev/mapper/chome /home ext4 rw,relatime 0 2
+```
+
+Manual LUKS partition opened after boot (remote SSH)
+
+**opendata.sh**
+```
+#!/usr/bin/env bash
+#
+# /dev/sda3 -> /data
+# installed packages: cryptsetup keyutils
+# loaded modules: dm_crypt
+#
+# prep/test:
+# cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/sda3
+# cryptsetup luksOpen /dev/sda3 cdata
+# mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/cdata
+# mkdir /data
+# mount /dev/mapper/cdata /data
+# umount /data
+# cryptsetup luksClose cdata
+
+_DEV=/dev/sda3
+_LUKS=cdata
+_MOUNT=/data
+
+# LUKS
+if [[ ! -e /dev/mapper/${_LUKS} ]]; then
+ sudo cryptsetup luksOpen ${_DEV} ${_LUKS}
+fi
+# mount
+if [[ ! -e /dev/mapper/${_LUKS} ]]; then
+ echo "luksOpen failed"
+ exit 1
+else
+ if ! mountpoint -q ${_MOUNT}; then
+ sudo mount /dev/mapper/${_LUKS} ${_MOUNT}
+ fi
+fi
+# verify
+if mountpoint -q ${_MOUNT}; then
+ df -h ${_MOUNT}
+else
+ echo "mount failed"
+fi
+```
+
+Manual LUKS partition close
+
+**closedata.sh**
+```
+#!/usr/bin/env bash
+
+_LUKS=cdata
+_MOUNT=/data
+
+# mount
+if mountpoint -q ${_MOUNT}; then
+ sudo umount ${_MOUNT}
+ if mountpoint -q ${_MOUNT}; then
+ echo "umount failed"
+ exit 1
+ fi
+fi
+# LUKS
+if [[ -e /dev/mapper/${_LUKS} ]]; then
+ sudo cryptsetup luksClose ${_LUKS}
+ if [[ -e /dev/mapper/${_LUKS} ]]; then
+ echo "luksClose failed"
+ exit 1
+ fi
+fi
+```
\ No newline at end of file
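Review bot: In luks_home.sh the staging copy `cp -a /home/* /srv/` and the restore `cp -a /srv/* /home/` skip dot-entries, so per-user hidden files such as `.ssh`, `.gnupg` and shell rc files are never carried across and are destroyed when `luksFormat /dev/sda2` runs on the old partition; use `cp -a /home/. /srv/` and `cp -a /srv/. /home/` so hidden files are included. Between `umount /home` and the `luksFormat` step the copy under `/srv` is the only copy of the data, so a verification line before the format (for example `diff -r /home /srv` run while `/home` is still mounted, or at least a size comparison) would make the procedure safer to follow. The crypttab example enables `discard`, which lets the underlying storage see which blocks of the encrypted volume are unused; that is a documented trade-off worth a one-line comment next to `# chome UUID=xx-yy-zz none luks,timeout=60,discard`. In opendata.sh and closedata.sh the `${_DEV}`, `${_LUKS}` and `${_MOUNT}` expansions are unquoted; the fixed values here are harmless, but quoting them keeps the snippets safe once someone adapts the paths.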