Add 'LUKS Encrypted Partitions'

LUKS-Encrypted-Partitions.md

@@ -0,0 +1,96 @@
+Generic `/home` encrypted partition
+
+**luks_home.sh**
+```
+# /dev/sda2 -> /home
+# installed packages: cryptsetup keyutils
+# loaded modules: dm_crypt
+
+cp -a /home/* /srv/
+umount /home
+
+cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/sda2
+cryptsetup luksOpen /dev/sda2 chome
+mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/chome
+blkid
+
+mount /dev/mapper/chome /home
+cp -a /srv/* /home/
+
+vim /etc/crypttab
+# chome  UUID=xx-yy-zz  none  luks,timeout=60,discard
+
+vim /etc/fstab
+# /dev/mapper/chome  /home  ext4  rw,relatime  0 2
+```
+
+Manual LUKS partition opened after boot (remote SSH)
+
+**opendata.sh**
+```
+#!/usr/bin/env bash
+#
+# /dev/sda3 -> /data
+# installed packages: cryptsetup keyutils
+# loaded modules: dm_crypt
+#
+# prep/test:
+#  cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/sda3
+#  cryptsetup luksOpen /dev/sda3 cdata
+#  mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/cdata
+#  mkdir /data
+#  mount /dev/mapper/cdata /data
+#  umount /data
+#  cryptsetup luksClose cdata
+
+_DEV=/dev/sda3
+_LUKS=cdata
+_MOUNT=/data
+
+# LUKS
+if [[ ! -e /dev/mapper/${_LUKS} ]]; then
+  sudo cryptsetup luksOpen ${_DEV} ${_LUKS}
+fi
+# mount
+if [[ ! -e /dev/mapper/${_LUKS} ]]; then
+  echo "luksOpen failed"
+  exit 1
+else
+  if ! mountpoint -q ${_MOUNT}; then
+    sudo mount /dev/mapper/${_LUKS} ${_MOUNT}
+  fi
+fi
+# verify
+if mountpoint -q ${_MOUNT}; then
+  df -h ${_MOUNT}
+else
+  echo "mount failed"
+fi
+```
+
+Manual LUKS partition close
+
+**closedata.sh**
+```
+#!/usr/bin/env bash
+
+_LUKS=cdata
+_MOUNT=/data
+
+# mount
+if mountpoint -q ${_MOUNT}; then
+  sudo umount ${_MOUNT}
+  if mountpoint -q ${_MOUNT}; then
+    echo "umount failed"
+    exit 1
+  fi
+fi
+# LUKS
+if [[ -e /dev/mapper/${_LUKS} ]]; then
+  sudo cryptsetup luksClose ${_LUKS}
+  if [[ -e /dev/mapper/${_LUKS} ]]; then
+    echo "luksClose failed"
+    exit 1
+  fi
+fi
+```