Disk encryption with LUKS

I would like to encrypt a partition where I keep data. This is a separate physical device from the HD where the OS is installed.

Does anyone have a link for a guide on how to do this with LUKS? I can find guidance for encrypting the OS partition, and how to do it when installing the OS, but little about how to do it afterwards (I do not want to re-install).

As an aside, does anyone have any opinion on whether LUKS is the best way to achieve this? I have also used TrueCrypt, but LUKS seems more “integrated”.

Thanks

When I first did this, I used:

fdisk

to partition the disk. And then, assuming that the newly created partition was “/dev/sdb1”, I used:

cryptsetup luksFormat /dev/sdb1            # encrypt the partition (asks for a passphrase)
cryptsetup open /dev/sdb1 cr_data          # unlock it and map it as /dev/mapper/cr_data

to encrypt it.

However, you might find it easier to just use:
Yast → System → Expert Partitioner
There, you can partition as needed and set the new partition to be encrypted.


You can use gnome-disks for that. Simply create a new partition and select “encrypt with LUKS” as an option.

Thanks. How do I then use the partition?

I would like to be prompted for the password at boot, and then to mount the partition automatically.

I know the latter is done in fstab, but obviously it would need to unlock the partition before mounting…

You need an entry in “/etc/crypttab” to be prompted at boot time, and then an entry in “/etc/fstab” for mounting.

If you use Yast Expert Partitioner, it will take care of both of those. Just be sure to tell the partitioner to mount the disk partition.

Curious about the naming convention, is the cr for customer? :thinking:

“cr” is for “crypto”.


I use the Yast partitioner to encrypt external hard drive partitions. I have made no changes to the /etc configuration files, and when I plug in the external drive and access the partition in the Dolphin file manager, I get prompted for the partition password. Actually, I get prompted for the default KDE kwallet password, where the password is not stored, then I get prompted for the partition password.

In general, this “just works”. However, there was a recent bug (now fixed) in Tumbleweed that temporarily broke this functionality:
https://bugzilla.opensuse.org/show_bug.cgi?id=1222980

Oh yes, you did. You probably did not use a mere text editor to make the changes, but you used YaST. YaST is only a tool that helps you do the edits, etc. correctly. So you, as system manager, changed things in /etc, else it would not “work”.

@hcvv

Ok, I have no knowledge of making any edits to /etc.

I currently have an external hard drive with encrypted partition mounted, and there is no corresponding entry in either /etc/fstab or /etc/crypttab.

The drive partition gets mounted at /run/media/username/[device-hash].

That is a mount done on behalf of the desktop for the user. Every time you connect the device, it is something new to the system.
Thus you used YaST only for the partitioning and the creation of the file system. Those are all things that only have influence on the device itself (and that could have been done on another system, because there is no fixed relation between the device and the system). You did not use it to ensure that it is mounted on boot, which would then lead to an entry in /etc/fstab, the eventual creation of the mount point and, for encryption, the entry in /etc/crypttab. So yes, you did not change anything in /etc, but you did not need to, because your case is different.

The OP is after a “normal” file system, to be part of the system (no logged-in user needed). Typically something to be configured in /etc/fstab (as all other file systems that belong to the system). The only extra he wants is encryption, which is then configured in /etc/crypttab. And YaST is a great help in doing that correctly with minimal fuss.


OK, so I have encrypted the partition and made the entry in crypttab so I am prompted for the password on boot.

However, how do I then automatically mount the volume? I have made the obvious entry in fstab, but the system falls to emergency mode on boot as (I presume) it tries to mount the partition before the password has been entered?

Note - if I remove the fstab entry, I can then manually mount the partition when booted - so the encryption part seems to be working OK.

As you did not show this entry, there is no way to guess why it did not work.

UUID=xxxx /mnt/mountpoint ext4 defaults 0 0

So does UUID xxxx exist and does directory /mnt/mountpoint exist?

sudo blkid | grep xxxx
ls -ld /mnt/mountpoint

You need to be careful when mounting by UUID.

For a LUKS partition, there are two UUIDs. There is a LUKS UUID which is visible before decryption, and can be used in “/etc/crypttab”. There is a separate file system UUID, created when the file system was created as “ext4”. It is the second of those UUIDs that you need in “/etc/fstab”. That UUID will show up in “blkid” for a device in “/dev/mapper/”.

Yes they do.

BLKID is not showing any device in /dev/mapper.

But, there is something there:

ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Jun 21 17:01 control
lrwxrwxrwx 1 root root       7 Jun 21 17:02 luks -> ../dm-0

So, should I mount /dev/mapper/dm-0 in fstab?

I generally prefer to use UUIDs as I have found that the devices assigned to /sda /sdb etc. can vary and give problems.

/dev/mapper/dm-0 /mnt/mountpoint ext4 defaults 0 0

Does not work. I get the following at boot:

A start job is running for /dev/mapper/dm-0 (and then have to wait 1m30s)

Then get:

[TIME] Timed out waiting for device /dev/mapper/dm-0
[DEPEND] Dependency failed for /mnt/mountpoint

Then the system goes into emergency mode.

I suggest that you add “noauto” as an option on the “fstab” line. That will avoid emergency mode. You can then try manually mounting with just:

mount /mnt/mountpoint

This will allow experimenting until you get it right.

There should be a device file “/dev/mapper/some-name”. Here “some-name” will be the name that you used in “/etc/crypttab”.

You can then try:

blkid /dev/mapper/some-name

to find the correct UUID.
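The two-UUID point made earlier in the thread and the blkid lookup in the reply above, as an added example that is not from any poster: a small POSIX sh script that reads blkid output and builds the crypttab line (from the LUKS UUID of the raw partition) and the fstab line (from the file system UUID of the opened /dev/mapper device). The partition /dev/sdb1, the mapping name cr_data, the mount point /mnt/data and the blkid sample are assumed, constructed values; on a real system you would feed it `sudo blkid` instead.

```shell
#!/bin/sh
# Added example, not from the thread: derive the crypttab and fstab lines
# from `blkid` output. The raw partition (/dev/sdb1), the mapping name
# (cr_data) and the mount point (/mnt/data) are assumed values.

# Constructed sample of `sudo blkid` output with the LUKS device already
# opened; note the two different UUIDs for /dev/sdb1 and /dev/mapper/cr_data.
SAMPLE_BLKID='/dev/sda2: UUID="1111-2222" TYPE="vfat" PARTUUID="aaaa-01"
/dev/sdb1: UUID="4f2c9d10-9b3e-4a11-8a2d-0c1f2e3d4a5b" TYPE="crypto_LUKS" PARTUUID="bbbb-01"
/dev/mapper/cr_data: UUID="9a8b7c6d-5e4f-4a3b-2c1d-0e9f8a7b6c5d" BLOCK_SIZE="4096" TYPE="ext4"'

# field_of <blkid output> <device> <KEY>: print the value of KEY="..." on the
# line for <device>, or nothing if the device or key is absent.
field_of() {
    printf '%s\n' "$1" | awk -v dev="$2:" -v key="$3=" '
        $1 == dev { for (i = 2; i <= NF; i++) if (index($i, key) == 1) {
            v = substr($i, length(key) + 1); gsub(/"/, "", v); print v } }'
}

# crypttab_line <blkid output> <raw partition> <mapping name>
# Uses the LUKS header UUID, which is visible before the device is opened.
crypttab_line() {
    [ "$(field_of "$1" "$2" TYPE)" = "crypto_LUKS" ] ||
        { echo "$2 is not a LUKS device" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$3" "$(field_of "$1" "$2" UUID)"
}

# fstab_line <blkid output> <mapping name> <mount point>
# Uses the file system UUID of /dev/mapper/<name>, which only exists after
# the device is opened, plus the file system type blkid reports for it.
fstab_line() {
    dev="/dev/mapper/$2"
    fs_uuid=$(field_of "$1" "$dev" UUID)
    [ -n "$fs_uuid" ] ||
        { echo "$dev not found: is the LUKS device opened?" >&2; return 1; }
    printf 'UUID=%s %s %s defaults 0 0\n' "$fs_uuid" "$3" "$(field_of "$1" "$dev" TYPE)"
}

crypttab_line "$SAMPLE_BLKID" /dev/sdb1 cr_data
fstab_line "$SAMPLE_BLKID" cr_data /mnt/data
```

If the fstab line cannot be built, the usual cause is the one discussed above: the mapping was not opened yet, so there is no /dev/mapper entry for blkid to report.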