I would like to encrypt a partition where I keep data. This is a separate physical device to the HD where the OS is installed.
Does anyone have a link for a guide on how to do this with LUKS? I can find guidance for encrypting the OS partition, and how to do it when installing the OS, but little about how to do it afterwards (I do not want to re-install).
As an aside, does anyone have any opinion if LUKS is the best way to achieve this? I have also used Truecrypt but LUKS seems more “integrated”.
to partition the disk. And then, assuming that the newly created partition was “/dev/sdb1”, I used:
cryptsetup luksFormat /dev/sdb1 cr_data
to encrypt it.
However, you might find it easier to just use:
Yast → System → Expert Partitioner
There, you can partition as needed and set the new partition to be encrypted.
I use the Yast partitioner to encrypt external hard drive partitions. I have made no changes to the /etc configuration files, and when I plug in the external drive and access the partition in the Dolphin file manager, I get prompted for the partition password. Actually, I get prompted for the default KDE kwallet password, where the password is not stored, then I get prompted for the partition password.
Oh yes, you did. You probably did not use a mere text editor to make the changes, but you used YaST. YaST is only a tool that helps you do the edits, etc. correctly. So you, as system manager, change things in /etc, else it would not “work”.
That is a mount on behalf of the desktop done for the user. Every time you connect the device, it is as something new to the system.
Thus you used YaST only for the partitioning and the creation of the file system. All things that only have influence on the device itself (and that could have been done on another system because there is no fixed relation between the device and the system). You did not use it to see that it is mounted on boot, which then would lead to an entry in /etc/fstab, the eventual creation of the mount point and, for encryption, the entry in /etc/crypttab. So yes, you did not change anything in /etc, but you did not need that because your case is different.
The OP is after a “normal” file system, to be part of the system (no logged-in user needed). Typically something to be configured in /etc/fstab (as all other file systems that belong to the system). The only extra he wants is encryption, which then is configured in /etc/crypttab. And YaST is a great help in doing that correctly with minimal fuss.
OK, so I have encrypted the partition and made the entry in crypttab so I am prompted for the password on boot.
However, how do I then automatically mount the volume? I have made the obvious entry in fstab, but the system falls to emergency mode on boot as (I presume) it tries to mount the partition before the password has been entered?
Note - if I remove the fstab entry, I can then manually mount the partition when booted - so the encryption part seems to be working OK.
For a LUKS partition, there are two UUIDs. There is a LUKS UUID which is visible before decryption, and can be used in “/etc/crypttab”. There is a separate file system UUID, created when the file system was created as “ext4”. It is the second of those UUIDs that you need in “/etc/fstab”. That UUID will show up in “blkid” for a device in “/dev/mapper/”.
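The two-UUID distinction from the answer above, as an added example that is not from the thread: a small shell check that classifies each UUID= entry of an fstab against blkid output, flagging a LUKS container UUID that was placed in fstab by mistake. The UUIDs, the /data mount point and the sample blkid text are constructed; cr_data is the mapping name used earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample values are constructed.

# Constructed `blkid` output: the LUKS container, then the unlocked mapping.
SAMPLE_BLKID='/dev/sdb1: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS"
/dev/mapper/cr_data: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" TYPE="ext4"'

# The matching /etc/crypttab line uses the *LUKS* UUID:
#   cr_data  UUID=11111111-2222-3333-4444-555555555555  none  luks

# Constructed fstab lines: the first wrongly uses the LUKS UUID,
# the second uses the file system UUID of /dev/mapper/cr_data.
BAD_FSTAB='UUID=11111111-2222-3333-4444-555555555555 /data ext4 defaults 0 2'
GOOD_FSTAB='UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /data ext4 defaults 0 2'

# uuid_type BLKID_TEXT UUID -> prints the TYPE of the device with that UUID
uuid_type() {
    printf '%s\n' "$1" |
        sed -n "s/.*UUID=\"$2\".* TYPE=\"\([^\"]*\)\".*/\1/p"
}

# check_fstab BLKID_TEXT FSTAB_TEXT -> one verdict line per UUID= entry
check_fstab() {
    printf '%s\n' "$2" | while read -r spec mnt rest; do
        case $spec in
            UUID=*) ;;            # only UUID= entries are checked
            *) continue ;;        # comments, blank lines, /dev/... paths
        esac
        uuid=${spec#UUID=}
        fstype=$(uuid_type "$1" "$uuid")
        case $fstype in
            crypto_LUKS)
                echo "BAD $mnt: LUKS container UUID, belongs in /etc/crypttab" ;;
            "")
                echo "UNKNOWN $mnt: UUID not in blkid output (volume locked?)" ;;
            *)
                echo "OK $mnt: $fstype file system UUID" ;;
        esac
    done
}

check_fstab "$SAMPLE_BLKID" "$BAD_FSTAB"
check_fstab "$SAMPLE_BLKID" "$GOOD_FSTAB"
```

On a real system, pass "$(blkid)" (run as root, with the volume unlocked) and "$(cat /etc/fstab)" in place of the sample strings.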