Mount LUKS encrypted hard drive at boot
Solution 1
A key file in the /boot directory can be read by any other operation system booted on your machine that is able to mount the filesystem on that /boot is located. Thus, encryption is not really effective. This argument applies to all key file locations on unencrypted file systems.
To avoid key files on unencrypted file systems a password can be used for decryption. Create a strong password for the device. Then, change the line in /etc/crypttab to
hddencrypted UUID=b3024cc1-93d1-439f-80ce-1b1ceeafda1e none luks
and keep the entry in /etc/fstab unmodified. Ubuntu 14.04/16.04/18.04 asks you for the password on startup.
Solution 2
Does it work if you replace "defaults" in fstab with
rw,suid,dev,exec,auto,user,async,relatime
(According to the mount man page, it's the same as "defaults" except for "user".)
Solution 3
Make sure the hddencrypted partition is listed after the home partition, in both /etc/fstab and /etc/crypttab. As the crypttab (5) manpage states:
The order of records in crypttab is important because the init scripts sequentially iterate through crypttab doing their thing.
Also you could try adding the noearly option to the latter partition in /etc/crypttab:
hddencrypted UUID=<...> /home/[USERNAME]/.keyfiles/key_luks luks,noearly
In a normal situation, you could indicate that the home partition must be mounted first by adding it to CRYPTDISKS_MOUNT in /etc/default/cryptdisks, but since it is itself encrypted, I have a feeling that would not be a good idea.
Related videos on Youtube
05 : 43
21 : 45
09 : 16
02 : 57
03 : 02
zeugor
Updated on September 18, 2022Comments
-
zeugor over 1 year
I have Xubuntu 14.04 on a SSD device (the HOME was encrypted correctly during intallation), additionally I have a HDD with a encrypted partition with extra data which I would like to mount in /mnt/hdd. For making these I followed the next steps:
(Previously I had encrypted the disk with LUKS following this post http://www.marclewis.com/2011/04/02/luks-encrypted-disks-under-ubuntu-1010/)
Check the UUID
sudo blkid /dev/sda1: UUID="b3024cc1-93d1-439f-80ce-1b1ceeafda1e" TYPE="crypto_LUKS"Make a keyfile with the right passphrase and save it in my HOME (which is also encrypted).
sudo dd if=/dev/urandom of=/home/[USERNAME]/.keyfiles/key_luks bs=1024 count=4 sudo chmod 0400 .keyfiles/key_luksAdd the key
sudo cryptsetup luksAddKey /dev/sda1 /home/zeugor/.keyfiles/key_luksNew entry in /etc/crypttab
hddencrypted UUID=b3024cc1-93d1-439f-80ce-1b1ceeafda1e /home/[USERNAME]/.keyfiles/key_luks luksUpdate the initial ramdisk
sudo update-initramfs -u -k allThen, to test it, I used the follow command to start cryptdisks:
sudo cryptdisks_start hddencrypted * Starting crypto disk... * hddencrypted (starting).. * hddencrypted (started)...To check hddencrypted was mapped:
ls /dev/mapper/ control hddencryptedCreate a mount point
mkdir /mnt/hddNew entry in /etc/fstab
/dev/mapper/hddencrypted /mnt/hdd ext4 defaults 0 2Validate fstab without reboot:
sudo mount -aMount the encrypted partition on boot
Now I have mount it in/mnt/hdd as I proposed. But I wold like to make this automatically after reboot. But before I can log in, I get this error:
the disk drive for /mnt/hdd is not ready yet or not permitAll this makes me think that /etc/crypttab can't access to the keyfile which is located in my HOME (other encrypted partition). I don't know the order which the system follows to unencrypted and mounts the units. My HOME should be unencrypted before my HDD for giving access to read the keyfile.
I would appreciate any insight as to why this happens.
UPDATE: If I locate the keyfile in /boot (no encrypted), instead of in my /home/[USERNAME] (encrypted) the /dev/sda1 and update the entry in /etc/crypttab is perfectly mounted on boot time.
-
Admin over 9 yearsHow is/home/$USERencrypted? A full disk encryption like LUKS or based of ecryptfs?
-
-
Christian Wolf about 8 yearsThis will not work as ubuntu tries to decrypt all partitions and then mount them. Thus the key file will not be available.
-
Jacobra over 5 yearscombining @solt87's answer and this answer would complete this answer.
-
xenoid about 4 yearsAs of 2020 (Ubuntu 19.10) this works (noearlywasn't even necessary). I put the keyfile in /etc/luks (the main disk is also LUKS encrypted) . -
interoception almost 3 yearsIt's effective if the boot drive is also encrypted, correct?
-
Dominik almost 3 yearsYes, if the boot drive is also encrypted, it is effective. But then, you need a key/password for your /boot partition. Where to put this key?
