I'm not sure about the details, but as far as I know LUKS has a long internal key that is used to encrypt the whole drive. This master key is encrypted with your passphrase and that encrypted key is stored on the drive.
When you add a file as a key the master key is encrypted using the binary contents of that file and stored as well. The contents of the file are basically an additional pass phrase.
So when it tries to decrypt the drive at boot it first tries to use the key file you give it. When that fails it asks for the pass phrase.
When you made the file EncryptedSD.txt it did not contain the same binary data as the pass phrase you created. Probably due to an additional newline or two. To get around that you add the whole file as it is as a valid decryption key.
Often people might create an extra long key on an extra USB stick. Or if you want to decrypt the drive automatically with the option of setting up a pass phrase later you can initially create the volume only with a key file stored on the boot drive or so.
...I think you have something here. If I create a random password and save it via nano on a brand new file, and use this file as passphrase during the initial creation...it then doesn't let me open the encrypted device. It says no key available with this passphrase. When you input the cryptsetup open, you're only allowed to manually type the passphrase (it no longer accepts a file with the passphrase, I think). Curiously, both the file and the passphrase I type manually...are pasted from the clipboard from the same password randomly generated on Bitwarden and then copied to the clipboard. And yet, it seems something doesn't match.
EDIT: Seems when you 'open' with a file, the appropriate way is:
cryptsetup luksOpen /dev/sda encrypted --key-file /home/user/encryptedSD.txt
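
Added example, not part of either comment above: a byte-level check of a key file against the passphrase as typed, showing the newline mismatch the thread describes and writing a copy without the trailing bytes. The function names, file names and sample passphrase are constructed for illustration; nothing here calls cryptsetup or touches a device.

```shell
#!/bin/sh
# Added example (not from the thread): why a key file saved from an editor
# can differ from the same passphrase typed at the prompt.
# With --key-file, cryptsetup uses every byte of the file, including a final
# newline; a passphrase typed at the prompt ends at the newline, which is not
# part of the key.

# keyfile_trailer FILE: print "crlf", "lf" or "none" for the file's last bytes.
keyfile_trailer() {
    last2=$(tail -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    case "$last2" in
        0d0a) echo crlf ;;
        *0a)  echo lf ;;
        *)    echo none ;;
    esac
}

# matches_typed FILE PASSPHRASE: succeed only if the file's bytes are exactly
# the passphrase, with nothing appended.
matches_typed() {
    printf '%s' "$2" | cmp -s - "$1"
}

# strip_trailer IN OUT: write IN to OUT without trailing newlines or a final CR.
# Text passphrases only; OUT is created readable by the owner alone.
strip_trailer() (
    umask 077
    cr=$(printf '\r')
    body=$(cat "$1")          # command substitution drops trailing newlines
    printf '%s' "${body%"$cr"}" > "$2"
)

# Constructed sample data: one passphrase stored three ways.
demo() {
    dir=$(mktemp -d) || return 1
    pass='constructed-sample-passphrase'
    printf '%s\n' "$pass"   > "$dir/editor.txt"    # what nano saves by default
    printf '%s\r\n' "$pass" > "$dir/windows.txt"   # CRLF line ending
    printf '%s' "$pass"     > "$dir/exact.txt"     # no trailing bytes
    for f in editor windows exact; do
        if matches_typed "$dir/$f.txt" "$pass"; then same=yes; else same=no; fi
        echo "$f.txt: trailer=$(keyfile_trailer "$dir/$f.txt") same-as-typed=$same"
    done
    rm -rf "$dir"
}
demo
```

Only the file with no trailing bytes matches the typed passphrase; a key slot added from the editor-saved file opens with that file but not with the typed text, and vice versa.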