submitted 2 months ago* (last edited 2 months ago) by iturnedintoanewt@lemm.ee to c/linux@lemmy.world

Hi guys!

I have a Surface laptop, which I want to use again with a microSD as external storage. Since this can be easily pulled off from the laptop, I want it to be encrypted. This was encrypted before, but eventually the SD failed, and I'm trying to recreate what I had...without much success.

Steps so far... Create the LUKS volume:

#cryptsetup luksFormat /dev/sda

Format in ext4 (I believe it was in exFAT with the old SD?):

#cryptsetup open /dev/sda encrypted
#mkfs.ext4 /dev/mapper/encrypted

That should do it regarding the volume creation. Now comes what I can't quite get working. I created a pw txt file within my home folder:

/home/user/EncryptedSD.txt

Then I refer to this via /etc/crypttab at boot:

encrypted /dev/sda /home/user/EncryptedSD.txt

And my /etc/fstab should attempt to mount this on the spot:

/dev/mapper/encrypted /media/SDCard ext4 auto,nofail,rw

However, as this is set, I'm being prompted halfway through boot for the password. And I can't type anything onto that field. Not that it matters, as it's a really long randomly generated password, no way I could remember it.

Even if I managed to make it go through boot, I'm still prompted for mounting the drive when I clicked on it, and I'm also prompted for the password, so clearly something's not quite there yet. Any ideas? I intend to sync a series of network folders to this drive, so not being ready can make it a bit messier to sync at boot.

Thanks!

[-] bjoern_tantau@swg-empire.de 5 points 2 months ago* (last edited 2 months ago)

You have to add the file as a key file. Just adding the password to the file isn't enough.

cryptsetup luksAddKey /dev/sda /home/user/EncryptedSD.txt
[-] dengtav@lemmy.ml 3 points 2 months ago

Just partly related, and probably no help here, but about the fact that you can't type in that password (regardless of whether you can remember it or not):

You probably use a Bluetooth keyboard on that Surface? Before boot is finished, Bluetooth connection is not possible, so you need some sort of USB/serial keyboard to even type.

Had this issue when full-disk encrypting a Surface, because without a USB (or the original serial) keyboard you're stuck in the LUKS mount process during boot...

[-] JubilantJaguar@lemmy.world 3 points 2 months ago

> Since this can be easily pulled off from the laptop, I want it to be encrypted

And the laptop can be easily pulled off the desk so you might want that encrypted too.

[-] gerowen@lemmy.world 1 points 2 months ago* (last edited 2 months ago)

Key files should be key files that are associated with the device encryption, not just the password stored on a text file.

https://www.cyberciti.biz/hardware/cryptsetup-add-enable-luks-disk-encryption-keyfile-linux/
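
The key-file advice in the comments above can be checked before rebooting. This is an added example, not code from the thread or from cryptsetup: the function names and finding labels are hypothetical, the sample file is constructed, and the nofail check assumes systemd's crypttab handling.

```shell
#!/bin/sh
# Added example (not from the thread): pre-boot checks for a LUKS key file
# and the crypttab line that references it. Prints one finding per line.

audit_keyfile() {
    kf=$1
    [ -f "$kf" ] || { echo "missing: $kf"; return 0; }
    # cryptsetup reads a key file whole, so a trailing newline is part of
    # the key; a typed passphrase has its newline stripped.
    if [ "$(tail -c 1 "$kf" | wc -l)" -eq 1 ]; then
        echo "trailing-newline: $kf"
    fi
    # Anyone who can read the key file can unlock the volume.
    mode=$(stat -c '%a' "$kf")        # GNU stat, as found on Linux
    case $mode in
        400|600) ;;
        *) echo "loose-mode($mode): $kf" ;;
    esac
}

# Argument: one crypttab line, "<name> <device> <keyfile> [options]".
audit_crypttab_line() {
    set -f; set -- $1; set +f         # split into fields without globbing
    name=$1 dev=$2 key=${3:-none} opts=${4:-}
    [ -n "$dev" ] || { echo "malformed"; return 0; }
    case $dev in
        UUID=*|/dev/disk/by-*) ;;
        *) echo "unstable-device: $dev" ;;   # sdX names can change between boots
    esac
    case $key in
        none|-) echo "no-keyfile: $name will prompt for a passphrase" ;;
    esac
    case ",$opts," in
        *,nofail,*) ;;
        *) echo "no-nofail: $name is a hard boot dependency" ;;
    esac
}

# Constructed sample: a password saved by a text editor, plus the thread's line.
demo() {
    tmp=$(mktemp) && printf 'long-random-password\n' > "$tmp" && chmod 644 "$tmp"
    audit_keyfile "$tmp"
    audit_crypttab_line 'encrypted /dev/sda /home/user/EncryptedSD.txt'
    rm -f "$tmp"
}
demo
```

An empty result from both functions means none of these particular checks fired; it does not prove the key file is enrolled in a LUKS key slot.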

this post was submitted on 07 Apr 2025