Cool Solution - Create and auto-mount encrypted devices
From Univention Wiki
In this cool solution we explain how to encrypt a drive with LUKS, mount it, and configure UCS to mount it automatically on boot.
To unlock and mount the drive automatically on boot you need a keyfile that opens the encrypted device. Choose a passphrase or generate a random one and store it in a file on the root filesystem (the examples below use /root/super.secret). Note that the keyfile is only as well protected as the filesystem it lives on: anyone who can read the root filesystem can read the key and therefore the data drive.
Then restrict the privileges on that file so that only root can read it:
chmod 0400 /path/to/keyfile
Encrypt the drive
First you need to install cryptsetup:
univention-install cryptsetup
Now we will encrypt the device /dev/vdb. To get a list of drives you can use lsblk. Use an entirely empty drive for this: LUKS only protects data written through the mapping after the format, so files that were stored on the drive before could still be recovered unless the whole drive is overwritten once with zeros or random data first. The drive receives a new filesystem in the next step anyway, but creating a filesystem does not remove old plaintext from blocks that are never written.
Encrypt the drive and format it as a LUKS container. You will be prompted for a passphrase; keep it as a recovery credential, because the keyfile added afterwards is what crypttab will use to open the device automatically on boot. The -c option selects the cipher mode; aes-cbc-essiv:sha256 is the legacy choice, and on current cryptsetup versions the default used when -c is omitted, aes-xts-plain64, is the better option for a new setup.
cryptsetup --verbose -c aes-cbc-essiv:sha256 -y luksFormat <device>
If we wanted to encrypt /dev/vdb the command would look as follows:
cryptsetup --verbose -c aes-cbc-essiv:sha256 -y luksFormat /dev/vdb
Add your keyfile to LUKS (you will be asked for the passphrase chosen above, because adding a key requires an existing one):
cryptsetup luksAddKey <device> <keyfile>
Once this is finished, we can open the encrypted drive (this prompts for the passphrase or, with --key-file, uses the keyfile):
cryptsetup luksOpen <drive location> <drive name>
For our vdb drive the command would look as follows:
cryptsetup luksOpen /dev/vdb vdb
"vdb" is the name under which the opened device appears as /dev/mapper/vdb.
We can now create a filesystem on the mapped device /dev/mapper/<drive name>; this example uses ext4 (mkfs.ext4). Note that the filesystem must be created on the mapped device, not on <device> itself, otherwise the LUKS header is overwritten.
Once this has finished, you can mount the drive and use it:
mount /dev/mapper/<drive name> <mount point>
Verify encryption of the device
To verify that the device has been encrypted you can run blkid on it.
This should output a line similar to this:
/dev/vdb: UUID="057fdb62-d407-4705-a029-5120e9048d7c" TYPE="crypto_LUKS"
If the "TYPE" is "crypto_LUKS", the device carries a LUKS header and is considered encrypted. blkid only reports the header; cryptsetup luksDump additionally shows the cipher and which key slots are in use, so you can confirm that both the passphrase and the keyfile were enrolled. The UUID shown here is also the stable way to reference the device in crypttab.
Automatically mount encrypted drives on system start
Mounting the drive by hand after every boot is not practical, so we now configure crypttab and fstab to do it automatically.
First we add the device to /etc/crypttab so that it is unlocked during boot and fstab can mount the mapped device afterwards. Fields are separated by whitespace (spaces or tabs both work). Since device names like /dev/vdb can change when disks are added or removed, prefer the UUID= form of the source device, using the UUID that blkid reported above.
Add a line to /etc/crypttab with your device:
<name to be mapped to> <device> <keyfile> luks
If we want to map /dev/vdb to /dev/mapper/enc with the keyfile /root/super.secret, the line would look as follows:
enc /dev/vdb /root/super.secret luks
Now we have to edit fstab to automount the device on boot. Add a new line for your device:
/dev/mapper/<name the device is mapped to by crypttab> <mount point> <file system> defaults 0 2
So if we wanted to mount /dev/mapper/enc, formatted with ext4, at /root/enc, our line would look as follows (the mount point directory must exist before the next boot):
/dev/mapper/enc /root/enc ext4 defaults 0 2
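The whole procedure above as one script, added here as an example and not taken from the Univention wiki page. It assumes the hypothetical values used throughout this page (device /dev/vdb, mapping name enc, keyfile /root/super.secret, mount point /root/enc; all can be overridden through environment variables) and deliberately only touches the system when DO_ENCRYPT=yes is set, so the helper functions for the crypttab/fstab lines and the blkid check can be tried without root. It references the source device by UUID, keeps the interactive passphrase as a recovery key slot, and adds nofail to the fstab entry so a missing data disk cannot block the boot.

```shell
#!/bin/sh
# Added example, not code from the Univention wiki page: the manual steps of
# the page as one script. Hypothetical defaults: device /dev/vdb, mapping name
# "enc", keyfile /root/super.secret, mount point /root/enc (override via env).
# Only the DO_ENCRYPT=yes branch at the bottom changes anything on the system.
set -eu

DEVICE="${DEVICE:-/dev/vdb}"
MAPNAME="${MAPNAME:-enc}"
KEYFILE="${KEYFILE:-/root/super.secret}"
MOUNTPOINT="${MOUNTPOINT:-/root/enc}"

# 4096 random bytes from the kernel CSPRNG, written under umask 077 so the
# file is never readable by anyone but root, not even briefly.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=4096 count=1 status=none )
    chmod 0400 "$1"
}

# Return 0 only if a blkid output line reports a LUKS header.
is_luks_blkid_line() {
    case "$1" in
        *'TYPE="crypto_LUKS"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the container UUID out of a blkid line. The leading space in the
# pattern keeps a PARTUUID="..." field from matching instead.
blkid_uuid() {
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# crypttab entry: <name> <source> <keyfile> <options>. The source is given as
# UUID=... so a renumbered /dev/vdX cannot point the mapping at another disk.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# fstab entry for the mapped device. "nofail" keeps a missing or unopenable
# data disk from dropping the whole system into emergency mode at boot.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

if [ "${DO_ENCRYPT:-no}" = "yes" ]; then
    make_keyfile "$KEYFILE"
    # Interactive luksFormat: the passphrase typed here stays in key slot 0
    # as a recovery credential in case the keyfile is ever lost.
    cryptsetup --verbose -y -c aes-xts-plain64 -s 512 luksFormat "$DEVICE"
    cryptsetup luksAddKey "$DEVICE" "$KEYFILE"      # asks for that passphrase
    cryptsetup luksOpen --key-file "$KEYFILE" "$DEVICE" "$MAPNAME"
    mkfs.ext4 "/dev/mapper/$MAPNAME"                 # on the mapping, never on $DEVICE

    line="$(blkid "$DEVICE")"
    is_luks_blkid_line "$line" || { echo "no LUKS header on $DEVICE" >&2; exit 1; }
    uuid="$(blkid_uuid "$line")"
    [ -n "$uuid" ] || { echo "could not read UUID from: $line" >&2; exit 1; }

    crypttab_line "$MAPNAME" "$uuid" "$KEYFILE" >> /etc/crypttab
    mkdir -p "$MOUNTPOINT"
    fstab_line "$MAPNAME" "$MOUNTPOINT" >> /etc/fstab
    mount "$MOUNTPOINT"                              # uses the fstab entry just written
    cryptsetup luksDump "$DEVICE"                    # shows cipher and enrolled key slots
fi
```

Run it as root with DO_ENCRYPT=yes DEVICE=/dev/vdb sh encrypt-disk.sh; without DO_ENCRYPT it only defines the helpers. The blkid parsing is used instead of blkid -o value -s UUID so that the same function can check the sample line from the page.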