In my last article I shared the steps to encrypt a partition using LUKS. In this article I will continue with LUKS and share the steps to mount a LUKS device at boot on a Linux node, both with and without a key file.

Before we start, here is a short overview of LUKS.

This is what LUKS does:

  • The entire block device can be encrypted using LUKS; it’s well suited for protecting the data on removable storage media or laptop disk drives
  • LUKS uses the existing device mapper kernel subsystem
  • It also provides passphrase strengthening, which helps protect against dictionary attacks

Let us start with the demonstration of disk encryption in Linux using LUKS

How to auto mount LUKS encrypted partition using key at boot in Linux

Mount LUKS device using fstab without key (prompts for passphrase)

From our last article we already have an encrypted partition, /dev/sdb1. You can either mount the encrypted partition manually every time the node boots, or use fstab to mount it automatically during the boot stage.

IMPORTANT NOTE:
If you perform this activity without a key file, the reboot will halt with a prompt asking for the passphrase to mount the LUKS device.

Add the entry below to your /etc/fstab:

/dev/mapper/secret      /secret                 ext4    defaults        0 0

Next add the entry below to /etc/crypttab. The fields are the mapped device name (secret), the underlying encrypted partition (/dev/sdb1) and the key file location. Since at this stage we have not created a key file, we set the third field to none.

secret  /dev/sdb1       none

Next reboot the node and check that the boot halts, waiting for the passphrase to mount the LUKS device.

Mount LUKS device using fstab with key (No prompt for passphrase)

LUKS can use up to 8 key slots to store passwords.

Use the command below to check which key slots are currently in use. As you can see, only one key slot is in use.

[root@node1 ~]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      4f 28 47 d0 91 cd 30 1f c0 78 73 b9 0e 83 cd d6 77 99 bf c8
MK salt:        dc 91 2a 87 49 44 a9 2a 75 f7 f4 18 ee 39 54 e2
                2f 72 e0 21 ba 07 59 84 75 58 c6 a9 ad 7e 43 ae
MK iterations:  19006
UUID:           1da14492-aec4-4924-905d-e5aa28cbcff4

Key Slot 0: ENABLED
        Iterations:             296206
        Salt:                   06 af 5b fc 27 a3 3c 84 02 d8 1e 89 ec fc c9 15
                                d8 c4 5e 3c 58 9b 92 0a e3 e5 48 5d 6b da cf 65
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

To add a new passphrase to a free key slot, use the command below.

[root@node1 ~]# cryptsetup luksAddKey /dev/sdb1
Enter any existing passphrase:
Enter new passphrase for key slot:
Verify passphrase:

Next verify the key slots again

[root@node1 ~]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      4f 28 47 d0 91 cd 30 1f c0 78 73 b9 0e 83 cd d6 77 99 bf c8
MK salt:        dc 91 2a 87 49 44 a9 2a 75 f7 f4 18 ee 39 54 e2
                2f 72 e0 21 ba 07 59 84 75 58 c6 a9 ad 7e 43 ae
MK iterations:  19006
UUID:           1da14492-aec4-4924-905d-e5aa28cbcff4

Key Slot 0: ENABLED
        Iterations:             296206
        Salt:                   06 af 5b fc 27 a3 3c 84 02 d8 1e 89 ec fc c9 15
                                d8 c4 5e 3c 58 9b 92 0a e3 e5 48 5d 6b da cf 65
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             729190
        Salt:                   3b a3 55 c0 5a d6 d0 0f 26 84 84 c4 a7 d1 83 23
                                9c 2d 6d ea 9f 76 83 04 36 8b d4 d6 19 07 ba 10
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

As you can see, one more key slot has been added and is enabled.

NOTE:
To remove a key slot you can use “cryptsetup luksRemoveKey /dev/device”, where the device or partition is /dev/sdb1 in our demo.
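The key slot listing is the one place where this setup can be watched: a slot that turns up ENABLED without a matching change record means another passphrase or key file can open the volume. The shell snippet below is an added example, not code from the original article or from the cryptsetup project. It parses the LUKS1 luksDump layout shown above (the sample text is constructed from the article's dump after the second luksAddKey) and compares the number of enabled slots against the number the administrator expects; the function names are my own.

```shell
# Added example (not from the original article or the cryptsetup project):
# parse the LUKS1 `cryptsetup luksDump` output shown above and report which
# key slots are ENABLED, so an unexpected slot can be flagged. Function names
# are my own; the sample dump text is constructed from the article's output.

# Print the numbers of the enabled key slots, one per line, from a dump on stdin.
# Dump lines look like "Key Slot 2: ENABLED"; $3 is "2:" and the colon is stripped.
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }'
}

# Count the enabled slots in a dump on stdin (tr strips the padding some wc builds print).
count_enabled() {
    enabled_slots | wc -l | tr -d ' '
}

# Compare the enabled slot count against the number the administrator expects.
# Returns 0 when they match, 1 otherwise, and describes the drift on stderr.
check_slot_count() {
    expected="$1"
    actual=$(count_enabled)
    if [ "$actual" -ne "$expected" ]; then
        echo "key slot drift: expected $expected enabled slot(s), found $actual" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the article's dump of /dev/sdb1 after the second luksAddKey.
SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
UUID:           1da14492-aec4-4924-905d-e5aa28cbcff4

Key Slot 0: ENABLED
        Iterations:             296206
        Key material offset:    8
Key Slot 1: ENABLED
        Iterations:             729190
        Key material offset:    264
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Two slots are expected after luksAddKey; anything else is reported as drift.
printf '%s\n' "$SAMPLE_DUMP" | enabled_slots
printf '%s\n' "$SAMPLE_DUMP" | check_slot_count 2
```

On a live node replace the printf with `cryptsetup luksDump /dev/sdb1 | check_slot_count 2` and run it from cron or a configuration-management check; a nonzero exit means a key slot was added or removed outside the documented procedure. The pattern matches the LUKS1 layout printed in this article; LUKS2 lists its keyslots in a differently formatted section and would need its own pattern.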

Now let us create a key file that will supply the passphrase during boot. With it in place the system will not halt asking for a passphrase; instead it reads the key for the LUKS device from this file and continues booting.

To create the key file, execute the command below. Here my key file, “lukskey”, is placed under /root.

[root@node1 ~]# dd if=/dev/random bs=32 count=1 of=/root/lukskey
1+0 records in
1+0 records out
32 bytes (32 B) copied, 0.000294018 s, 109 kB/s

To check the content of the lukskey file, use xxd. As you can see, it is filled with random data.

[root@node1 ~]# xxd /root/lukskey
0000000: cd37 d965 8eb6 e1cd b009 467f 524b bf8e  .7.e......F.RK..
0000010: 5a53 7250 19c0 78b5 6d68 3f9c c8b6 6bf9  ZSrP..x.mh?...k.

Now let us add this key to our LUKS device

[root@node1 ~]# cryptsetup luksAddKey /dev/sdb1 /root/lukskey
Enter any existing passphrase:

Verify the key slots again; a new key slot is now enabled.

[root@node1 ~]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      4f 28 47 d0 91 cd 30 1f c0 78 73 b9 0e 83 cd d6 77 99 bf c8
MK salt:        dc 91 2a 87 49 44 a9 2a 75 f7 f4 18 ee 39 54 e2
                2f 72 e0 21 ba 07 59 84 75 58 c6 a9 ad 7e 43 ae
MK iterations:  19006
UUID:           1da14492-aec4-4924-905d-e5aa28cbcff4

Key Slot 0: ENABLED
        Iterations:             296206
        Salt:                   06 af 5b fc 27 a3 3c 84 02 d8 1e 89 ec fc c9 15
                                d8 c4 5e 3c 58 9b 92 0a e3 e5 48 5d 6b da cf 65
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             729190
        Salt:                   3b a3 55 c0 5a d6 d0 0f 26 84 84 c4 a7 d1 83 23
                                9c 2d 6d ea 9f 76 83 04 36 8b d4 d6 19 07 ba 10
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: ENABLED
        Iterations:             683556
        Salt:                   1a 13 aa 01 e1 c2 71 33 29 5f ae fc 25 71 2e c8
                                9f 9f 85 df 4b 80 61 4d 8d 52 35 7c 66 0a d0 af
        Key material offset:    520
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Next modify your crypttab and provide the key file path, so that the system does not halt asking for the passphrase of the LUKS device.

[root@node1 ~]# vim /etc/crypttab
secret  /dev/sdb1       /root/lukskey

Next reboot your node

[root@node1 ~]# reboot

This time your system should come up automatically without prompting for a passphrase to mount the LUKS encrypted partition.

After the reboot I check the mounted file systems and, as expected, /secret is already mounted.

[root@node1 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root   25G  3.8G   20G  16% /
devtmpfs                 1.9G     0  1.9G   0% /dev
tmpfs                    1.9G     0  1.9G   0% /dev/shm
tmpfs                    1.9G  9.2M  1.9G   1% /run
tmpfs                    1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/sda1                488M  134M  319M  30% /boot
/dev/mapper/secret       4.8G   20M  4.6G   1% /secret
tmpfs                    379M  8.0K  379M   1% /run/user/42
tmpfs                    379M     0  379M   0% /run/user/0
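The two pieces of configuration in this procedure, the crypttab line that names the key file and the fstab line that mounts the mapped device, have to agree with each other, and the key file is only as safe as its permissions. The shell script below is an added example, not code from the original article: it creates a key file the way the article does but under a 077 umask and with mode 0400 so it is never readable by other users, then audits a crypttab and fstab pair for three problems: a key of none (which brings the passphrase prompt back at boot), a missing or too-permissive key file, and a /dev/mapper entry in fstab with no crypttab line. The file paths are parameters, the demo runs on constructed files in a temporary directory, and the function names are my own.

```shell
# Added example, not code from the original article: create the LUKS key file
# with restrictive permissions and audit a crypttab/fstab pair for the mistakes
# that bring the passphrase prompt back or expose the key. Paths are parameters;
# the demo at the bottom uses constructed files in a temporary directory.

# Create a 32-byte random key file readable only by its owner. Refuses to
# overwrite an existing file so a key that is already enrolled is never lost.
make_keyfile() {
    keyfile="$1"
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing $keyfile" >&2
        return 1
    fi
    # umask 077 in a subshell makes the file 0600 from the moment it is created,
    # so there is no window in which it is readable by other users.
    (umask 077 && dd if=/dev/urandom bs=32 count=1 of="$keyfile" 2>/dev/null) || return 1
    chmod 0400 "$keyfile"
}

# Octal permission bits of a file (GNU stat, with the BSD syntax as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Audit a crypttab and fstab pair. Each crypttab entry must name a key file that
# exists and is mode 0400 or 0600 (a key of "none" is flagged because boot will
# stop for the passphrase), and every /dev/mapper/NAME in fstab needs a crypttab
# line for NAME. Returns the number of problems found, so 0 means clean.
audit_crypttab() {
    crypttab="$1"
    fstab="$2"
    problems=0

    while read -r name device key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ -z "$key" ] || [ "$key" = "none" ]; then
            echo "$name ($device): no key file, boot will prompt for the passphrase" >&2
            problems=$((problems + 1))
        elif [ ! -f "$key" ]; then
            echo "$name ($device): key file $key does not exist" >&2
            problems=$((problems + 1))
        else
            perm=$(perm_of "$key")
            case "$perm" in
                400|600) ;;
                *) echo "$name ($device): key file $key is mode $perm, expected 0400 or 0600" >&2
                   problems=$((problems + 1)) ;;
            esac
        fi
    done < "$crypttab"

    while read -r dev mnt rest; do
        case "$dev" in /dev/mapper/*) ;; *) continue ;; esac
        name=${dev#/dev/mapper/}
        if ! grep -q "^$name[[:space:]]" "$crypttab"; then
            echo "$dev is mounted by fstab but $name has no crypttab entry" >&2
            problems=$((problems + 1))
        fi
    done < "$fstab"

    return "$problems"
}

# Demo on constructed files mirroring the article's final configuration.
demo() {
    tmp=$(mktemp -d)
    make_keyfile "$tmp/lukskey"
    printf 'secret  /dev/sdb1  %s\n' "$tmp/lukskey" > "$tmp/crypttab"
    printf '/dev/mapper/secret  /secret  ext4  defaults  0 0\n' > "$tmp/fstab"
    if audit_crypttab "$tmp/crypttab" "$tmp/fstab"; then
        echo "crypttab/fstab audit clean"
    fi
    rm -rf "$tmp"
}
demo
```

On a real node run `audit_crypttab /etc/crypttab /etc/fstab` after editing either file and before rebooting; the exit status is the number of findings, so it drops into a pre-reboot checklist or a monitoring job as-is. The key file lives on the root file system in this article, so its permissions are the only thing standing between a local user and the volume key, which is why the 0400 check is treated as a failure rather than a warning.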

Lastly, I hope the steps in this article to auto mount a LUKS encrypted partition using fstab on Linux were helpful. Let me know your suggestions and feedback in the comment section.

5 Comments

  1. Just wondering why one would go to all the trouble of encrypting their disk data and then make the boot process automatically recover the pass phrase rather than prompting the user for it? Am I overlooking something?

    1. We never know what we get as a requirement. Honestly, even I wonder about this question, but there should always be a solution handy (if/when required) 🙂

      1. It can be used as a solution to unlock a second encrypted hard drive or partition, by storing its keyfile on the root partition that will be unlocked with a password. Otherwise you would have to enter the passphrase for every encrypted drive/partition, which is tedious…

        Would there be a way to have BOTH password and keyfile decryption? For example, to store the keyfile on a USB key which automatically unlocks the drive if present, or asks for the LUKS password otherwise? Maybe if the USB is mounted first, and both a passphrase and keyfile are present in the device keyslots? I suppose that the crypttab must have the “luks”
