dotfiles/guides/02_AUTOMOUNTING_ENCRYPTED_PARTITIONS.md

Auto-mounting other encrypted partitions

If you've set up multiple encrypted partitions (a common reason to do so is having multiple drives), you will likely want to have these other partitions mounted automatically after the root partition, during the boot process.

Tip

You can safely skip this guide if you only have a single encrypted partition (with the root).

/etc/crypttab

With encrypted partitions you can't simply put the mounting instructions into /etc/fstab, because the filesystem inside the LUKS container doesn't exist as a block device until the container has been opened. Instead there is a file designed precisely for this purpose: /etc/crypttab. Just like with fstab, systemd reads crypttab during boot (through systemd-cryptsetup-generator) and attempts to open each entry, creating a decrypted mapper device for it; mounting is still left to fstab.

From here, you can add entries for mounting your encrypted partitions, like so:

# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>         <device>             <password>       <options>
cryptdata        LABEL=DATA           none             discard

Note

The discard option passes TRIM requests through the dm-crypt layer to the SSD, which helps its wear levelling and performance. It is not needed on an HDD. Be aware of the trade-off: with discard enabled, someone who gets hold of the drive can see which blocks are unused, so the size and rough layout of the filesystem inside the container leak. For a personal machine this is usually an acceptable trade; if you want the ciphertext to stay indistinguishable from random data, leave the option out.

The <name> field specifies the name of the decrypted mapper device, so in this case the decrypted device will appear as /dev/mapper/cryptdata. We can then add mounting instructions for that mapper device to /etc/fstab. Note that LABEL= in crypttab must refer to the label of the LUKS container itself (LUKS2 supports labels), not to the label of the filesystem inside it, which only becomes visible after unlocking; the fstab example below uses ARCH_LUKS for the container and ARCH for the filesystem inside it.

With none in the <password> field, you will be prompted for the passphrase of that partition on every boot. If you only have one encrypted partition like this and your root partition isn't encrypted, this is sufficient.

Key files

That said, if you have multiple encrypted partitions, or your root partition is encrypted too, you might find it pretty annoying to have to enter a password for each of your encrypted partitions every time.

For this reason, crypttab has the <password> field, which we originally left as none. It can instead hold the path to a "key file": a file whose contents unlock one of the LUKS key slots in exactly the way a typed passphrase does.

Important

Storing the unlock secret in a key file like this is only safe if the key file lives on a partition that is itself encrypted and was unlocked another way (usually by prompting for its passphrase), and if the file is readable by root only. Otherwise anyone who can read the key file can decrypt the partition, and the encryption protects nothing.

In this example, we'll be storing the key files in /etc/secrets, which is safe as our root partition is encrypted.

LUKS has support for multiple keys (key slots) for the same partition. We'll use this and add a second key slot to every partition that we wish to auto-mount, leaving the original passphrase in place as a fallback.

# Directory readable by root only, created with that mode from the start
mkdir -p -m 700 /etc/secrets
# umask 077 so the key file is never readable by others, not even briefly;
# iflag=fullblock guarantees a full 4096-byte read rather than a short one
(umask 077; dd if=/dev/random bs=4096 count=1 iflag=fullblock of=/etc/secrets/keyFile-data.bin)
chmod 400 /etc/secrets/keyFile-data.bin

The bs argument is the block size in bytes and count=1 writes a single block, so this creates a 4096-byte (32768-bit) key file. That is far more randomness than a LUKS key slot needs, but the extra size costs nothing: cryptsetup simply reads the whole file and uses it as the passphrase.

Now we can add this key to the LUKS header of the data partition. cryptsetup first asks for an existing passphrase, since only someone holding a valid key may enrol another:

cryptsetup luksAddKey /dev/disk/by-label/DATA --new-keyfile /etc/secrets/keyFile-data.bin

Finally, we modify the /etc/crypttab record and use the new key file as the password for this partition. The path lives on the root filesystem, so systemd can only read it after the root passphrase has been entered and root is mounted:

# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>         <device>       <password>                       <options>
cryptdata        LABEL=DATA     /etc/secrets/keyFile-data.bin    discard
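The three steps above (create the key file, enrol it, reference it in crypttab) as one script, with the check you want before rebooting: proving that the new slot really opens the device. This is an added example and not code from the dotfiles repository; the paths and the DATA label are the guide's placeholders, and cryptsetup's --test-passphrase mode is used for the verification.

```shell
#!/bin/sh
# Added example, not from the dotfiles repo: provision a LUKS key file safely,
# enrol it, and verify the slot. Paths and the DATA label follow the guide and
# are placeholders for your own layout. Run as root for the cryptsetup steps.

# make_keyfile PATH [BYTES]
# Writes BYTES (default 4096, i.e. 32768 bits) of kernel randomness to PATH.
# The directory is created 0700 and the file is born 0600 (umask 077), then
# locked to 0400, so there is no window in which another user could read it.
make_keyfile() {
    path=$1
    bytes=${2:-4096}
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key file $path" >&2
        return 1
    fi
    mkdir -p "$(dirname "$path")" && chmod 700 "$(dirname "$path")" || return 1
    # head -c never returns a short read, unlike a single dd read() can.
    (umask 077 && head -c "$bytes" /dev/urandom > "$path") || return 1
    chmod 400 "$path"
}

# keyfile_is_private PATH
# True only for a regular file with no group/other permission bits that is
# owned by the invoking user (root, when run for real).
keyfile_is_private() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# add_luks_keyfile DEVICE KEYFILE
# Enrols KEYFILE in a free key slot (cryptsetup prompts for an existing
# passphrase), then proves the slot works: --test-passphrase unlocks with the
# key file and discards the result without creating a mapping or mounting.
add_luks_keyfile() {
    keyfile_is_private "$2" || { echo "refusing: $2 is not private" >&2; return 1; }
    cryptsetup luksAddKey "$1" --new-keyfile "$2" || return 1
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Usage, as root, matching the guide's layout:
#   make_keyfile /etc/secrets/keyFile-data.bin
#   add_luks_keyfile /dev/disk/by-label/DATA /etc/secrets/keyFile-data.bin
#   cryptsetup luksDump /dev/disk/by-label/DATA    # a second key slot should now be in use
```

The refusal to overwrite an existing key file matters: a key file that is already enrolled in a header and then silently replaced leaves you with a crypttab entry that can no longer open the partition at the next boot.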

/etc/fstab

While crypttab opens the encrypted block devices and creates the mapper devices for them, mounting those devices on a concrete directory is still fstab's job. Each /dev/mapper/<name> that fstab mounts must match the <name> of a crypttab entry (except the root mapper, which the initramfs opens); systemd simply waits for the mapper device to appear before running the mount. Below is the /etc/fstab that I use on my system:

# Static information about the filesystems.
# See fstab(5) for details.

# <file system> <dir> <type> <options> <dump> <pass>

# region: Physical partitions

# /dev/nvme0n1p2 LABEL=SWAP UUID=d262a2e5-a1a3-42b1-ac83-18639f5e8f3d
/dev/disk/by-label/SWAP 	none          	swap      	defaults  	0 0

# /dev/nvme0n1p1 LABEL=EFI  UUID=44E8-EB26
/dev/disk/by-label/EFI  	/efi          	vfat      	rw,relatime,fmask=0137,dmask=0027,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 	0 2

# endregion
# region: BTRFS subvolumes on /dev/disk/by-label/ARCH (decrypted from ARCH_LUKS)

# /dev/mapper/cryptfs LABEL=ARCH UUID=bffc7a62-0c7e-4aa9-b10e-fd68bac477e0
/dev/mapper/cryptfs	/         	btrfs     	rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvol=/@         	0 1
/dev/mapper/cryptfs	/home     	btrfs     	rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvol=/@home     	0 1
/dev/mapper/cryptfs	/var/log  	btrfs     	rw,noatime,compress=zstd:2,ssd,space_cache=v2,subvol=/@log      	0 1
/dev/mapper/cryptfs	/var/cache	btrfs     	rw,noatime,compress=zstd:3,ssd,space_cache=v2,subvol=/@cache    	0 1
/dev/mapper/cryptfs	/tmp      	btrfs     	rw,noatime,compress=no,ssd,space_cache=v2,subvol=/@tmp          	0 1
/dev/mapper/cryptfs	/data     	btrfs     	rw,noatime,compress=zstd:5,ssd,space_cache=v2,subvol=/@data     	0 2
/dev/mapper/cryptfs	/.btrfs   	btrfs     	rw,noatime,ssd,space_cache=v2                                   	0 2 # btrfs root

# endregion
# region: Bind mounts

# Write kernel images to /efi/arch, not directly to efi system partition (esp), to avoid conflicts when dual booting
/efi/arch-1 	    /boot     	none      	rw,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro,bind 	0 0

# endregion
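A consistency check between the two files, worth running before a reboot: every /dev/mapper/<name> that fstab mounts (other than the root mapping, which the initramfs opens) must have a crypttab entry of that name, and every key file that crypttab references must exist and be readable by its owner only. This is an added example, not part of the dotfiles; it takes the two file paths as arguments so it can be pointed at copies, and the sample files in the usage comment are constructed rather than the author's.

```shell
#!/bin/sh
# Added example, not from the dotfiles repo: audit /etc/crypttab against
# /etc/fstab before rebooting. Both file paths are arguments so it can be run
# against copies. Key files given with :offset suffixes or as device nodes
# are not handled (the guide only uses plain file paths).

# crypt_config_problems CRYPTTAB FSTAB
# Prints one line per problem found (nothing when the files agree).
crypt_config_problems() {
    crypttab=$1
    fstab=$2
    # The device mounted on / is opened by the initramfs, never by crypttab,
    # so it (and every subvolume mounted from it) is exempt from the check.
    rootdev=$(awk '!/^[[:space:]]*#/ && $2 == "/" { print $1; exit }' "$fstab")
    names=$(awk '!/^[[:space:]]*#/ && NF >= 2 { print $1 }' "$crypttab")

    # 1. Every /dev/mapper/<name> in fstab needs a crypttab entry <name>.
    awk '!/^[[:space:]]*#/ && $1 ~ "^/dev/mapper/" { print $1 }' "$fstab" | sort -u |
    while read -r dev; do
        [ "$dev" = "$rootdev" ] && continue
        name=${dev#/dev/mapper/}
        printf '%s\n' "$names" | grep -qx -- "$name" ||
            echo "fstab mounts $dev but no crypttab entry named '$name' opens it"
    done

    # 2. Every key file in the <password> field must exist and be 0400/0600.
    awk '!/^[[:space:]]*#/ && NF >= 3 { print $1, $3 }' "$crypttab" |
    while read -r name password; do
        case "$password" in
            none|-) continue ;;    # prompted at boot: nothing on disk to check
        esac
        if [ ! -f "$password" ]; then
            echo "crypttab entry '$name': key file $password does not exist"
            continue
        fi
        mode=$(stat -c '%a' "$password")
        case "$mode" in
            400|600) ;;
            *) echo "crypttab entry '$name': key file $password is mode $mode, expected 400" ;;
        esac
    done
}

# check_crypt_config CRYPTTAB FSTAB
# Prints the problems and returns their count, so 0 means the files agree.
check_crypt_config() {
    out=$(crypt_config_problems "$1" "$2")
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return "$(printf '%s\n' "$out" | wc -l | tr -d ' ')"
}

# Usage on a live system (as root, so the key files can be inspected):
#   check_crypt_config /etc/crypttab /etc/fstab && echo "crypttab and fstab agree"
```

A missing crypttab entry shows up at boot as a mount unit that waits for a device which never appears, so catching it here, while the system is still up, saves a trip into the emergency shell.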