Goal: Mount an encrypted partition on a secondary disk to /home.
I needed more space for user files on my Linux desktop running on an SSD, so I wanted to use a second rotating disk to store user files. I also wanted to encrypt this disk.
- Create the encrypted partition and filesystem on the new rotating disk
- Configure the system to unlock the encrypted partition during boot
- Mount the partition to /home
We want to create an encrypted partition on the rotating disk. This command helps make sure we're picking the right disk: the ROTA column shows whether the device is a rotating disk.
$ lsblk -o NAME,UUID,TYPE,ROTA,FSTYPE,MOUNTPOINT
Let's say sdb is the SSD where the OS is installed, and sda is the rotating disk that we want to use.
Create a new partition
Create a partition table and a partition. If there is already a partition available on the disk to use for this setup, we can skip this step.
I'm assuming it's a brand new disk, and we're going to create only one partition using fdisk. Other partitioning schemes and tools may be used.
Creating a new partition table on a disk with existing data will erase all the data. If there is existing data or there are partitions on the disk, make sure to back up the data or follow a more specific guide to create the target partition.
$ sudo fdisk /dev/sda   # sda is the new rotating disk
# on the fdisk interactive prompt:
# to create a new partition table, press "o"
# to create a new primary partition, press "n" and then "p"
# we're using the whole disk for this partition, so the default size is fine
# to write changes to disk, press "w"
Now /dev/sda1 is our target partition.
Set up the encrypted device
We're setting up a dm-crypt encrypted partition in LUKS mode. First we need to make sure the required packages are installed and the dm_crypt kernel module is loaded.
$ sudo apt-get install cryptsetup
$ lsmod | grep dm_crypt
$ # if dm_crypt was not loaded, load the module
$ sudo modprobe dm_crypt
Create encrypted block device
We'll use the cryptsetup tool to set up dm-crypt managed mappings. I'm going to use the default parameters, but other parameters may be used to customize the encryption setup (cipher, key size, etc.).
$ sudo cryptsetup -v luksFormat /dev/sda1
$ # enter the encryption passphrase
The encryption passphrase will be required to access the data. If the passphrase is forgotten, it won't be possible to access the files on this partition, nor the metadata.
Now /dev/sda1 is an encrypted block device. Let's see the LUKS headers:
$ sudo cryptsetup luksDump /dev/sda1
Create the filesystem
The encrypted device must be unlocked before it can be accessed. Device mapper provides a new device which is mapped to the LUKS encrypted device. I'm going to name the mapped device sda1_crypt, but it can be any valid name.
$ sudo cryptsetup luksOpen /dev/sda1 sda1_crypt
$ # or, using a recent version of cryptsetup:
$ # sudo cryptsetup open --type luks /dev/sda1 sda1_crypt
We'll be prompted for the encryption passphrase. A new block device is created in /dev/mapper named sda1_crypt with a new UUID. This is a block device and the rest of the operations (creating a filesystem, mounting) should use this device instead of directly working on /dev/sda1. Later we'll mount this device to /home.
Now we can format the unlocked device with the desired filesystem. I'm using ext4 here, but any filesystem or formatting tool may be used.
$ sudo mkfs.ext4 /dev/mapper/sda1_crypt
Let's see our block device setup so far on this disk:
$ lsblk -o NAME,UUID,TYPE,FSTYPE,MOUNTPOINT /dev/sda
NAME           UUID                                 TYPE  FSTYPE      MOUNTPOINT
sda                                                 disk
└─sda1         93d58349-5972-4f41-b384-a4b4c6e3ce2a part  crypto_LUKS
  └─sda1_crypt 3e52fa81-5aa4-4f7e-9008-013c60961d9a crypt ext4
This shows we have an encrypted partition sda1 (UUID 93d58349...), and it's mapped to sda1_crypt (UUID 3e52fa81...).
Copy existing files
Our encrypted partition setup is ready to use. We can now mount this partition to move any existing files in /home there, if any. If there is no need to copy the files, we may skip this section.
$ sudo mkdir /mnt/encrypted_disk
$ sudo mount -t ext4 /dev/mapper/sda1_crypt /mnt/encrypted_disk
I'm using cp -a to copy the files since it's a local copy and cp is always available. Any other tool may be used.
$ sudo cp -axT /home/ /mnt/encrypted_disk/
Make sure all the files are copied, especially hidden dot files. You may also want to remove the existing files from /home, since they are not stored encrypted.
When we're done copying files, we can unmount the partition and remove the temporary mount point.
$ sudo umount /mnt/encrypted_disk
$ sudo rmdir /mnt/encrypted_disk
Unlock and mount on boot
To configure the system to unlock the device during boot, we can use /etc/crypttab. This file is like fstab, but it is read before fstab so that encrypted devices are unlocked before they are mounted.
Add the encrypted partition device (sda1) UUID, and the mapped device name to /etc/crypttab.
# <target name> <source device> <key file> <options>
# decrypt sda1 so it can be accessed from /dev/mapper/sda1_crypt
sda1_crypt UUID=93d58349-5972-4f41-b384-a4b4c6e3ce2a none luks,timeout=180
The commented line should be descriptive enough. The timeout option causes the passphrase prompt to time out after the specified number of seconds.
Add the unlocked LUKS device (sda1_crypt) UUID, and the mount point to /etc/fstab.
UUID=3e52fa81-5aa4-4f7e-9008-013c60961d9a /home ext4 defaults 0 0
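The UUID bookkeeping in these two files is where this setup most often goes wrong: the UUID of the crypto_LUKS partition belongs in /etc/crypttab, and the filesystem UUID of the unlocked /dev/mapper device belongs in /etc/fstab; if they are swapped, the /home mount fails at boot. The script below is an added example, not part of the original post: it cross-checks both files against `lsblk --pairs` output before rebooting. The three inputs are constructed samples reusing the UUIDs from this post, and the function names (check_boot_config, lsblk_uuid, crypttab_source_uuid, fstab_uuid_for) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that /etc/crypttab points
# at the LUKS container and /etc/fstab points at the unlocked filesystem, using
# the key="value" lines produced by `lsblk --pairs`.

# Constructed sample data mirroring the post's disk layout (values contain no spaces).
LSBLK_SAMPLE='NAME="sda" UUID="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" UUID="93d58349-5972-4f41-b384-a4b4c6e3ce2a" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sda1_crypt" UUID="3e52fa81-5aa4-4f7e-9008-013c60961d9a" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT=""'

CRYPTTAB_SAMPLE='# <target name> <source device> <key file> <options>
sda1_crypt UUID=93d58349-5972-4f41-b384-a4b4c6e3ce2a none luks,timeout=180'

FSTAB_SAMPLE='UUID=3e52fa81-5aa4-4f7e-9008-013c60961d9a /home ext4 defaults 0 0'

# Constructed mistake: the container UUID was pasted into fstab instead of the ext4 UUID.
FSTAB_SWAPPED='UUID=93d58349-5972-4f41-b384-a4b4c6e3ce2a /home ext4 defaults 0 0'

# lsblk_uuid <lsblk --pairs text> <KEY> <value>
# Prints the UUID of the first device whose KEY="value" matches (e.g. FSTYPE crypto_LUKS).
lsblk_uuid() {
    printf '%s\n' "$1" | awk -v key="$2" -v want="$3" '
        {
            u = ""; v = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                val = kv[2]; gsub(/"/, "", val)
                if (kv[1] == "UUID") u = val
                if (kv[1] == key) v = val
            }
            if (v == want) { print u; exit }
        }'
}

# crypttab_source_uuid <crypttab text> <target name>
# Prints the UUID from the source-device column of the named mapping, skipping comments.
crypttab_source_uuid() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 !~ /^#/ && $1 == name { sub(/^UUID=/, "", $2); print $2; exit }'
}

# fstab_uuid_for <fstab text> <mount point>
# Prints the UUID of the device that fstab mounts at the given mount point.
fstab_uuid_for() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp { sub(/^UUID=/, "", $1); print $1; exit }'
}

# check_boot_config <lsblk text> <crypttab text> <fstab text> <mapper name> <mount point>
# Returns 0 when crypttab names the LUKS container and fstab names the unlocked
# device; returns 1 and reports each mismatch on stderr otherwise.
check_boot_config() {
    container=$(lsblk_uuid "$1" FSTYPE crypto_LUKS)   # UUID of the crypto_LUKS partition
    unlocked=$(lsblk_uuid "$1" NAME "$4")             # UUID of the /dev/mapper device
    ct=$(crypttab_source_uuid "$2" "$4")
    fs=$(fstab_uuid_for "$3" "$5")
    status=0
    if [ -z "$container" ] || [ "$ct" != "$container" ]; then
        echo "crypttab: $4 should reference LUKS container UUID ${container:-?}, found ${ct:-nothing}" >&2
        status=1
    fi
    if [ -z "$unlocked" ] || [ "$fs" != "$unlocked" ]; then
        echo "fstab: $5 should reference unlocked device UUID ${unlocked:-?}, found ${fs:-nothing}" >&2
        status=1
    fi
    return $status
}

if check_boot_config "$LSBLK_SAMPLE" "$CRYPTTAB_SAMPLE" "$FSTAB_SAMPLE" sda1_crypt /home; then
    echo "sample config: crypttab and fstab are consistent with lsblk"
fi
if ! check_boot_config "$LSBLK_SAMPLE" "$CRYPTTAB_SAMPLE" "$FSTAB_SWAPPED" sda1_crypt /home; then
    echo "swapped sample: mismatch detected, do not reboot with this fstab"
fi
```

On a real system, replace the constructed strings with `lsblk --pairs -o NAME,UUID,TYPE,FSTYPE,MOUNTPOINT /dev/sda`, `cat /etc/crypttab` and `cat /etc/fstab` while the device is still unlocked, since the ext4 UUID is only visible through the mapped device. The check deliberately reads the mapper name from the crypttab target column, so renaming sda1_crypt in one file but not the other is reported as well.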