Context

This article refers to creating a LUKS encrypted backup drive for Ubuntu 16.04 Xenial Xerus - but the steps are likely very similar for any modern Linux distro.

The exisiting main boot drive is encrypted. The main user’s home drive is also encrypted. The aim is to have a partition on an additional (internal) hard drive which is LUKS encrypted and automatically unlocked on boot. If the disk is removed, it should require a keyfile for decryption. The purpose of this is to locally backup up sensitive data automatically.

This will ensure that data remains secure - it will be encrypted at rest, and only accessible after booting the OS on the encrypted boot drive - data will be protected by the keyfile, which in turn is inaccessible until the main OS boots, which in turn recquires the encryption passphrase.

Encrypt the Partition

Encrypt the partition using the Gnome Disk utility:

• Select and unmount the partion
• Format partition - select “Encrypted, compatible with Linux systems(LUKS _ Ext4)” in the “Type” dropdown
• Enter a passphrase when prompted save this passphrase: it can be used to unlock the partition in the event of disaster recovery

Whilst in the Disks utility, you can also mount the partition.

Note the device name for the partition (e.g. /dev/sdb*).

Create a Keyfile in the Root User Home Directory

Make a keyfile in the root user home directory:

sudo mkdir /root/.keyfiles
sudo dd if=/dev/urandom of=/root/.keyfiles/hdd-1.key bs=1024 count=4
# Make this read-only by owner (in this case, root):
sudo chmod 0400 /root/.keyfiles/hdd-1.key

Add Keyfile to LUKS

LUKS/dm_crypt enabled devices may hold up to 10 different keyfiles/passwords.

In addition to having the already setup password, we’re going to add this keyfile as additional authorization method:

# Replace 'sdX' with the correct device designation
sudo cryptsetup luksAddKey /dev/sdb2 /root/.keyfiles/hdd-1.key

Determine the UUID of the Partition

ls -l /dev/disk/by-uuid/
total 0
lrwxrwxrwx 1 root root 10 Oct 15 10:23 00d75d72-84b0-418f-7dda-2d42002fe045 -> ../../sdX
...

Create a Mapper

Create a mapper in crypttab that references the keyfile:

# /etc/crypttab
# Append this line - add the relevant UUID - first value is the identifier for this mapping
sdX_crypt UUID=00d75d72-84b0-418f-7dda-2d42002fe045 /root/.keyfiles/hdd-1.key luks,discard

Mount on Boot

To mount the partition on boot:

1. Create a mount point
2. Add a command to /etc/fstab

# Create a mount point:
sudo mkdir /media/secure-hdd

# Edit /etc/fstab:
sudo nano /etc/fstab

# /etc/fstab
# Append this line:
/dev/mapper/sdX_crypt /media/secure-hdd ext4 defaults 0 2

Reboot to check it works.

Open without Keyfile

• Install cryptsetup
• Decrypt the volume using the original passphrase
• Mount

Install cryptsetup:

sudo apt install cryptsetup

Decrypt the volume:

sudo cryptsetup luksOpen /dev/sdX sdX_crypt
# Enter passphrase when prompted

Mount:

sudo mkdir /media/secure-hdd-recovered
sudo mount /dev/mapper/sdX_crypt /media/secure-hdd-recovered

Resources

• Guide from 2008, but largely still relevant
• https://askubuntu.com/questions/450895/mount-luks-encrypted-hard-drive-at-boot#541352
• Mount a LUKS encrypted drive