This article refers to creating a LUKS encrypted backup drive for Ubuntu 16.04 Xenial Xerus - but the steps are likely very similar for any modern Linux distro.
The existing main boot drive is encrypted. The main user’s home drive is also encrypted. The aim is to have a partition on an additional (internal) hard drive which is LUKS encrypted and automatically unlocked on boot. If the disk is removed, it should require a keyfile for decryption. The purpose of this is to locally back up sensitive data automatically.
This ensures that the data remains secure: it is encrypted at rest and only accessible after booting the OS on the encrypted boot drive. The data is protected by the keyfile, which in turn is inaccessible until the main OS boots, which in turn requires the encryption passphrase.
Encrypt the Partition
Encrypt the partition using the Gnome Disk utility:
- Select and unmount the partition
- Format the partition - select “Encrypted, compatible with Linux systems (LUKS + Ext4)” in the “Type” dropdown
- Enter a passphrase when prompted and save it: it can be used to unlock the partition in the event of disaster recovery
Whilst in the Disks utility, you can also mount the partition.
Note the device name for the partition (e.g.
Create a Keyfile in the Root User Home Directory
Make a keyfile in the root user home directory:
Add Keyfile to LUKS
LUKS/dm-crypt enabled devices may hold up to 10 different keyfiles/passwords.
In addition to the passphrase already set up, we’re going to add this keyfile as an additional unlock method:
Determine the UUID of the Partition
Create a Mapper
Create a mapper entry in /etc/crypttab that references the keyfile:
Mount on Boot
To mount the partition on boot:
- Create a mount point
- Add a command to
Reboot to check it works.
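The keyfile, key-slot, crypttab and fstab steps above collected into one script, as an added example that is not part of the original article. The keyfile path /root/backup.key, the mapper name backup and the mount point /mnt/backup are assumptions; the crypttab and fstab line builders can be checked without root, while the device setup needs root and a real LUKS partition.

```shell
#!/bin/sh
# Added example (not from the original article): automate "keyfile unlock on boot"
# for an already LUKS-formatted partition. Assumed paths: keyfile /root/backup.key,
# mapper name "backup", mount point /mnt/backup.
set -eu

KEYFILE="${KEYFILE:-/root/backup.key}"
MAPPER="${MAPPER:-backup}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/backup}"

# /etc/crypttab line: <mapper name> <source device by UUID> <keyfile> <options>
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$2" "$1" "$3"
}

# /etc/fstab line for the unlocked mapper device (ext4, fsck pass 2).
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Accept only a UUID of the form blkid prints (8-4-4-4-12 lowercase hex).
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Needs root. $1 is the LUKS partition device, e.g. /dev/sdb1.
setup_keyfile_unlock() {
    dev="$1"
    umask 077                      # keyfile is created readable by root only
    dd if=/dev/urandom of="$KEYFILE" bs=1024 count=4
    chmod 0400 "$KEYFILE"
    # Adds the keyfile to a free key slot; prompts for the existing passphrase.
    cryptsetup luksAddKey "$dev" "$KEYFILE"
    uuid=$(blkid -s UUID -o value "$dev")
    is_uuid "$uuid" || { echo "could not read UUID of $dev" >&2; return 1; }
    mkdir -p "$MOUNTPOINT"
    crypttab_line "$uuid" "$MAPPER" "$KEYFILE" >> /etc/crypttab
    fstab_line "$MAPPER" "$MOUNTPOINT" >> /etc/fstab
    echo "added crypttab/fstab entries for $MAPPER; reboot to verify" >&2
}

# Usage: sudo sh luks-backup-setup.sh /dev/sdXN
if [ "$#" -eq 1 ]; then
    setup_keyfile_unlock "$1"
fi
```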
Open without Keyfile
- Decrypt the volume using the original passphrase
Decrypt the volume: