Automatic disk encryption at terminal startup → Auto mount / Linux

Introduction

--When the machine is restarted, the LUKS mapping and the mount are lost, so this post describes how to unlock (open) the LUKS device and mount it automatically after boot.
--The environment is CentOS 7.
--For the LUKS encryption itself, see: Encrypt disk using cryptsetup command

1. Key file creation / registration

--Up to now a passphrase was entered to unlock the device; for automation, a key file can be used for authentication instead.

Creating a keyfile

dd bs=512 count=4 if=/dev/urandom of=/etc/mykeyfile

Restrict the key file to mode 600 (read / write by the owner only), since anyone who can read it can unlock the device

chmod 600 /etc/mykeyfile

Keyfile registration

cryptsetup luksAddKey /dev/sde /etc/mykeyfile

Enter any existing passphrase:  <-Enter an existing passphrase

Confirm keyfile registration

cryptsetup luksDump /dev/sde

LUKS header information for /dev/sde

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: ###
MK bits:        2##
MK digest:      ##################
MK salt:        ##################
                ##################
MK iterations:  ##################
UUID:           ##################

Key Slot 0: ENABLED
        Iterations:             ##################
        Salt:                   ##################
                                ##################
        Key material offset:    ##################
        AF stripes:             ##################
Key Slot 1: ENABLED
        Iterations:             ##################
        Salt:                   ##################
                                ##################
        Key material offset:    ##################
        AF stripes:             ##################
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

2. Confirming that the key file unlocks the device

--If the device is currently open and mounted, unmount it and close the mapping first, then check that it can be unlocked with the key file and mounted.

# Unlock (open) the LUKS device with the key file
cryptsetup luksOpen /dev/sde hogehoge --key-file /etc/mykeyfile
# Mount the opened mapper device
mount /dev/mapper/hogehoge /mnt/hogehoge/

3. Registration in crypttab

--By writing the settings in crypttab, the LUKS device is opened when the OS starts, so set it as follows.

vi /etc/crypttab

# Add the following line (fields are space-separated; the options are comma-separated with no spaces)
# {target name} {source device} {key file} luks,{options}
# timeout=5 ... if no passphrase is entered within 5 seconds, give up on this device and continue booting

hogehoge /dev/sde /etc/mykeyfile luks,timeout=5

4. Add the device mount to rc.local (and make it executable)

--rc.local is a shell script executed at the end of the boot process; the mount is placed here so that the device is mounted once startup is otherwise complete.

vi /etc/rc.local

# Add the following line
# The mount command that was previously run by hand
mount /dev/mapper/hogehoge /mnt/hogehoge/

Make rc.local executable

chmod 755 /etc/rc.d/rc.local
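Before rebooting, it is worth checking that the key file from step 1 and the crypttab entry from step 3 are consistent. The script below is an added example, not from the original post: it validates a crypttab line of the form used above, checks that the key file is present and mode 600, and reports whether each mapper device is currently open. The paths are passed in as arguments (the real ones from the post are /etc/mykeyfile and /etc/crypttab); it uses GNU stat as found on CentOS 7.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot sanity checks for the
# key-file auto-unlock setup. check_keyfile checks the key file is present,
# non-empty and mode 600; check_crypttab_line checks an /etc/crypttab entry
# has the four fields used above ({name} {device} {key file} {options}) and
# that the options include "luks" with no space after the comma.
# Uses GNU stat (CentOS 7). The paths passed in are hypothetical.

# Returns 0 if the key file exists, is non-empty and has mode 600.
check_keyfile() {
    f="$1"
    [ -s "$f" ] || { echo "key file missing or empty: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    [ "$mode" = "600" ] || { echo "$f has mode $mode, expected 600" >&2; return 1; }
    return 0
}

# Validates one crypttab line and prints the mapper name on success, e.g.
#   hogehoge /dev/sde /etc/mykeyfile luks,timeout=5   -> prints "hogehoge"
# "luks, timeout=5" (space after the comma) splits into five fields and fails.
check_crypttab_line() {
    set -- $1
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#" >&2; return 1; }
    name="$1"; dev="$2"; key="$3"; opts="$4"
    case "$dev" in /*) ;; *) echo "device must be absolute: $dev" >&2; return 1 ;; esac
    case "$key" in /*) ;; *) echo "key file must be absolute: $key" >&2; return 1 ;; esac
    case ",$opts," in *,luks,*) ;; *) echo "options lack luks: $opts" >&2; return 1 ;; esac
    echo "$name"
}

# Checks every entry of a crypttab file plus the key file each entry names,
# and reports whether the mapper device for each entry is currently open.
check_setup() {
    crypttab="$1"; rc=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        name=$(check_crypttab_line "$line") || { rc=1; continue; }
        set -- $line; key="$3"
        check_keyfile "$key" || rc=1
        if [ -b "/dev/mapper/$name" ]; then echo "$name: open"; else echo "$name: not open"; fi
    done < "$crypttab"
    return $rc
}

# Run against the real files when invoked as: sh check.sh /etc/crypttab
if [ $# -ge 1 ]; then check_setup "$1"; fi
```

Run it as root before the reboot so that the "open" report reflects the mapping created in step 2.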
