Mount LUKS encrypted hard drive at boot
I have Xubuntu 14.04 on an SSD (the HOME was encrypted correctly during installation); additionally I have an HDD with an encrypted partition containing extra data, which I would like to mount in /mnt/hdd. To do this I followed these steps:
(Previously I had encrypted the disk with LUKS following this post http://www.marclewis.com/2011/04/02/luks-encrypted-disks-under-ubuntu-1010/)
Check the UUID
sudo blkid
/dev/sda1: UUID="b3024cc1-93d1-439f-80ce-1b1ceeafda1e" TYPE="crypto_LUKS"
Make a keyfile with the right passphrase and save it in my HOME (which is also encrypted).
sudo dd if=/dev/urandom of=/home/[USERNAME]/.keyfiles/key_luks bs=1024 count=4
sudo chmod 0400 /home/[USERNAME]/.keyfiles/key_luks
Add the key
sudo cryptsetup luksAddKey /dev/sda1 /home/zeugor/.keyfiles/key_luks
New entry in /etc/crypttab
hddencrypted UUID=b3024cc1-93d1-439f-80ce-1b1ceeafda1e /home/[USERNAME]/.keyfiles/key_luks luks
Update the initial ramdisk
sudo update-initramfs -u -k all
Then, to test it, I used the following command to start cryptdisks:
sudo cryptdisks_start hddencrypted
* Starting crypto disk...
* hddencrypted (starting)..
* hddencrypted (started)...
To check hddencrypted was mapped:
ls /dev/mapper/
control hddencrypted
Create a mount point
mkdir /mnt/hdd
New entry in /etc/fstab
/dev/mapper/hddencrypted /mnt/hdd ext4 defaults 0 2
Validate fstab without reboot:
sudo mount -a
Mount the encrypted partition on boot
Now I have mounted it in /mnt/hdd as I intended. But I would like this to happen automatically after a reboot. However, before I can log in, I get this error:
the disk drive for /mnt/hdd is not ready yet or not permit
All this makes me think that /etc/crypttab can't access the keyfile, which is located in my HOME (another encrypted partition). I don't know the order in which the system decrypts and mounts the volumes. My HOME should be decrypted before my HDD so that the keyfile can be read.
I would appreciate any insight as to why this happens.
UPDATE: If I put the keyfile in /boot (not encrypted) instead of in /home/[USERNAME] (encrypted) and update the entry in /etc/crypttab, /dev/sda1 is mounted perfectly at boot time.
Solution 1:
A key file in the /boot directory can be read by any other operating system booted on your machine that is able to mount the filesystem on which /boot is located. Thus, the encryption is not really effective. This argument applies to all key file locations on unencrypted file systems.
To avoid key files on unencrypted file systems, a password can be used for decryption. Create a strong password for the device. Then change the line in /etc/crypttab to
hddencrypted UUID=b3024cc1-93d1-439f-80ce-1b1ceeafda1e none luks
and keep the entry in /etc/fstab unmodified. Ubuntu 14.04/16.04/18.04 asks you for the password on startup.
Solution 2:
Does it work if you replace "defaults" in fstab with
rw,suid,dev,exec,auto,user,async,relatime
(According to the mount man page, it's the same as "defaults" except for "user".)
Solution 3:
Make sure the hddencrypted partition is listed after the home partition, in both /etc/fstab and /etc/crypttab. As the crypttab(5) manpage states:
The order of records in crypttab is important because the init scripts sequentially iterate through crypttab doing their thing.
Also you could try adding the noearly option to the latter partition in /etc/crypttab:
hddencrypted UUID=<...> /home/[USERNAME]/.keyfiles/key_luks luks,noearly
In a normal situation, you could indicate that the home partition must be mounted first by adding it to CRYPTDISKS_MOUNT in /etc/default/cryptdisks, but since it is itself encrypted, I have a feeling that would not be a good idea.