Creating and mounting a LUKS encrypted disk (Shallow Thoughts)

Akkana's Musings on Open Source, Science, and Nature.

Tue, 05 Oct 2010

Creating and mounting a LUKS encrypted disk

I've previously written about how to use 'cryptoloop' encryption on a flash drive or SD card. An encrypted SD card or USB stick is very handy when you have personal files you want to take with you between several different machines.

But modern Gnome systems can't read cryptoloop. Or, rather, they can, but you have to fiddle with them as root -- they won't recognize and mount the filesystem automatically.

It turns out that's because the "new way", instead of cryptoloop, is to use a system called LUKS (Linux Unified Key Setup, the standard on-disk format for dm-crypt volumes). But it has a few pitfalls, and there's no documentation about how to use it on a system that doesn't recognize it automatically. So here's some.

Creating a LUKS filesystem

The easiest way is to use a program called palimpsest, available on Ubuntu in the gnome-disk-utility package. Run palimpsest with no arguments; click on the appropriate storage device, then click the obvious buttons to create partitions, label and format them. Click on the box to encrypt the partition, type your passphrase (this is what unlocks the disk key, so pick a long one), then sit back and wait while it creates the partition.

The label you give the filesystem is important: Gnome uses it to name the mount point under /media when it mounts the device automatically. (The name you hand to cryptsetup on the command line, below, is a separate choice, though using the same word for both keeps things simple.)

All straightforward, right? Except for the one part that isn't: there's a button for safely removing the device after the busy cursor has stopped, and it never works. It always says the device is busy. Running a sync from a terminal doesn't work; waiting ten minutes doesn't help. So just shrug, quit palimpsest and eject the device. If you're lucky it created everything okay.

Mounting a LUKS filesystem from Gnome

In theory, you should be able to plug in the device and after a few seconds Gnome will prompt for your password. If it doesn't, which sometimes happens, maybe you killed palimpsest too early; try again and wait longer this time. If it still doesn't work, maybe the commandline will.

Mounting a LUKS filesystem from the commandline

Assuming you used the filesystem label "secret" when you created the LUKS encrypted partition, the physical partition is on /dev/sdb2, and you want to mount it on /media/secret (which already exists), these two commands (run via sudo) will mount it. The last argument to luksOpen is the name of the decrypted device that will appear under /dev/mapper; it doesn't have to match the label, but using the same word keeps things straight:

sudo cryptsetup luksOpen /dev/sdb2 secret
  (prompts for sudo password)
  (prompts for LUKS password)
sudo mount /dev/mapper/secret /media/secret

Easy -- yet a bit frustrating. /etc/fstab alone can't do this: it only knows about the decrypted /dev/mapper/secret device, and something has to create that first. The system-wide mechanism for that is /etc/crypttab, which the cryptsetup init scripts process at boot, so it doesn't help much with a card you plug in later. So you have to remember the cryptsetup command, or write an alias or script to do the two steps for you. And you always have to type your sudo password as well as the passphrase for the filesystem, whereas with cryptoloop you only needed the filesystem's password.
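Here is the kind of script the previous paragraph suggests, written for this page as an added example (it is not from the original post or from the cryptsetup project). It covers both halves of the procedure above: the one-time creation step done by palimpsest in the "Creating a LUKS filesystem" section, and the luksOpen/mount pair from this section, plus the matching unmount/luksClose step so nothing is left unlocked when the card is pulled. The script name (luks-card), the DRY_RUN variable and the default /media/NAME mount point are assumptions of this example; the cryptsetup, mount, umount and mkfs.ext4 invocations are the standard ones.

```shell
#!/bin/sh
# luks-card: hypothetical helper (not part of the original post) that wraps
# the cryptsetup/mount steps into single commands:
#   luks-card format /dev/sdb2 secret   # one-time: LUKS container + ext4 labelled "secret"
#   luks-card open   /dev/sdb2 secret   # /dev/mapper/secret mounted on /media/secret
#   luks-card close  secret             # umount, then release the mapping
# Run it with sudo. DRY_RUN=1 prints the commands instead of executing them.

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The mapper name becomes /dev/mapper/<name> and /media/<name>: refuse
# anything empty, containing a slash, or "." / "..", which would escape
# those directories.
valid_name() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# Open the LUKS container (prompts for the passphrase) and mount it.
# If the mount fails, close the mapping again so no unlocked device is left.
luks_open_mount() {
    dev=$1; name=$2; mnt=${3:-/media/$name}
    valid_name "$name" || { echo "bad mapper name: $name" >&2; return 2; }
    run cryptsetup luksOpen "$dev" "$name" || return 1
    run mkdir -p "$mnt" || return 1
    if ! run mount "/dev/mapper/$name" "$mnt"; then
        run cryptsetup luksClose "$name"
        return 1
    fi
}

# Flush, unmount, and release the mapping before the card is pulled.
luks_umount_close() {
    name=$1; mnt=${2:-/media/$name}
    valid_name "$name" || { echo "bad mapper name: $name" >&2; return 2; }
    run sync
    run umount "$mnt" || return 1
    run cryptsetup luksClose "$name"
}

# One-time setup: LUKS container, then an ext4 filesystem whose label is
# the name Gnome will use for the mount point. This destroys the partition.
luks_format() {
    dev=$1; name=$2
    valid_name "$name" || { echo "bad mapper name: $name" >&2; return 2; }
    run cryptsetup luksFormat "$dev" || return 1          # asks for confirmation + passphrase
    run cryptsetup luksOpen "$dev" "$name" || return 1    # asks for the passphrase again
    if ! run mkfs.ext4 -L "$name" "/dev/mapper/$name"; then
        run cryptsetup luksClose "$name"
        return 1
    fi
    run cryptsetup luksClose "$name"
}

main() {
    case "$1" in
        format) luks_format "$2" "$3" ;;
        open)   luks_open_mount "$2" "$3" "$4" ;;
        close)  luks_umount_close "$2" "$3" ;;
        *) echo "usage: $0 format DEV NAME | open DEV NAME [MOUNTPOINT] | close NAME [MOUNTPOINT]" >&2
           return 2 ;;
    esac
}

# Only dispatch when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Invoke it as `sudo luks-card open /dev/sdb2 secret` and `sudo luks-card close secret`. The sudo prompt remains, because creating the device mapping needs root; a NOPASSWD sudoers rule for this one script would remove the second prompt, at the cost of trusting everything the script does with root. The `close` step is the counterpart the two-command version above leaves out: unmounting alone flushes the filesystem, but the unlocked /dev/mapper/secret stays open until luksClose is run.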

In the end, I'm not convinced LUKS is a win. But since it's so hard to manage cryptoloop filesystems from a Gnome desktop, it's probably worth hassling with LUKS if you need to be able to interoperate with Gnome.

Update: I wrote that yesterday. Today, maybe three weeks after I started using the card on a fairly regular basis to transfer personal files between home and laptop, I had a filesystem failure: I wrote to the card from the desktop, synced, unmounted, put it in the laptop -- and got I/O errors and "You must specify filesystem type" trying to mount it. I was able to fsck, and it apparently restored from an old journal -- including old data.

No loss here, because the card is just a copy of what was on the desktop machine. But the lesson is: these encrypted cards are great for emergency backups, but you probably don't want to rely on one as your main storage for anything important.

[ 12:57 Oct 05, 2010    More linux ]