Creating and mounting a LUKS encrypted disk
I've previously written about how to use 'cryptoloop' encryption on a flash drive or SD card. An encrypted SD card or USB stick is very handy when you have personal files you want to take with you between several different machines.But modern Gnome systems can't read cryptoloop. Or, rather, they can, but you have to fiddle with them as root -- they won't recognize and mount the filesystem automatically.
It turns out that's because the "new way", instead of cryptoloop, is to use a system called LUKS. But it has a few pitfalls, and there's no documentation about how to use it on a system that doesn't recognize it automatically. So here's some.
Creating a LUKS filesystem
(Updated December 2023)Palimpsest, described below, no longer seems to exist. But it's just as easy to set up a LUKS filesystem with cryptsetup.
I'm using "SECRET" as the disk label; this is a name you'll use to mount the disk later. Of course, all these commands require root.
cryptsetup -v luksFormat --label SECRET /dev/TARGET_DISK_PARTITIONRead more about luksFormat options in
man cryptsetup-luksFormat
.
Update: This used to be enough to make the device available in /dev/mapper,
but in 2024, you have to open it explicitly:
sudo cryptsetup luksOpen /dev/PARTITION SECRET
Now your new encrypted device is available on /dev/mapper/SECRET. Next, create a filesystem on the encrypted device:
mkfs.ext4 /dev/mapper/SECRET
Finally, make sure you can mount it:
mount /dev/mapper/SECRET /mnt(or wherever you prefer to mount it).
This next part, written in 2010, is now obsolete:
The easiest way is to use a program called palimpsest, available on Ubuntu in the gnome-disk-utility package. Run palimpsest with no arguments; click on the appropriate storage device, then click the obvious buttons to create partitions, label and format them. Click on the box to encrypt the partition, type your password, then sit back and wait while it creates the partition.
The label you give the partition is important: it will be used later to mount it.
All straightforward, right? Except for the one part that isn't: there's a button for safely removing the device after the busy cursor has stopped, and it never works. It always says the device is busy. Running a sync from a terminal doesn't work; waiting ten minutes doesn't help. So just shrug, quit palimpsest and eject the device. If you're lucky it created everything okay.
Mounting a LUKS filesystem from Gnome or Another Desktop
In theory, you should be able to plug in the device and after a few seconds you'll be prompted for your password. If it doesn't, which sometimes happens, try again, wait longer this time and cross your fingers. If it still doesn't mount, try the command-line version in the next section. Even if it doesn't work, you might get a useful error message.
Mounting a LUKS filesystem from the commandline
Assuming you used the partition label "SECRET" when you created the LUKS encrypted partition, the physical partition is on /dev/sdb2, and you want to mount it on /media/SECRET (which already exists), these two commands (as root) will mount it:
sudo cryptsetup luksOpen /dev/sdb2 SECRET (prompts for sudo password) (prompts for LUKS password) sudo mount /dev/mapper/SECRET /media/SECRET
Easy -- yet a bit frustrating. There seems to be no way to do this purely through /etc/fstab, so you have to remember the cryptsetup command, or write an alias or script to do the two steps for you. And you always have to type your sudo password as well as the password for the filesystem, whereas with cryptoloop you only needed the filesystem's password.
In the end, I'm not convinced LUKS is a win. But since it's so hard to manage cryptoloop filesystems from a Gnome desktop, it's probably worth hassling with LUKS if you need to be able to interoperate with Gnome.
Update: I wrote that yesterday. Today, maybe three weeks after I started using the card on a fairly regular basis to transfer personal files between home and laptop, I had a filesystem failure: I wrote to the card from the desktop, synced, unmounted, put it in the laptop -- and got I/O errors and "You must specify filesystem type" trying to mount it. I was able to fsck, and it apparently restored from an old journal -- including old data.
No loss here, because the card is just a copy of what was on the desktop machine. But the lesson here is: these encrypted cards are great for emergency backups. But you probably don't want to rely on one as your main storage for anything important.
[ 13:57 Oct 05, 2010 More linux | permalink to this entry | ]