Roland Mas: Automounting a LUKS-encrypted USB key
You have a computer. You're afraid of it being stolen by baddies or
raided by the police, so you've encrypted its hard disk with LUKS.
You also want to carry around some of your crypto keys (SSH and/or
GPG), or any kind of sensitive data, on an USB key, so you can restore
a normal activity in case the computer gets stolen or becomes
untrustworthy. You like things that Just Work, including automounting
with
autofs
(no GUI popups, no need to manually unmount and so on).
But of course, you can't very well just mount the drive and store your
keys on it in the clear. Well, actually you can (I did it for way too
long), but let's assume you want to do without. Because USB keys get
stolen or lost, too.
autofs
just handles the mounting of the drives, not their unlocking,
and there's no hook in there specifically for LUKS. There is,
however, a more generic way of running arbitrary commands on mounting:
the program maps. It's all described in the documentation, so I'll
just paste the relevant parts of my /etc/auto.removable
, with a few
comments. Remember to make it executable and reference it in
/etc/auto.master
.
The astute reader will have noticed that the keys volume is mounted either read-only or read-write with the same mechanism. This volume contains SSH keys that I use quite regularly, that filesystem is going to be mounted and unmounted very often. USB keys, and flash memory in general, don't really like repeated writes. Fortunately, the SSH keys are mostly read, and very rarely written to, so I can afford to mount the partition read-only and save the write cycles for when I generate new keys (the mere action of mounting a partition read-write changes it, even if the files in it are never modified). The backups volume is mostly accessed in write mode, and much less frequently anyway, so there's no need for a distinction there. This supposes that the partitions on the USB key appear as#! /bin/sh volume=$1 autoluks () dev=/dev/$1 cryptname=$ 1 _crypt cryptdev=/dev/mapper/$cryptname keyfile=/etc/private/$cryptname.key options=$2 [ ! -e $dev ] && exit 0 if [ -b $cryptdev ] && ! cryptsetup status $cryptname grep -q device:.*$dev ; then cryptsetup remove $cryptname logger fi cryptsetup --key-file $keyfile luksOpen $dev $cryptname logger [ -b $cryptdev ] && echo $options :$cryptdev true case "$volume" in # LUKS-encrypted volumes lacie-keys) autoluks lacie-keys -fstype=ext4,ro,noatime,nodev,noexec,nosuid ;; lacie-keys-rw) autoluks lacie-keys -fstype=ext4 ;; lacie-backups) autoluks lacie-backups -fstype=ext4 ;; # Non-encrypted volumes cd) echo -fstype=iso9660,ro,nodev,nosuid :/dev/cdrom ;; floppy) echo -fstype=auto,sync,nodev,nosuid :/dev/fd0 ;; esac
/dev/lacie-keys
and /dev/lacie-backups
. Due to the dynamic naming
of devices, you may like to use rules similar to the following in
/etc/udev/rules.d/local
.
You'll also need to initialize LUKS on the partitions, save the key, make the filesystems, and so on. If you're still with me, you probably know what I'm talking about, then I don't need to explain about that. This setup works for me, but there's no guarantee and so on. Based on a tutorial found on the Debian Administration website (great resource, by the way). Update: I'm told a large part of the script could be replaced withKERNEL=="sd[a-z]1", ATTRS idProduct =="1027", ATTRS idVendor =="059f", ATTRS manufacturer =="LaCie", ATTRS product =="LaCie iamaKey", SYMLINK+="lacie-keys" KERNEL=="sd[a-z]2", ATTRS idProduct =="1027", ATTRS idVendor =="059f", ATTRS manufacturer =="LaCie", ATTRS product =="LaCie iamaKey", SYMLINK+="lacie-backups"
pmount
. If you like short scripts, you may want to investigate that
too.
Update 2: Josselin points out
a different solution using
Gnome, udisks
, gnome-disk-utility
and Nautilus. It's worth
checking out, for those who like to run all that and click around. I
can't test it right now (Gnome/Nautilus currently refuses to mount any
USB key, for some presumably transitional reason), but I have no
reason to believe it's inherently broken. I just don't like having to
do anything when I plug my key or before I unplug it, and I'm not
always running a graphical session with a desktop.