I want to access a LUKS encrypted data partition after login, ideally without typing a password, obviously in a secure way.
My home directory is also encrypted with LUKS.
I found this tutorial: https://ubuntuforums.org/showthread.php?t=837416.
It feels completely unsafe to me, as anyone booting a live CD can access the root directory, thus the key, and thus decrypt the data on the other partition.
Here is what I have done so far:
Create a new key:
sudo dd if=/dev/urandom of=$HOME/.data_crypt_keyfile bs=1024 count=4
Make it read-only to root:
sudo chmod 0400 $HOME/.data_crypt_keyfile
Add this new key to the LUKS key slots:
sudo cryptsetup luksAddKey /dev/sdc1 $HOME/.data_crypt_keyfile
How do I automatically open this partition after login, and close it when logging out?
Best Answer
If your home folder itself is encrypted by LUKS, there should be no way for the key to be read without the home folder being decrypted (which only happens when you're logged in).
As long as the keyfile is actually read from your user directory (/home/<whatever>) and not /root, you should be okay.
As for auto-mount on login, you can use a simple script in your Startup Applications list (run after login succeeds, so it will work as long as you're mounting this drive to userspace). For logout, you can set it up to unmount when you kill your X session.
In short, you would do the following:
session-cleanup-script in /etc/lightdm/lightdm.conf. This will run whenever any session is killed, so this may not be the best option.
Caveats