Ubuntu – How to securely mount LUKS partition at login

16.04encryptionluks

I want to access a LUKS encrypted data partition after login, ideally without typing a password, obviously in a secure way.

My home directory is also encrypted with LUKS.

I found this tutorial: https://ubuntuforums.org/showthread.php?t=837416.

It feels completely un-safe to me as anyone booting a live cd can access the root directory, thus the key, thus de-crypt the data of the other partition.

Here is what I have done so far,

Create a new key:

sudo dd if=/dev/urandom of=$HOME/.data_crypt_keyfile bs=1024 count=4

Make it read-only to root:

sudo chmod 0400 $HOME/.data_crypt_keyfile

Add this new key to the LUKS key slots:

sudo cryptsetup luksAddKey /dev/sdc1 $HOME/.data_crypt_keyfile

How do I automatically open this partition after login, and close it when logging-out?

Best Answer

If your home folder itself is encrypted by LUKS, there should be no way for the key to be read without the home folder being decrypted (which only happens when you're logged in).

As long as the keyfile is actually read from your user directory (/home/<whatever>) and not /root, you should be okay.

As for auto-mount on login, you can use a simple script in your Startup Applications list (run after login succeeds, so it will work as long as you're mounting this drive to userspace). For logout, you can set it up to unmount when you kill your X session.

In short, you would do the following:

Create a small script that will unmount the encrypted drive from wherever it's mounted
Add this to session-cleanup-script in /etc/lightdm/lightdm.conf. This will run whenever any session is killed, so this may not be the best option.

Caveats

As mentioned before, the auto-logout script runs when any X session is terminated, so it's likely that your drive may be accidentally unmounted when another user logs out of your concurrent session. However, this won't be an issue if you're an only user who keeps only a single X session running.
Similarly, you NEED to keep an X session open, even in a TTY, unless you want to manually mount/unmount the device.

Related Solutions

Ubuntu – Mount LUKS encrypted hard drive at boot

A key file in the /boot directory can be read by any other operation system booted on your machine that is able to mount the filesystem on that /boot is located. Thus, encryption is not really effective. This argument applies to all key file locations on unencrypted file systems.

To avoid key files on unencrypted file systems a password can be used for decryption. Create a strong password for the device. Then, change the line in /etc/crypttab to

hddencrypted UUID=b3024cc1-93d1-439f-80ce-1b1ceeafda1e none luks

and keep the entry in /etc/fstab unmodified. Ubuntu 14.04/16.04/18.04 asks you for the password on startup.

LUKS – Keyscript Ignored, Asking for Password on Boot

Try the option "initramfs" in your /etc/crypttab (according to https://unix.stackexchange.com/a/447676/356711). Your /etc/crypttab would then look like this:

# UUID is not required here since the path to the LV won't change
secure      /dev/vg0/secure       none      luks,keyscript=/lib/cryptsetup/scripts/insecure,initramfs

Please note that it might be a problem that your root fs is in an LVM container. This issue is also mentioned in the article linked above: "But this currently only works (reliably) if the root device is not in an LVM." Fortunately, it seems that a workaround is provided.

My system looks like this:

$ lsblk
NAME                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                             8:0    0 931.5G  0 disk
└─sda1                          8:1    0 931.5G  0 part
  └─md1                         9:1    0 931.4G  0 raid1
    └─md1_crypt               253:3    0 931.4G  0 crypt
      └─raid_crypt_vg-data_lv 253:4    0 931.4G  0 lvm   /raid
sdb                             8:16   0 931.5G  0 disk
└─sdb1                          8:17   0 931.5G  0 part
  └─md1                         9:1    0 931.4G  0 raid1
    └─md1_crypt               253:3    0 931.4G  0 crypt
      └─raid_crypt_vg-data_lv 253:4    0 931.4G  0 lvm   /raid
sdc                             8:32   0 465.8G  0 disk
├─sdc1                          8:33   0   953M  0 part  /boot
└─sdc2                          8:34   0 464.8G  0 part
  └─sdc2_crypt                253:0    0 464.8G  0 crypt
    ├─system_crypt_vg-data_lv 253:1    0   447G  0 lvm   /
    └─system_crypt_vg-swap_lv 253:2    0  17.8G  0 lvm   [SWAP]

... and the following /etc/crypttab does the decryption magic with a keyscript (!) in Ubuntu 18.04.2 LTS:

$ cat /etc/crypttab
# <target name> <source device>                           <key file> <options>
sdc2_crypt      UUID=[...]                                none       luks,discard,keyscript=/etc/decryptkeydevice/decryptkeydevice_keyscript.sh
md1_crypt       /dev/md1                                  none       luks,discard,keyscript=/etc/decryptkeydevice/decryptkeydevice_keyscript.sh,initramfs

Note that the decryption of sdc2_crypt with the provided keyscript works without the initramfs option (because it contains the root fs and is thus "automatically" considered in the initramfs boot phase). md1_crypt was only decrypted already during the initramfs boot phase (and thus with the keyscript according to the crypttab entry) after I added the initramfs option. The later decryption of md1_crypt during the systemd boot phase does not work with a keyscript given in crypttab because the "systemd cryptsetup" does not support the option keyscript, see https://github.com/systemd/systemd/pull/3007.

Best Answer

Caveats

Related Solutions

Ubuntu – Mount LUKS encrypted hard drive at boot

LUKS – Keyscript Ignored, Asking for Password on Boot

Related Question