Set Label on dm-crypt+LUKS Container – How to Guide

cryptsetupdm-cryptgnomelukspartition

I just received a new USB flash drive, and set up 2 encrypted partitions on it. I used dm-crypt (LUKS mode) through cryptsetup. With an additional non-encrypted partition, the drive has the following structure:

/dev/sdb1, encrypted, hiding an ext4 filesystem labelled "Partition 1".
/dev/sdb2, encrypted, hiding another ext4 filesystem, labelled "Partition 2".
/dev/sdb3, clear, visible ext4 filesystem labelled "Partition 3".

Because the labels are attached to the ext4 filesystems, the first two remain completely invisible as long as the partitions haven't been decrypted. This means that, in the meantime, the LUKS containers have no labels. This is particularly annoying when using GNOME (automount), in which case the partitions appear as "x GB Encrypted" and "y GB Encrypted" until I decide to unlock them.

This isn't really a blocking problem, but it's quite annoying, since I really like my labels and would love to see them appear even when my partitions are still encrypted.

Therefore, is there a way to attach labels to dm-crypt+LUKS containers, just like we attach labels to ext4 filesystems? Does the dm-crypt+LUKS header have some room for that, and if so, how may I set a label?

Note that I don't want to expose my ext4 labels before decryption, that would be silly. I'd like to add other labels to the containers, which could appear while the ext4 labels are hidden.

Best Answer

I think the solution is to write udev rules like this.

KERNEL=="sd*", ENV{ID_FS_UUID}=="your-sdb1-uuid", ENV{ID_FS_LABEL}="Partition_1", ENV{ID_FS_LABEL_ENC}="Partition_1"
KERNEL=="sd*", ENV{ID_FS_UUID}=="your-sdb2-uuid", ENV{ID_FS_LABEL}="Partition_2", ENV{ID_FS_LABEL_ENC}="Partition_2"

Purpose of the `cryptsetup resize` command

what should I choose for $SECTORS? Is this step even necessary?

This step is necessary, otherwise the partition would still show up at the old side. This is confirmed with Nautilus, even after resizing with resize2fs, the LUKS partition showed up as the old size. After running cryptsetup resize, the correct number is shown. This step is not necessary. It only affects the current size status as shown in the file browser. After changing the size and closing/opening the partition again, the number is restored. So, when closing the LUKS partition as shown later will make this obsolete.

$SECTORS can be determined by looking at the output of cryptsetup status ExistingExt4:

    /dev/mapper/ExistingExt4 is active.
      type:    LUKS1
      cipher:  aes-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/sda2
      sector size:  512
      offset:  2056 sectors
      size:    156049348 sectors
      mode:    read/write

(As of cryptsetup 2.0.0 (December 2017), the sector size may be larger than 512 bytes: see the cryptsetup(8) manpage and the --sector-size option.)

Thus, to subtract 15 GiB, use a sector size of 156049348 - 15 * 1024 * 1024 * 2 = 124592068:

cryptsetup resize ExistingExt4 -b 124592068

Resizing the partition with `parted`

As for resizing the partition, parted works fine with GPT partitions. The resize command does not work however, as a workaround (or solution), remove the partition information and create a new partition as inspired by http://ubuntuforums.org/showthread.php?p=8721017#post8721017:

# cryptsetup luksClose ExistingExt4
# parted /dev/sda2
GNU Parted 2.3
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit s
(parted) p
Model: ATA INTEL SSDSA2CW08 (scsi)
Disk /dev/sda: 156301488s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start    End         Size        File system  Name    Flags
 1      34s      2082s       2049s                    Boot    bios_grub
 3      2083s    250034s     247952s     ext2         RootBoot
 2      250035s  156301438s  156051404s               Everything

As 15 GiB has to be shaved off, the new end becomes 156301438 - 15 * 1024 * 1024 * 2 = 124844158. Since I want to change partition 2, I first have to remove it and then recreate it with the label "Everything" (this could be changed if you like). Note: this disk has a GPT layout. For MBR, you should replace Everything by primary or extended (untested, resizing a partition on MBR has not been tested and is not recommended because it is untested).

WARNING: the following commands has destroyed data. Do not copy it without understanding what is happening. The sector dimensions must be changed, otherwise you WILL destroy your partition(s). I am in no way responsible for your stupidness, BACKUP BACKUP BACKUP your data to a second storage medium before risking your data.

(parted) rm 2
(parted) mkpart Everything 250035s 124844158s
Warning: The resulting partition is not properly aligned for best performance.
Ignore/Cancel? ignore
(parted) p
Model: ATA INTEL SSDSA2CW08 (scsi)
Disk /dev/sda: 156301488s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start    End         Size        File system  Name    Flags
 1      34s      2082s       2049s                    Boot    bios_grub
 3      2083s    250034s     247952s     ext2         RootBoot
 2      250035s  124844158s  124594124s               Everything
(parted) quit

In the above parted example, my sectors are not aligned which is a mistake from an earlier installation, do not pay too much attention to it.

That is it! You can use cryptsetup status and file -Ls /dev/... to verify that everything is OK and then reboot.

Ubuntu – Full disk encryption with dm-crypt (without LUKS)

According to initramfs-tools(8), one can add programs to the initrd image by adding e.g. the following to a hook script:

copy_exec /sbin/cryptsetup /sbin

Example hook scripts can be found in /usr/share/initramfs-tools/hooks and on my Ubuntu system, /usr/share/initramfs-tools/hooks/cryptroot is indeed adding /sbin/cryptsetup to the initrd image.

Example:

$ gzip -dc /boot/initrd.img-`uname -r` | cpio -tv 2>/dev/null | grep cryptsetup
=> No cryptsetup included, yet.

$ cat /etc/initramfs-tools/hooks/fde
#!/bin/sh

. /usr/share/initramfs-tools/hook-functions
copy_exec /sbin/cryptsetup /sbin

$ sudo chmod 0755 /etc/initramfs-tools/hooks/fde
$ sudo update-initramfs -u

$ gzip -dc /boot/initrd.img-`uname -r` | cpio -tv 2>/dev/null | grep cryptsetup
-rwxr-xr-x   1 root     root        59248 Aug 21 04:04 sbin/cryptsetup
-rw-r--r--   1 root     root       158848 Aug 21 04:04 lib/x86_64-linux-gnu/libcryptsetup.so.4

Best Answer

Related Solutions

How to shrink a LUKS partition, what does `cryptsetup resize` do

Purpose of the cryptsetup resize command

Resizing the partition with parted

Ubuntu – Full disk encryption with dm-crypt (without LUKS)

Related Question

Purpose of the `cryptsetup resize` command

Resizing the partition with `parted`