DEV Community

georam

Mounting a second encrypted hard drive automatically under Debian or Ubuntu

It's good practice to encrypt all your hard drives to keep your data at rest secure. Whether you store sensitive private or corporate data, encryption protects it from theft and means you do not have to delete it when you remove and sell a drive.

When you run full disk encryption under Debian with LUKS and want to add a second drive that gets decrypted automatically when you boot and provide your startup credentials, you can do this with the following steps:

  • install your second hard drive in your machine
  • get the device name with `parted -l`, e.g. `/dev/sdd`
  • create a new GPT partition table: `parted /dev/sdd mklabel gpt`
  • create a new partition on the disk: `parted -a opt /dev/sdd mkpart primary ext4 0% 100%`

Now you should see your new partition with `parted -l`.

The next steps encrypt the new partition with a passphrase, open it as a mapper device under /dev/mapper and create an ext4 filesystem on it:

  • encrypt the partition: `cryptsetup --iter-time 5000 --use-random luksFormat --type luks2 /dev/sdd1`
  • open it: `cryptsetup open /dev/sdd1 local_storage`
  • create the ext4 filesystem: `mkfs.ext4 /dev/mapper/local_storage`

To decrypt the disk automatically at startup, we generate a keyfile, add it to a key slot of the newly encrypted partition and store the keyfile on our root hard drive.

  • create a keyfile on your OS hard drive: `dd if=/dev/random of=/root/.local_storage-keyfile bs=1024 count=4 iflag=fullblock` (`iflag=fullblock` makes `dd` retry short reads from `/dev/random`, so the keyfile is the full 4096 bytes)
  • change the permissions so that only the root user can read it: `chmod 0400 /root/.local_storage-keyfile`
  • add the key to the encrypted partition: `cryptsetup luksAddKey /dev/sdd1 /root/.local_storage-keyfile`

An entry in /etc/crypttab does the magic and performs the decryption automatically with our keyfile:

  • get the UUID of the encrypted partition (`/dev/sdd1`) with `blkid`
  • add a new line to /etc/crypttab with your chosen device name: `local_storage UUID=<your UUID from blkid> /root/.local_storage-keyfile luks,discard`

You can also add an automount with an entry in /etc/fstab using the device name /dev/mapper/local_storage if you wish.

After a reboot, your second hard drive is decrypted automatically and, if you wish, mounted in your filesystem via /etc/fstab.
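
Before rebooting, it is worth checking the entry this procedure produces. The script below is an added example, not part of the original post: it lints a crypttab-style file for keyfiles that group or others can access and for sources given as kernel device names. The function name `check_crypttab` and the sample entries are constructed for illustration, and it assumes GNU `stat` as shipped with Debian and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post): lint a crypttab before rebooting.
# Prints one line per finding; returns 1 if there is any finding, else 0.
check_crypttab() {
    tab=$1
    bad=0
    while read -r name source keyfile opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        # Kernel names such as /dev/sdd1 can change when disks are added;
        # the post uses UUID=<uuid of the LUKS partition> for that reason.
        case $source in
            /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*)
                echo "$name: source $source is a kernel device name, use UUID="
                bad=1 ;;
        esac
        case $keyfile in ''|none|-) continue ;; esac  # no keyfile configured
        if [ ! -f "$keyfile" ]; then
            echo "$name: keyfile $keyfile does not exist"
            bad=1
            continue
        fi
        # The post sets chmod 0400: group and other must have no access.
        mode=$(stat -c %a "$keyfile")                 # GNU stat, octal mode
        case $mode in
            0|*00) ;;
            *) echo "$name: keyfile $keyfile has mode $mode, expected 0400"
               bad=1 ;;
        esac
    done < "$tab"
    return "$bad"
}

# Constructed sample: one entry as in the post, one with both mistakes.
demo=$(mktemp -d)
touch "$demo/good.key" "$demo/loose.key"
chmod 0400 "$demo/good.key"
chmod 0644 "$demo/loose.key"
cat > "$demo/crypttab" <<EOF
# <name> <source> <keyfile> <options>
local_storage UUID=00000000-0000-0000-0000-000000000000 $demo/good.key luks,discard
other_storage /dev/sdd1 $demo/loose.key luks
EOF
check_crypttab "$demo/crypttab" || echo "fix the findings above before rebooting"
rm -rf "$demo"
```

Run the function as root against `/etc/crypttab` after editing it. `cryptsetup open --test-passphrase --key-file /root/.local_storage-keyfile /dev/sdd1` additionally confirms that the keyfile unlocks a key slot without mapping the device.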

Top comments (1)

bordeux

get your disk uuid with blkid

What kind of disk? local_storage or /dev/sdd1?

// after using my brain:
it should be the UUID of /dev/sdd1 :)
