It's good practice to encrypt all your hard drives so your data stays protected at rest: whether you store sensitive private or corporate data you want to keep safe from theft, or simply so you do not have to wipe a drive before you remove and sell it.
When you run full disk encryption under Debian with LUKS and want to add a second drive that is decrypted automatically at boot, once you have entered your startup credentials for the root drive, you can do it with the following steps:
- install the second hard drive in your machine
- get the device name:
parted -l
e.g. /dev/sdd. Double-check the name, because the next steps wipe that disk.
- create a new GPT partition table:
parted /dev/sdd mklabel gpt
- create a new partition spanning the whole disk:
parted -a opt /dev/sdd mkpart primary ext4 0% 100%
Now you should see the new partition (/dev/sdd1) with `parted -l`.
The next steps encrypt the new partition with a passphrase, open it as a mapper device under /dev/mapper and create an ext4 filesystem on it:
- encrypt the partition (this destroys everything on /dev/sdd1; cryptsetup asks you to confirm with YES and then for a new passphrase; --iter-time 5000 makes the passphrase derivation take about 5 seconds on this machine, which slows down offline guessing against the header):
cryptsetup --iter-time 5000 --use-random luksFormat --type luks2 /dev/sdd1
- open it:
cryptsetup open /dev/sdd1 local_storage
- create the ext4 filesystem inside the container:
mkfs.ext4 /dev/mapper/local_storage
To decrypt the disk automatically at startup we generate a keyfile, add it as a second key to the LUKS header of the new partition and store the keyfile on the root drive. The keyfile is only as safe as the filesystem it lives on, so this only makes sense because the root filesystem is itself LUKS-encrypted and unlocked with your passphrase at boot.
- create a keyfile on your OS hard drive:
dd if=/dev/random of=/root/.local_storage-keyfile bs=1024 count=4
- change the permissions so that only the root user can read it (if other users can log in meanwhile, run the dd under `umask 077` so the file is never readable by them, not even briefly):
chmod 0400 /root/.local_storage-keyfile
- add the key to the encrypted partition (you will be asked for the existing passphrase):
cryptsetup luksAddKey /dev/sdd1 /root/.local_storage-keyfile
An entry in /etc/crypttab does the magic and performs the decryption automatically with our keyfile:
- get the UUID of the LUKS container with
blkid
Take the UUID of /dev/sdd1 (the line with TYPE="crypto_LUKS"), not the UUID of /dev/mapper/local_storage, which belongs to the ext4 filesystem inside the container.
- add a new line to /etc/crypttab with your chosen device name (the fields are: mapper name, LUKS device, keyfile, options; `discard` passes TRIM through to an SSD and is optional):
local_storage UUID=<your UUID from blkid> /root/.local_storage-keyfile luks,discard
You can also mount it automatically with an entry in /etc/fstab using the device name /dev/mapper/local_storage if you wish; adding `nofail` to its options keeps a missing or failed disk from stopping the boot.
When you now reboot, the second hard drive is decrypted automatically and, if you added the fstab entry, mounted in your filesystem.
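The whole procedure as one script, added here as an example and not part of the original post. It keeps the commands above but adds the checks you want before trusting the disk to unlock at boot: it refuses a disk that already carries signatures, creates the keyfile under a restrictive umask, verifies the keyfile really unlocks the LUKS header, takes the UUID straight from the container with `cryptsetup luksUUID`, and rehearses the boot path with systemd's crypttab handling before you reboot. The device, mapper name and mount point (/dev/sdd, local_storage, /mnt/local_storage) are assumptions you can override via the environment; nothing destructive runs unless the script is called with `--provision`.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names (override via the
# environment): DEV=/dev/sdd, NAME=local_storage, MOUNTPOINT=/mnt/local_storage.
# Nothing destructive runs unless the script is called with --provision.
set -eu

DEV="${DEV:-/dev/sdd}"
NAME="${NAME:-local_storage}"
KEYFILE="/root/.${NAME}-keyfile"
MOUNTPOINT="${MOUNTPOINT:-/mnt/${NAME}}"

# /etc/crypttab line. The UUID must be the LUKS container's (the partition, /dev/sdd1),
# never the opened /dev/mapper device, whose UUID belongs to the ext4 filesystem inside.
# 'discard' passes TRIM through to an SSD; drop it if you do not want free-space
# patterns visible on the raw disk.
crypttab_line() { # $1 = mapper name, $2 = LUKS UUID, $3 = keyfile path
    printf '%s UUID=%s %s luks,discard\n' "$1" "$2" "$3"
}

# /etc/fstab line for the opened device. 'nofail' keeps a missing or failed disk from
# dropping the boot into emergency mode.
fstab_line() { # $1 = mapper name, $2 = mountpoint
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

# Refuse to touch a disk that already carries a partition table, filesystem or LUKS header.
assert_blank_disk() { # $1 = whole-disk device
    [ -b "$1" ] || { printf '%s is not a block device\n' "$1" >&2; return 1; }
    if [ -n "$(wipefs "$1")" ]; then
        printf 'refusing: %s already has signatures:\n' "$1" >&2
        wipefs "$1" >&2
        return 1
    fi
}

provision() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    assert_blank_disk "$DEV"

    parted -s -a opt "$DEV" mklabel gpt mkpart primary ext4 0% 100%
    partprobe "$DEV"
    udevadm settle
    PART="${DEV}1"   # assumes a /dev/sdX disk; an NVMe disk would be "${DEV}p1"

    # Interactive: asks for YES and the new passphrase. --iter-time 5000 makes the
    # passphrase KDF take about 5 s on this machine.
    cryptsetup luksFormat --type luks2 --iter-time 5000 "$PART"
    cryptsetup open "$PART" "$NAME"
    mkfs.ext4 -L "$NAME" "/dev/mapper/$NAME"

    # Keyfile created under umask 077: never readable by others, not even between dd and chmod.
    ( umask 077; dd if=/dev/random of="$KEYFILE" bs=1024 count=4 status=none )
    chmod 0400 "$KEYFILE"
    cryptsetup luksAddKey "$PART" "$KEYFILE"   # asks for the existing passphrase

    # Prove the keyfile actually unlocks the header before relying on it at boot.
    cryptsetup open --test-passphrase --key-file "$KEYFILE" "$PART"

    # luksUUID prints exactly the UUID crypttab needs (the same one blkid shows for $PART).
    UUID="$(cryptsetup luksUUID "$PART")"
    grep -q "^${NAME} " /etc/crypttab 2>/dev/null || crypttab_line "$NAME" "$UUID" "$KEYFILE" >> /etc/crypttab
    mkdir -p "$MOUNTPOINT"
    grep -q "^/dev/mapper/${NAME} " /etc/fstab || fstab_line "$NAME" "$MOUNTPOINT" >> /etc/fstab

    # Rehearse the boot path without rebooting: close the device, let systemd's crypttab
    # generator reopen it with the keyfile, then mount it from fstab.
    cryptsetup close "$NAME"
    systemctl daemon-reload
    systemctl start "systemd-cryptsetup@${NAME}.service"
    mount "$MOUNTPOINT"
    printf 'ok: %s unlocked via %s and mounted on %s\n' "$PART" "$KEYFILE" "$MOUNTPOINT"
}

if [ "${1:-}" = "--provision" ]; then
    provision
fi
```

Run it as root with `DEV=/dev/sdd ./add-luks-disk.sh --provision`; the rehearsal at the end fails loudly if the keyfile, the crypttab UUID or the fstab line is wrong, which is far cheaper to find out now than after a reboot that drops to emergency mode.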
Top comments (1)
What kind of disk? local_storage or /dev/sdd1?
// after using my brain:
it should be the UUID of /dev/sdd1 :)