HOWTO Setup encrypted external drive mounted at boot


Post by tylerdurden » 2018-07-11 15:34

This explains how I encrypted an external 1Tb hard drive with an XFS file system which is mounted automatically at boot when present. I'm using it for backup purposes.

System used:

Code:
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux


1. DISK SETUP

This assumes the device is /dev/sdb.
Everything must be done as root.

Partition the disk if needed by setting up a Linux LVM partition:
Code:
$ cfdisk /dev/sdb

or
Code:
$ fdisk /dev/sdb


Wipe the partition. WARNING: will take a while.
Code:
$ dd if=/dev/zero of=/dev/sdb1 bs=4M    # target the partition; of=/dev/sdb would also erase the partition table


Set up encryption on the device:
Code:
$ cryptsetup luksFormat /dev/sdb1


Open encrypted partition:
Code:
$ cryptsetup luksOpen /dev/sdb1 backup  # creates /dev/mapper/backup


Create XFS file system:
Code:
$ mkfs.xfs /dev/mapper/backup           # install "xfsprogs" if absent


2. MOUNTPOINT SETUP

Allow the device, if present, to be mounted automatically at boot, with a prompt for the password.

Create mountpoint, e.g. /backup
Code:
$ mkdir /backup


Find out UUID of /dev/sdb1 with any of the following:
Code:
$ blkid
$ ls -lha /dev/disk/by-uuid
$ lsblk -f


For instance:
Code:
$ lsblk -f
sdb                                                                             
└─sdb1                  crypto_LUKS       e616b645-de31-46d0-9cf6-82e10d4f861b   
  └─backup              xfs               b9931a95-3197-41d4-943f-69af29fc6eb8


Edit /etc/crypttab by adding the following line:
Code:
backup  UUID=<uuid of /dev/sdb1>     none    luks,nofail


"none" means the system will ask for the password, as we're not using a keyfile. The "nofail" option will ensure that the system doesn't hang when the device isn't present. See "man crypttab" for more options.

Add the encrypted file system to /etc/fstab:
Code:
/dev/mapper/backup  /backup     xfs     nofail,noatime,rw,user,x-systemd.device-timeout=30  0   2

The systemd device timeout is optional. See here for more info.

Mount all with:
Code:
mount -a


Reboot the system. While booting, the system will attempt to mount the device and prompt for a password, if it's plugged in. If not, it will ignore it.

3. ALLOW USERS TO WRITE TO EXTERNAL HARD DRIVE

Allow users to read and write to the external hard drive without changing ownership and permissions of the mountpoint /backup when the device is not mounted.

As root, mount /backup and then change ownership as needed. For instance:
Code:
$ mount /backup
$ chown user:users /backup


When mounted, ownership/permissions will then be:
Code:
$ ls -ld /backup

    drwxr-xr-x 3 user users 57 jui 11 00:46 /backup


When not mounted, ownership/permissions will be:
Code:
$ ls -ld /backup
   
    drwxr-xr-x 2 root root 4096 jui 10 20:05 /backup


When the external hard drive is plugged in, the system will notify you and ask for a password. Alternatively, mount the drive from the desktop. It will ask you to provide the password for device /dev/mapper/backup. It will be mounted under /backup if you followed this tutorial.

Hope this is useful. Comments and additional tips are welcome.
Last edited by tylerdurden on 2018-07-11 17:01, edited 1 time in total.
Debian 9.5 Stretch
tylerdurden
Posts: 1
Joined: 2018-07-11 14:43
Location: /home
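
A lint for the /etc/crypttab and /etc/fstab entries described in the HOWTO above, as an added example that is not part of the original post. The function name check_pair and the saved `lsblk -rno FSTYPE,UUID` output file are assumptions of this sketch, and the sample files are constructed from the UUIDs shown in the post's lsblk listing.

```sh
#!/bin/sh
# Added example, not from the original post: lint the crypttab/fstab pair.
# Usage: check_pair NAME CRYPTTAB FSTAB LSBLK_TXT
#   LSBLK_TXT is saved output of: lsblk -rno FSTYPE,UUID
# Prints one line per finding; the return status is the number of findings.
check_pair() {
    name=$1; crypttab=$2; fstab=$3; lsblk_txt=$4; n=0
    # crypttab fields: name, source device, key file, options
    set -- $(awk -v m="$name" '$1 == m {print $2, $3, $4; exit}' "$crypttab")
    if [ $# -eq 0 ]; then echo "crypttab: no entry for $name"; return 1; fi
    src=$1; copts=${3-}
    case $src in
        UUID=*)
            # Must be the UUID of the LUKS container, not of the inner filesystem.
            grep -qxF "crypto_LUKS ${src#UUID=}" "$lsblk_txt" ||
                { echo "crypttab: $src is not a crypto_LUKS device"; n=$((n+1)); } ;;
        *)  echo "crypttab: $src is not UUID=..., sdX names can change"; n=$((n+1)) ;;
    esac
    case ",$copts," in
        *,nofail,*) ;;
        *)  echo "crypttab: nofail missing"; n=$((n+1)) ;;
    esac
    # fstab fields: device, mountpoint, type, options, dump, pass
    fopts=$(awk -v d="/dev/mapper/$name" '$1 == d {print $4; exit}' "$fstab")
    case ",$fopts," in
        ,,)         echo "fstab: no entry for /dev/mapper/$name"; n=$((n+1)) ;;
        *,nofail,*) ;;
        *)          echo "fstab: nofail missing"; n=$((n+1)) ;;
    esac
    return "$n"
}

# Constructed sample files; the UUIDs are the two shown in the post's lsblk output.
demo=$(mktemp -d)
printf '%s\n' 'crypto_LUKS e616b645-de31-46d0-9cf6-82e10d4f861b' \
    'xfs b9931a95-3197-41d4-943f-69af29fc6eb8' > "$demo/lsblk.txt"
echo 'backup UUID=e616b645-de31-46d0-9cf6-82e10d4f861b none luks,nofail' > "$demo/crypttab.ok"
echo 'backup UUID=b9931a95-3197-41d4-943f-69af29fc6eb8 none luks' > "$demo/crypttab.bad"
echo '/dev/mapper/backup /backup xfs nofail,noatime,rw,user 0 2' > "$demo/fstab"

check_pair backup "$demo/crypttab.ok" "$demo/fstab" "$demo/lsblk.txt" && echo "ok: no findings"
check_pair backup "$demo/crypttab.bad" "$demo/fstab" "$demo/lsblk.txt" || echo "findings: $?"
```

On a real system, pass /etc/crypttab, /etc/fstab and a file produced by `lsblk -rno FSTYPE,UUID > lsblk.txt` while the drive is plugged in.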

Re: HOWTO Setup encrypted external drive mounted at boot

Post by cds60601 » 2018-07-11 16:13

See this thread for an alternative way (possibly easier)
http://forums.debian.net/viewtopic.php?f=5&t=137674#p674155
Yeah, 220, 221. Whatever it takes.
Server: Debian 9 (Stretch) Workstation: Archlinux
cds60601
Posts: 136
Joined: 2017-11-25 05:58

