Auto-mount a disk that is encrypted with LUKS

Overview

The anaconda installer can ask you if you want to encrypt a partition when you are setting up a new system.
What if after the fact you want to add an encrypted disk that is auto-mounted at boot?
This post explains how to prepare a new encrypted partition and configure your system to mount it at boot. This guide is aimed at Fedora-based systems like RHEL and CentOS, and was tested specifically on CentOS 7.3.

Preparing the system and disk

Ensure package cryptsetup is installed.

yum -y install cryptsetup

Prepare a valid disk and partition which the system can find.
Make a partition of the preferred size and of type Linux filesystem or Linux reserved.

# sudo fdisk /dev/vdb
Command (m for help): p
Disk /dev/vdb: 16.1 GB, 16106127360 bytes, 31457280 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: gpt
#         Start          End    Size  Type            Name
 1         2048     31457246     15G  Linux reserved

The example partition in this post is /dev/vdb1.

Initializing the encrypted partition

Perform the initial setup of the encrypted partition. The dash here means it will prompt for a password (or accept it from standard input).

cryptsetup luksFormat /dev/vdb1 -
# cryptsetup luksFormat /dev/vdb1 -

WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase:

Get the UUID of the partition using the blkid command.

blkid
# blkid
/dev/vdb1: UUID="b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b" TYPE="crypto_LUKS" PARTUUID="6614fac8-8d0c-45dd-a1a7-b799248bc370"

To capture just the UUID in a shell variable:

thisblockid=$( blkid /dev/vdb1 -o value | head -n1 )

To open the encrypted partition, use luksOpen.

cryptsetup luksOpen /dev/vdb1 "luks-${thisblockid}"
# cryptsetup luksOpen /dev/vdb1 luks-$( blkid /dev/vdb1 -o value | head -n1 )
Enter passphrase for /dev/vdb1: 
# ll /dev/mapper
lrwxrwxrwx. 1 root root       7 Jul  9 16:08 luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b -> ../dm-2

Now the /dev/mapper/luks-${thisblockid} path exists.
Make a filesystem of your choice.

mkfs.ext4 /dev/mapper/luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b

Now you can mount this wherever you wish.

Mounting the encrypted partition automatically

To mount this encrypted partition at boot, you will need to modify /etc/fstab and /etc/crypttab.
Add to /etc/fstab an entry:

/dev/mapper/luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b   /mnt/foo        ext4    defaults        0 0

Add to /etc/crypttab an entry:

luks-b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b UUID=b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b -

Now, on each boot, you will be prompted to provide the LUKS passphrase before the system can mount the specified mount point (in this case, /mnt/foo). The system will fail to boot completely if you do not provide the passphrase, even for an unimportant directory like /mnt/foo: it will drop into single-user mode.
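
Because a wrong entry only shows up as a failed boot, it is worth checking that /etc/fstab and /etc/crypttab agree before rebooting. The script below is an added example, not part of the original post: the function names are hypothetical, and it runs against constructed sample files rather than the real ones.

```shell
#!/bin/sh
# Added example (not from the original post). The file names passed in are
# assumptions; point them at /etc/fstab and /etc/crypttab on a real system.

# Print the crypttab and fstab lines this post uses for a given LUKS UUID.
crypttab_line() { printf 'luks-%s UUID=%s -\n' "$1" "$1"; }
fstab_line()    { printf '/dev/mapper/luks-%s\t%s\t%s\tdefaults\t0 0\n' "$1" "$2" "$3"; }

# check_luks_mounts FSTAB CRYPTTAB
# Every /dev/mapper/luks-* device in FSTAB must have a CRYPTTAB entry with the
# same name, and a UUID= source there must match the UUID in the name.
# Returns 0 when all entries are consistent, 1 otherwise.
check_luks_mounts() {
    rc=0
    names=$(awk '$1 ~ /^\/dev\/mapper\/luks-/ { sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$1")
    for name in $names; do
        src=$(awk -v n="$name" '$1 == n { print $2; exit }' "$2")
        case $src in
            "")     echo "MISSING:   $name has no crypttab entry"; rc=1 ;;
            UUID=*) if [ "luks-${src#UUID=}" = "$name" ]; then
                        echo "OK:        $name"
                    else
                        echo "MISMATCH:  $name -> $src"; rc=1
                    fi ;;
            *)      echo "UNCHECKED: $name -> $src (not a UUID= source)" ;;
        esac
    done
    return $rc
}

# Constructed sample data: a matching pair of files, and a crypttab whose
# UUID has a one-character typo.
demo_dir=$(mktemp -d)
uuid=b8f055d6-cd91-43e8-afbc-85fa1f6d3d7b
fstab_line "$uuid" /mnt/foo ext4 > "$demo_dir/fstab"
crypttab_line "$uuid"            > "$demo_dir/crypttab.good"
echo "luks-$uuid UUID=b8f055d6-cd91-43e8-afbc-85fa1f6d3d7c -" > "$demo_dir/crypttab.bad"

check_luks_mounts "$demo_dir/fstab" "$demo_dir/crypttab.good"
check_luks_mounts "$demo_dir/fstab" "$demo_dir/crypttab.bad" || echo "fix crypttab before rebooting"
rm -rf "$demo_dir"
```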

References

Weblinks

  1. Guide to placing a keyfile on a USB flash drive https://askubuntu.com/a/90911/533065
  2. Inspiration for learning this topic http://vsnapshots.blogspot.com/2014/07/well-i-thought-id-have-quiet-year-and.html

Man pages

crypttab
cryptsetup