💾 Archived View for wilw.capsule.town › notes › volume-encryption.gmi captured on 2023-04-19 at 23:18:38. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

🏡 Home

Back to notes

Encrypting volumes with LUKS

Last updated on 28 September 2022

For sensitive data storage in the cloud, I will usually provision a separate volume, encrypt it, and then use this as the volume mapper for containerised services.

Creating and attaching a volume

I use Linode to host the vast majority of my services. In Linode, new volumes can be easily created and attached to an instance.

After a short while the instance will then recognise the new device and make it available via the OS.

Encrypting the volume

This note assumes your attached volume is mapped as `/dev/sdc` by your system. You can check this using `lsblk`.

This note also assumes you have `cryptsetup` installed. On Alpine Linux, you can install it with `apk add cryptsetup`.

Step 1: Create a LUKS partition:

cryptsetup luksFormat /dev/sdc

Enter the passphrase, etc.

Step 2: Open the partition, entering your passphrase, and provide a "mapper":

cryptsetup luksOpen /dev/sdc mydata

Step 3: Now, create a new filesystem. E.g. for `ext4`:

mkfs.ext4 /dev/mapper/mydata

Step 4: Mount the new filesystem:

mkdir /data
mount /dev/mapper/mydata /data

Step 5: Create a new encryption key and mark it as readonly:

echo "complex string" > /root/data-key
chmod 0400 /root/data-key

Step 6: Add the key to the LUKS setup:

cryptsetup luksAddKey /dev/sdc /root/data-key

Step 7: Get the UUIDs for the devices by running `lsblk -f`. You'll need these for the next steps.

Step 8: Set-up the crypttab by editing `/etc/crypttab` and adding:

mydata    UUID=<LUKS UUID>    /root/data-key    luks

(where `<LUKS UUID>` is the UUID for the LUKS device from above).

This ensures the volume is correctly decrypted at boot.

• *Note: on Alpine Linux there is no crypttab. Instead refer to the section below.**

Step 9: Finally, add an entry for the decrypted volume in `/etc/fstab`:

UUID=<ext4 UUID>   /data  ext4   defaults	0	0

This auto-mounts the decrypted filesystem to `/data` on boot. For `<ext4 UUID>` use the UUID for the filesystem itself that you obtained earlier.

Auto-decrypting on Alpine Linux

Alpine doesn’t use a crypttab to manage the decryption at boot-time. Instead add the following to `/etc/conf.d/dmcrypt`:

target=mydata
source='/dev/sdc'
key='/root/data-key'

And then enable the service at boot:

rc-update add dmcrypt boot

Viewing properties

Run `cryptsetup luksDump /dev/sdc` to view the encryption properties. E.g.:

	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2id

Back to notes