💾 Archived View for wilw.capsule.town › notes › volume-encryption.gmi captured on 2024-05-12 at 15:36:21. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-04-19)
-=-=-=-=-=-=-
For sensitive data storage in the cloud, I will usually provision a separate volume, encrypt it, and then use this as the volume mapper for containerised services.
I use Linode to host the vast majority of my services. In Linode, new volumes can be easily created and attached to an instance.
After a short while the instance will then recognise the new device and make it available via the OS.
This note assumes your attached volume is mapped as `/dev/sdc` by your system. You can check this using `lsblk`.
This note also assumes you have `cryptsetup` installed. On Alpine Linux, you can install it with `apk add cryptsetup`.
Step 1: Create a LUKS partition:
cryptsetup luksFormat /dev/sdc
Enter the passphrase, etc.
Step 2: Open the partition, entering your passphrase, and provide a "mapper":
cryptsetup luksOpen /dev/sdc mydata
Step 3: Now, create a new filesystem. E.g. for `ext4`:
mkfs.ext4 /dev/mapper/mydata
Step 4: Mount the new filesystem:
mkdir /data mount /dev/mapper/mydata /data
Step 5: Create a new encryption key and mark it as readonly:
echo "complex string" > /root/data-key chmod 0400 /root/data-key
Step 6: Add the key to the LUKS setup:
cryptsetup luksAddKey /dev/sdc /root/data-key
Step 7: Get the UUIDs for the devices by running `lsblk -f`. You'll need these for the next steps.
Step 8: Set-up the crypttab by editing `/etc/crypttab` and adding:
mydata UUID=<LUKS UUID> /root/data-key luks
(where `<LUKS UUID>` is the UUID for the LUKS device from above).
This ensures the volume is correctly decrypted at boot.
Step 9: Finally, add an entry for the decrypted volume in `/etc/fstab`:
UUID=<ext4 UUID> /data ext4 defaults 0 0
This auto-mounts the decrypted filesystem to `/data` on boot. For `<ext4 UUID>` use the UUID for the filesystem itself that you obtained earlier.
Alpine doesn’t use a crypttab to manage the decryption at boot-time. Instead add the following to `/etc/conf.d/dmcrypt`:
target=mydata source='/dev/sdc' key='/root/data-key'
And then enable the service at boot:
rc-update add dmcrypt boot
Run `cryptsetup luksDump /dev/sdc` to view the encryption properties. E.g.:
Key: 512 bits Priority: normal Cipher: aes-xts-plain64 Cipher key: 512 bits PBKDF: argon2id