Did you know...

...that GNOME plays nice with LUKS-encrypted portable devices? I sure didn't, until this morning.

(Of course, if you already knew this, then I'm probably not going to tell you anything new, so you can safely skip this article. But hey, you never know, so you might want to read on anyway.)

I've recently purchased a 250GB portable hard disk so that I could keep an off-site copy of my critical data (photos, saved emails, my irreplaceable documents, etc.). I have written a quick shell script to rsync this data to a directory on my laptop, and then I TAR it up onto the portable drive. Of course, since the portable drive is stored in my desk at the office, I wanted it to be secured. Simply placing it on an XFS filesystem isn't enough, as there are a couple of people in the office who actually know there are operating systems other than Windows out there, and who also know how to access XFS filesystems under Windows.

Enter the encrypted filesystem. I chose to use dm-crypt and cryptsetup for this purpose, as they are easier to work with on Debian than TrueCrypt, and I was curious to see if GNOME's excellent support for auto-mounting removable USB devices would help me out. To that end, I pre-emptively installed the cryptmount and cryptsetup packages. I also rebuilt my custom kernel to include LVM support and the dm-crypt module. The revised kernel config is attached to my Debian on HP tx1000 page.

To start, I used GParted to shrink the existing NTFS filesystem on the disk, and created a new partition. I didn't put a filesystem on it just yet; there's no point as the encryption setup will kill it anyway.

Next I used cryptsetup to set up the encryption layer on the new partition (/dev/sdb2). I used the following command:

cryptsetup luksFormat /dev/sdb2

This prompted me for a passphrase, which I entered twice.

Now I had to set up the encryption layer so I could create a filesystem on the device. I used this command:

cryptsetup luksOpen /dev/sdb2 backups

After successfully entering the password I'd used earlier, /dev/mapper/backups was created, which is the decrypted version of /dev/sdb2.

OK, so now I can create a filesystem. I used XFS for personal reasons:

mkfs -t xfs -L backups /dev/mapper/backups

Note that I used /dev/mapper/backups instead of /dev/sdb2 for the device name; this is because /dev/sdb2 is encrypted, but /dev/mapper/backups is not. Trying to create a filesystem on /dev/sdb2 at this point would wreck the partition.

Now I shut down the encryption layer:

cryptsetup luksClose backups

and unplugged the drive. On reconnection, GNOME popped up a window stating, "One of the filesystems is encrypted. Enter a passphrase to unlock it." When I entered my passphrase, the volume was automatically unlocked and mounted at /media/backups.
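The warning above about running mkfs on /dev/sdb2 instead of /dev/mapper/backups can be turned into a pre-flight check. The following is an added example, not part of the original article: it reads the start of a device and refuses to proceed if it finds the LUKS header magic (the same property `cryptsetup isLuks` tests). The function names and the two sample files, which stand in for the raw partition and the mapped device, are constructed for illustration.

```sh
#!/bin/sh
# Added example: guard against formatting the raw LUKS partition by mistake.
# A LUKS header starts with the magic bytes "LUKS" 0xBA 0xBE, followed by a
# 2-byte big-endian version number (1 for LUKS1, 2 for LUKS2).

# Print the LUKS header version found on $1; return 1 if there is no header.
luks_version() {
    # First 8 bytes as 16 lowercase hex characters.
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe????) ;;          # magic present, version bytes follow
        *) return 1 ;;
    esac
    ver=$(printf '%s' "$hdr" | cut -c13-16)
    printf '%d\n' "0x$ver"
}

# Return 0 only if $1 may be handed to mkfs, i.e. it is NOT a LUKS container.
check_mkfs_target() {
    if v=$(luks_version "$1"); then
        echo "refusing: $1 holds a LUKS$v header; format the /dev/mapper device instead" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: small files standing in for the real devices.
tmp=$(mktemp -d)
printf 'LUKS\272\276\000\001' > "$tmp/raw"                   # like /dev/sdb2
dd if=/dev/zero of="$tmp/mapped" bs=512 count=1 2>/dev/null  # like /dev/mapper/backups

check_mkfs_target "$tmp/raw"    || echo "raw partition rejected"
check_mkfs_target "$tmp/mapped" && echo "mapped device accepted"
```

In a backup script the guard would sit directly in front of the format step, for example `check_mkfs_target /dev/mapper/backups && mkfs -t xfs -L backups /dev/mapper/backups`.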

So now the convenience of auto-mounting removable devices has been extended to LUKS-encrypted partitions as well, which makes it that much easier to use such devices under Linux. And my backup scripts don't have to worry about it either, which means less coding for me.

Comments


interesting!


i need to switch my vista system back to linux at home... i miss gronking linux as my day job. :(