Mounting and Unmounting a LUKS Encrypted USB Volume
This process also works for hard drives.
Basic commands to view the disks/USB devices:
- blkid
- duf
- lsblk
- lsblk -a
- lsblk -o +UUID,PARTUUID
- lsblk -o +UUID,FSTYPE,PARTUUID
- ls -lF /dev/disk/by-id
- sudo lshw -short -C disk
- sudo udisksctl info -b /dev/??
01. USB drive has not been inserted (plugged in) yet.
To see volumes type:
lsblk
02. GUI password prompt when the encrypted drive is plugged in (I clicked Cancel to demonstrate mounting from the command line).
03. USB drive inserted (plugged in) and showing as /dev/sdm1.
To see volumes type:
lsblk
04. To check what the volume holds, type:
sudo udisksctl info -b /dev/sdm1
or
sudo cryptsetup isLuks -v /dev/sdm1
The volume /dev/sdm1 shows as "crypto_LUKS" in the udisksctl output; isLuks -v prints "Command successful." and exits non-zero for anything that is not a LUKS device.
05. If you try to mount the locked LUKS volume directly it fails: mount sees only ciphertext and reports an unknown filesystem type. (Screenshot shows the failed mount. Run cryptsetup first to unlock the volume.)
06. Running cryptsetup to unlock the encrypted volume. The argument "2T_SSD" is the device-mapper name the unlocked volume will appear under; it can be whatever you want. (luksOpen is the older spelling of "cryptsetup open --type luks".)
To open the encrypted volume type (you will be prompted for the LUKS passphrase):
sudo cryptsetup luksOpen /dev/sdm1 2T_SSD
07. Decrypted volume showing as 2T_SSD, but not yet mounted.
To see the unlocked volume type:
lsblk
08. Decrypted volume alias "2T_SSD" showing under /dev/mapper.
Check /dev/mapper to see if your alias is there:
ls -al /dev/mapper
09. sudo password prompt when mounting the unlocked 2T_SSD volume at /mnt/m (this is your account password for sudo, not the LUKS passphrase).
To mount your alias to a mount point type:
sudo mount /dev/mapper/2T_SSD /mnt/m
10. Decrypted volume showing unlocked and mounted at /mnt/m.
To see volumes type:
lsblk
11. Unmounting /mnt/m.
To unmount the volume type:
sudo umount /mnt/m
12. Closing the mapping (locking the volume again). This only succeeds after the unmount in step 11; while the filesystem is still mounted, cryptsetup refuses and reports that the device is still in use.
To close the volume type:
sudo cryptsetup close 2T_SSD
13. USB drive unmounted and unplugged from system.
To see volumes type:
lsblk
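The unlock/mount and unmount/close steps above, collected into one script. This is an added example, not part of the original note; it assumes cryptsetup and util-linux are installed, that it is run as root (via sudo), and that the device, mapper name and mount point are passed as arguments. The DRY_RUN variable, the valid_name check and the function names are this example's own.

```shell
#!/bin/sh
# Added example: steps 04-12 of the walkthrough as one script.
# Assumes cryptsetup + util-linux, run as root (sudo ./luks-usb.sh ...).
set -eu

# With DRY_RUN=1 the privileged commands are printed instead of executed,
# so the flow can be checked without root or a real USB device.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The alias becomes /dev/mapper/<name>: reject empty names, path
# separators, the special names "." and "..", and any whitespace.
valid_name() {
  case "$1" in
    ''|*/*|.|..) return 1 ;;
  esac
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$1" ]
}

luks_open_mount() {   # luks_open_mount DEVICE NAME MOUNTPOINT
  [ $# -eq 3 ] || { echo "usage: luks_open_mount DEVICE NAME MOUNTPOINT" >&2; return 64; }
  dev=$1 name=$2 mnt=$3
  valid_name "$name" || { echo "bad mapper name: $name" >&2; return 2; }
  # Step 04: refuse to continue unless the partition really carries a
  # LUKS header; isLuks exits non-zero otherwise.
  run cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 3; }
  # Step 06: prompts for the LUKS passphrase, creates /dev/mapper/$name.
  run cryptsetup open --type luks "$dev" "$name"
  run mkdir -p "$mnt"
  # Step 09: mount the cleartext mapping, never the raw partition.
  run mount "/dev/mapper/$name" "$mnt"
}

luks_umount_close() { # luks_umount_close NAME MOUNTPOINT
  [ $# -eq 2 ] || { echo "usage: luks_umount_close NAME MOUNTPOINT" >&2; return 64; }
  name=$1 mnt=$2
  valid_name "$name" || { echo "bad mapper name: $name" >&2; return 2; }
  # Step 11 must precede step 12: close fails with "still in use"
  # while anything is mounted from the mapping.
  run umount "$mnt"
  run cryptsetup close "$name"
}

case "${1:-}" in
  open)  shift; luks_open_mount "$@" ;;
  close) shift; luks_umount_close "$@" ;;
  '')    ;;   # no arguments: only define the functions (e.g. when sourced)
  *)     echo "usage: $0 open DEVICE NAME MOUNTPOINT | close NAME MOUNTPOINT" >&2; exit 64 ;;
esac
```

Usage matching the walkthrough: `sudo ./luks-usb.sh open /dev/sdm1 2T_SSD /mnt/m`, then `sudo ./luks-usb.sh close 2T_SSD /mnt/m` before unplugging. `DRY_RUN=1 ./luks-usb.sh open /dev/sdm1 2T_SSD /mnt/m` prints the exact command sequence without touching anything.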
Mount a USB volume and use umask to give "other" full access. The umask option (like fmask/dmask) exists only for filesystems without native Unix permissions such as vfat, exfat and ntfs, and utf8 is a vfat option; on ext4 and other POSIX filesystems mount rejects them, and ownership is set with chown on the mounted tree instead. umask=000 makes every file readable, writable and executable by every local user, so use it only on a removable data volume where that is intended.
sudo mount /dev/sdi1 /mnt/i -o umask=000,utf8
Automatically mount using fstab.
You can mount by UUID so that each mount point always gets the same device regardless of which /dev/sdX name it is assigned at boot. Each partition on a drive has its own filesystem UUID (the short FC3E-233D style IDs below are vfat volume IDs and 02608207608201A1 is an NTFS one; ext4 UUIDs are the long 36-character form).
Use this to find the UUID:
lsblk -o +UUID,PARTUUID
In /etc/fstab:
UUID=FC3E-233D /mnt/i auto user,umask=000,utf8 0 0
UUID=B06E-CC89 /mnt/c auto user,umask=000,utf8 0 0
UUID=02608207608201A1 /mnt/h auto user,umask=000,utf8 0 0
The user option lets an ordinary user mount the volume and, unless overridden, implies noexec, nosuid and nodev; umask=000 again means every user can read and write everything on it. These entries are for unencrypted volumes: the LUKS partition above only exposes a mountable filesystem under /dev/mapper after cryptsetup has opened it, so it would need an /etc/crypttab entry to be unlocked at boot before an fstab line for the mapping could work.
After editing fstab, run 'systemctl daemon-reload' so systemd regenerates its mount units, then test the entries with 'sudo mount -a' before rebooting.
LUKS Header Backup and Restore
https://www.cyberciti.biz/security/how-to-backup-and-restore-luks-header-on-linux/
Creating LUKS Header Backup:
Syntax: sudo cryptsetup luksHeaderBackup /dev/XXX --header-backup-file myfile.bin
Example:
sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file my_luks_header.bin
sudo cryptsetup luksHeaderBackup /dev/sdb --header-backup-file my_luks_header.bin
Side note:
cryptsetup creates the backup file with mode 400, owned by root. The file contains every keyslot as it existed when the backup was taken, so anyone who obtains it and knows any passphrase that was valid at that time can unlock the volume, even after that passphrase has been changed or removed on the device. Protect the backup as carefully as the volume itself (offline or inside another encrypted store), and take a fresh backup after changing passphrases.
Check the file type:
sudo file my_luks_header.bin
my_luks_header.bin: LUKS encrypted file, ver 2 [, , sha256] UUID: 9e5f5c4b-a4bb-464a-80c6-118c22e35e8f
Use luksDump to view information about the file:
sudo cryptsetup luksDump my_luks_header.bin
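Turning the backup and luksDump steps above into a checked procedure: take the backup, then read the copy back with luksDump and compare its UUID against the live device before filing it away. This is an added example, not from the original note or the cyberciti article; it assumes cryptsetup is installed and the script runs as root, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: back up a LUKS header and verify the copy before relying
# on it. Assumes cryptsetup, run as root: sudo ./luks-backup.sh DEVICE FILE
set -eu

# Pull the UUID out of `cryptsetup luksDump` text read on stdin.
# Both LUKS1 and LUKS2 dumps print a "UUID:" line.
header_uuid() {
  awk '$1 == "UUID:" { print $2; exit }'
}

# Take the backup, then confirm that luksDump can read the copy back and
# that its UUID matches the live device. Prints the UUID on success.
backup_header() {   # backup_header DEVICE FILE
  [ $# -eq 2 ] || { echo "usage: backup_header DEVICE FILE" >&2; return 64; }
  dev=$1 out=$2
  # luksHeaderBackup refuses to overwrite an existing file (created 0400,
  # root-owned), so choose a fresh name for each backup.
  cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out"
  dev_uuid=$(cryptsetup luksDump "$dev" | header_uuid)
  file_uuid=$(cryptsetup luksDump "$out" | header_uuid)
  if [ -z "$dev_uuid" ] || [ "$dev_uuid" != "$file_uuid" ]; then
    echo "header backup $out does not match $dev (device=$dev_uuid file=$file_uuid)" >&2
    return 1
  fi
  echo "$dev_uuid"
}

if [ $# -eq 2 ]; then
  backup_header "$1" "$2"
fi
```

Run as `sudo ./luks-backup.sh /dev/sdm1 my_luks_header.bin`; the printed UUID should match the one `file` and `luksDump` report for the device, and a mismatch or an unreadable copy returns non-zero instead of leaving a broken backup behind.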
Restoring the LUKS header when needed:
sudo cryptsetup luksHeaderRestore /dev/XXX --header-backup-file /path/to/my_luks_header.bin
Assuming your header backup file is on an external volume at /dev/external/volume:
sudo cryptsetup luksHeaderRestore /dev/md1 --header-backup-file /dev/external/volume/my_luks_header.bin
Restoring overwrites the on-disk header and keyslots with the ones in the backup, so any passphrases added or removed since the backup was taken revert to the backed-up state. cryptsetup asks for confirmation first:
WARNING!
========
Device /dev/XXX already contains LUKS2 header. Replacing header will destroy existing keyslots.
Are you sure? (Type uppercase yes): YES