Hi guys!

I have a Surface laptop, which I want to use again with a microSD as external storage. Since this can be easily pulled off from the laptop, I want it to be encrypted. This was encrypted before, but eventually the SD failed, and I’m trying to recreate what I had…without much success.

Steps so far… Create the LUKS volume:

#cryptsetup luksFormat /dev/sda

Format in ext4 (I believe it was in Exfat with the old SD?):

#cryptsetup open /dev/sda encrypted
#mkfs.ext4 /dev/mapper/encrypted

That should do it regarding the volume creation. Now comes what I can’t quite get working. I created a pw txt file within my home folder:

/home/user/EncryptedSD.txt

Then I refer to this via /etc/crypttab at boot:

encrypted /dev/sda /home/user/EncryptedSD.txt

And my /etc/fstab should attempt to mount this on the spot:

/dev/mapper/encrypted /media/SDCard ext4 auto,nofail,rw

However, as this is set, I’m being prompted halfway through boot for the password. And I can’t type anything onto that field. Not that it matters, as it’s a really long randomly generated password, no way I could remember it.

Even if I managed to make it go through boot, I’m still prompted for mounting the drive when I clicked on it, and I’m also prompted for the password, so clearly something’s not quite there yet. Any ideas? I intend to sync a series of network folders to this drive, so not being ready can make it a bit messier to sync at boot.

Thanks!

  • Björn Tantau@swg-empire.de · 5 points · 9 days ago

    You have to add the file as a key file. Just adding the password to the file isn’t enough.

    # device first, then the file holding the new key
    cryptsetup luksAddKey /dev/sda /home/user/EncryptedSD.txt
    
    • iturnedintoanewt@lemm.ee (OP) · 3 points · 9 days ago

      > You have to add the file as a key file. Just adding the password to the file isn’t enough.
      >
      > cryptsetup luksAddKey /dev/sda /home/user/EncryptedSD.txt

      Thanks! I think you’re onto something here. Sorry, what’s the purpose of adding the key? Does it get stored in cryptsetup’s internal storage so you never have to input it again?

      • Björn Tantau@swg-empire.de · 3 points · 9 days ago

        I’m not sure about the details but as far as I know luks has a long internal key that is used to encrypt the whole drive. This master key is encrypted with your passphrase and that encrypted key is stored on the drive.

        When you add a file as a key the master key is encrypted using the binary contents of that file and stored as well. The contents of the file are basically an additional pass phrase.

        So when it tries to decrypt the drive at boot it first tries to use the key file you give it. When that fails it asks for the pass phrase.

        When you made the file EncryptedSD.txt it did not contain the same binary data as the pass phrase you created. Probably due to an additional newline or two. To get around that you add the whole file as it is as a valid decryption key.

        Often people might create an extra long key on an extra USB stick. Or if you want to decrypt the drive automatically with the option of setting up a pass phrase later you can initially create the volume only with a key file stored on the boot drive or so.

        • iturnedintoanewt@lemm.ee (OP) · 3 points · 9 days ago

          …I think you have something here. If I create a random password and save it via nano on a brand new file, and use this file as passphrase during the initial creation…it then doesn’t let me open the encrypted device. It says no key available with this passphrase. When you input the cryptsetup open, you’re only allowed to manually type the passphrase (it no longer accepts a file with the passphrase, I think). Curiously, both the file and the passphrase I type manually…are pasted from the clipboard from the same password randomly generated on bitwarden and then copied to the clipboard. And yet, it seems something doesn’t match.

          EDIT: Seems when you ‘open’ with a file, the appropriate way is cryptsetup luksOpen /dev/sda encrypted --key-file /home/user/encryptedSD.txt
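The thread's two sticking points are the key file's exact bytes (an editor's trailing newline makes the file differ from the typed passphrase) and who can read that file (a key file under /home/user lets that account unlock the card without any passphrase). The script below is an added example written for this page, not code from any poster: it generates a random binary key file with owner-only permissions, carries the thread's luksFormat / luksAddKey / open / mkfs steps through with --key-file, and emits the matching crypttab and fstab lines. The key file path /root/EncryptedSD.key, the `luks` option in the crypttab line, the mount options in the fstab line and the helper names are assumptions; /dev/sda, `encrypted` and /media/SDCard are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed paths and names:
# KEYFILE under /root so no ordinary user can read the unlock key.
KEYFILE=${KEYFILE:-/root/EncryptedSD.key}
DEVICE=${DEVICE:-/dev/sda}          # as in the thread; adjust to your card
MAPNAME=encrypted                   # name used in crypttab and /dev/mapper
MOUNTPOINT=/media/SDCard            # as in the thread's fstab line

# Write 64 random bytes as the key. A binary key has nothing to type,
# nothing to remember, and no newline that an editor could append.
make_keyfile() {
    ( umask 077; head -c 64 /dev/urandom > "$1" )
    chmod 0600 "$1"
}

# Return 0 when a text key file does NOT end in a newline, 1 when it does.
# cryptsetup --key-file uses the file's bytes verbatim, so a password
# saved with nano ("S3cret\n") is not the same key as the typed "S3cret".
keyfile_has_no_trailing_newline() {
    [ -s "$1" ] || return 1
    last=$(tail -c 1 "$1" | od -An -c | tr -d ' ')
    [ "$last" != '\n' ]
}

# Return 0 only when the key file is readable by its owner alone (0600).
keyfile_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Lines for /etc/crypttab and /etc/fstab; the 4th crypttab field "luks"
# is an assumption (the thread's line leaves it out).
crypttab_line() { printf '%s %s %s luks\n' "$MAPNAME" "$1" "$2"; }
fstab_line()    { printf '/dev/mapper/%s %s ext4 nofail 0 2\n' "$MAPNAME" "$1"; }

# The full procedure from the thread. Run as root against a real card;
# it is never called by the checks below.
setup_luks_sd() {
    make_keyfile "$KEYFILE"
    # Format with the key file directly: it becomes key slot 0, so there
    # is no typed passphrase that has to match the file byte for byte.
    cryptsetup luksFormat --key-file "$KEYFILE" "$DEVICE"
    # Optional second slot: authorise with the key file, get prompted for
    # a human passphrase you can use if the key file is ever lost.
    cryptsetup luksAddKey --key-file "$KEYFILE" "$DEVICE"
    cryptsetup open --key-file "$KEYFILE" "$DEVICE" "$MAPNAME"
    mkfs.ext4 "/dev/mapper/$MAPNAME"
    mkdir -p "$MOUNTPOINT"
    crypttab_line "$DEVICE" "$KEYFILE" >> /etc/crypttab
    fstab_line "$MOUNTPOINT" >> /etc/fstab
    cryptsetup close "$MAPNAME"
}
```

If you keep a text key file instead of a random one, run keyfile_has_no_trailing_newline on it before adding it as a key; if it fails, either strip the newline (`printf '%s' "$pw" > file`) or, as the replies suggest, add the file as it is with luksAddKey so the stored slot matches the file's real bytes. Because the key file is referenced from crypttab on the boot drive, the card is only as protected as that file, which is why it belongs in a root-only location with 0600 permissions rather than in a user's home directory.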