5

I want to access a LUKS encrypted data partition after login, ideally without typing a password, obviously in a secure way.

My home directory is also encrypted with LUKS.

I found this tutorial: https://ubuntuforums.org/showthread.php?t=837416.

It feels completely un-safe to me as anyone booting a live cd can access the root directory, thus the key, thus de-crypt the data of the other partition.

Here is what I have done so far,

Create a new key:

sudo dd if=/dev/urandom of=$HOME/.data_crypt_keyfile bs=1024 count=4

Make it read-only to root:

sudo chmod 0400 $HOME/.data_crypt_keyfile

Add this new key to the LUKS key slots:

sudo cryptsetup luksAddKey /dev/sdc1 $HOME/.data_crypt_keyfile

How do I automatically open this partition after login, and close it when logging-out?

Victor Lamoine
  • 2,321

2 Answers2

2

If your home folder itself is encrypted by LUKS, there should be no way for the key to be read without the home folder being decrypted (which only happens when you're logged in).

As long as the keyfile is actually read from your user directory (/home/<whatever>) and not /root, you should be okay.

As for auto-mount on login, you can use a simple script in your Startup Applications list (run after login succeeds, so it will work as long as you're mounting this drive to userspace). For logout, you can set it up to unmount when you kill your X session.

In short, you would do the following:

  1. Create a small script that will unmount the encrypted drive from wherever it's mounted
  2. Add this to session-cleanup-script in /etc/lightdm/lightdm.conf. This will run whenever any session is killed, so this may not be the best option.

Caveats

  • As mentioned before, the auto-logout script runs when any X session is terminated, so it's likely that your drive may be accidentally unmounted when another user logs out of your concurrent session. However, this won't be an issue if you're an only user who keeps only a single X session running.
  • Similarly, you NEED to keep an X session open, even in a TTY, unless you want to manually mount/unmount the device.
Community
  • 1
Kaz Wolfe
  • 34,122
  • 21
  • 114
  • 172
  • cryptsetup requires sudo access so a simple startup script doesn't work. I allowed cryptsetup for my login in the sudoers file but I am not sure if it is a good idea. I'll keep digging and write an answer when I have something satisfying. – Victor Lamoine Sep 02 '16 at 07:30
1

You can use "pam_mount".

You will need the same password for your user and partition. And also it will not umount the partition after logout.

Here is the explanation that helped me get what I needed for my setup.

earthmeLon
  • 11,247
Nick
  • 11