
My linux fileserver has four LUKS-encrypted USB-3 disks. It's a bit confusing to mount them all: while they might get the same drive letters as last time, they might not, which leads to some trial and error.

To mount them, I would normally say something like this (typically for each of c, d, e, and f):

sudo cryptsetup open --type luks /dev/sdc d1
sudo mount /dev/mapper/d1 /d1

(Note that the threat scenario here is someone stealing my hardware. The goal is that when it powers down, it needs me to bring it up again. It is acceptable that the fileserver does not serve files in my absence.)

I can see UUIDs in /dev/disk/by-uuid/, though these are not the LUKS UUIDs. I suspect they are stable.

I also see USB port info in /dev/disk/by-path/ (not so good, depends where it's plugged in) and WWIDs in /dev/disk/by-id/. In both cases, I could construct a short script (to run by hand) that scans for familiar names, uses sed to pull out the drive number, and then executes the two lines above to open and mount the volume.

But perhaps this problem has a better solution. Any suggestions?

jma

2 Answers

I would configure /etc/crypttab and use UUIDs e.g.

usb1     UUID=d665864f-08e1-49ed-9adc-c608deadbeef

which would configure /dev/mapper/usb1 from the relevant disk. You can then use fstab entries etc to mount stuff. During boot the system prompts for the passphrase to unlock the disk, no additional scripting is required.

user9517
  • That seems quite clever, but note that this system is running headless (and keyboardless). So anything that requests data at boot time will hang the machine and prevent boot. – jma Sep 27 '17 at 06:22
  • @jma In that case note that you can specify a keyfile within `crypttab` that will contain the passphrase, to automatically unlock the volume at boot time. Of course it could have some obvious security caveat, storing the passphrase in a text file... – krisFR Sep 27 '17 at 06:43
  • @jma UUIDs and a script for you then. – user9517 Sep 27 '17 at 06:51
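As an added example (not part of the answer or the comments above), this is what the crypttab route looks like on a headless machine with removable disks, where an unanswered passphrase prompt or a missing disk must not hold up boot. The `noauto` option keeps the entries out of the boot sequence entirely, so nothing prompts; `nofail` additionally stops a device that is absent from being treated as fatal. The UUIDs, mapping names, mount points and the ext4 file system type are placeholders. The UUID to use is the one `cryptsetup luksUUID /dev/sdX1` prints for the raw LUKS partition, which is also the name udev gives that partition under /dev/disk/by-uuid/.

```conf
# /etc/crypttab  -- one line per LUKS container (placeholder UUIDs)
# name   device                                      key   options
usb1     UUID=00000000-0000-4000-8000-000000000001   none  luks,noauto,nofail
usb2     UUID=00000000-0000-4000-8000-000000000002   none  luks,noauto,nofail
usb3     UUID=00000000-0000-4000-8000-000000000003   none  luks,noauto,nofail
usb4     UUID=00000000-0000-4000-8000-000000000004   none  luks,noauto,nofail

# /etc/fstab  -- mount the unlocked mappings, again only by hand
# device            mount point  type  options        dump pass
/dev/mapper/usb1    /d1          ext4  noauto,nofail  0    2
/dev/mapper/usb2    /d2          ext4  noauto,nofail  0    2
/dev/mapper/usb3    /d3          ext4  noauto,nofail  0    2
/dev/mapper/usb4    /d4          ext4  noauto,nofail  0    2
```

After logging in over SSH, each disk is brought up with its crypttab name rather than a drive letter: `sudo cryptdisks_start usb1` on Debian and Ubuntu (or `sudo systemctl start systemd-cryptsetup@usb1.service` on any systemd distribution, since the generator still creates the unit for `noauto` entries), which prompts for the passphrase on the SSH session, followed by `sudo mount /d1`. The `none` in the key field is what keeps the passphrase off the machine; putting a key file path there would unlock the disks unattended but, for the stated threat of stolen hardware, would hand the attacker the key along with the disks.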

In the end, I wrote a short bash script to mount by UUID.

The link above will show the current state (which might include dead), so here's what it looks like today:

#!/bin/bash

# Mount all LUKS partitions that I know about that are connected to
# this machine but not already mounted.

luks_mount() {
    # This is the UUID we can see before luksOpen.
    uuid="$1"
    # Where to mount it.  Should be at the root of the root file
    # system with no trailing slash.  That is, /foo, not /foo/,
    # /foo/bar or simply foo.
    mount_point="$2"
    if [ ! -d "$mount_point" ]; then
        echo "$mount_point does not exist or is not a directory."
        return 1
    fi
    # %D is the device number of the file system containing the path;
    # if it differs from the root file system's, something is already
    # mounted on the mount point.
    root_id=$(stat -c '%D %m' /)
    mount_id=$(stat -c '%D %m' "$mount_point")
    if [ "$root_id" != "$mount_id" ]; then
        echo "$mount_point is already mounted (is not part of the root filesystem)."
        echo "$root_id != $mount_id"
        return 1
    fi
    if [ ! -e "/dev/disk/by-uuid/$uuid" ]; then
        echo "LUKS volume for $mount_point not available."
        return 1
    fi
    # Resolve the by-uuid symlink to the real block device (e.g.
    # /dev/sdc1) rather than parsing stat's quoted output with sed.
    device=$(readlink -f "/dev/disk/by-uuid/$uuid")
    # Mapping name under /dev/mapper: the mount point minus its leading
    # slash, so /foo becomes foo.
    mapping=${mount_point#/}
    echo "Mounting $mount_point:"
    sudo cryptsetup open --type luks "$device" "$mapping" || return 1
    sudo mount "/dev/mapper/$mapping" "$mount_point"
}

luks_mount 4d4bc0a0-e67a-4f9b-8c70-05cfdbf9282c /jma-4t
luks_mount 4b824f8c-94d4-4655-8e56-67ead167ed4c /jma-3t
luks_mount 5d6777f0-f475-451e-bad8-3cdf6e80f7c5 /sb-4t
luks_mount 4ea3852f-8cdd-4ed9-898e-d86a851e0a9c /sb-3t
jma