Uses

# Unmount, then close/lock the encrypted container.
# Every mount backed by the container must be released first; cryptsetup
# cannot close a mapping that is still in use.
sudo umount ~/Documents ~/Downloads /mnt/personal
# Removes the "personal" mapping and wipes its key from kernel memory; the
# data stays inaccessible until the volume is opened again.
sudo cryptsetup close personal
 
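# Open an encrypted volume (the two commands are alternatives; run one of them)
sudo cryptsetup open /dev/nvme1n1 personal # using passphrase, or:
sudo cryptsetup open /dev/nvme1n1 personal --key-file=/etc/luks-keys/personal.key
# Mount again. mount(8) accepts a single target per call (unlike umount), so
# each mount point is mounted on its own; device and options come from fstab.
sudo mount /mnt/personal
sudo mount ~/Documents
sudo mount ~/Downloads
# or
sudo mount -a # everything listed in fstab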
# See all block devices, their encryption, uuid, etc.
# An opened LUKS device shows up as a child mapping under the raw disk.
lsblk -o NAME,MODEL,SIZE,FSTYPE,FSVER,UUID,MOUNTPOINTS,FSUSE%

# Check if encrypted device is open
sudo cryptsetup status personal

# List all open encrypted devices (device-mapper targets, shown as a tree)
sudo dmsetup ls --tree

# Show LUKS header info (key slots, cipher, etc).
# Useful for auditing which key slots are populated, e.g. after adding or
# removing a passphrase or key file. The output describes the header only and
# does not include the volume key.
sudo cryptsetup luksDump /dev/nvme1n1

Setup

Encryption and Keys

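# Encrypt the entire drive, e.g. using same passphrase as system drive.
# luksFormat writes a new LUKS header and makes any existing data on the
# device unrecoverable: confirm the device name with lsblk before running it.
sudo cryptsetup luksFormat --type luks2 /dev/nvme1n1
# Create a secure directory for key files
sudo mkdir -p /etc/luks-keys
sudo chmod 700 /etc/luks-keys

# Generate a random key file.
# umask 077 makes dd create the file as 0600 from the start, so the key is
# never readable by other users, not even briefly.
sudo sh -c 'umask 077 && dd if=/dev/urandom of=/etc/luks-keys/personal.key bs=4096 count=1'
# Still needed: dd keeps the old mode if the file already existed.
sudo chmod 600 /etc/luks-keys/personal.key

# Add the key file to the LUKS volume (so it can unlock with either passphrase OR key file).
# cryptsetup asks for an existing passphrase to authorise the new key slot.
# NOTE: the key file is stored in the clear on the system drive, so this volume
# is only as well protected at rest as that drive is. Keep the system drive
# encrypted and treat root access and backups of /etc as access to this key.
sudo cryptsetup luksAddKey /dev/nvme1n1 /etc/luks-keys/personal.key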

BTRFS Formatting and Subvolumes

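# Open the freshly formatted LUKS container so that /dev/mapper/personal exists
# (skip if it is already open; check with: sudo cryptsetup status personal)
sudo cryptsetup open /dev/nvme1n1 personal

# Create BTRFS filesystem on the mapped device, never on /dev/nvme1n1 itself:
# formatting the raw device would overwrite the LUKS header and leave the
# filesystem unencrypted.
sudo mkfs.btrfs -L personal /dev/mapper/personal

# Mount temporarily to create subvolumes
sudo mkdir -p /mnt/personal
sudo mount /dev/mapper/personal /mnt/personal

# Create subvolumes
sudo btrfs subvolume create /mnt/personal/@documents
sudo btrfs subvolume create /mnt/personal/@downloads

# Unmount
sudo umount /mnt/personal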

Auto-decrypt and Auto-mount

# Add to /etc/crypttab (use the UUID of the LUKS container on /dev/nvme1n1, not the UUID of the BTRFS filesystem inside it):
personal    UUID=<drive-uuid>    /etc/luks-keys/personal.key    luks
# Add to /etc/fstab:
/dev/mapper/personal    /mnt/personal    btrfs    subvolid=5,noatime,compress=zstd    0 0 # For admin tasks such as btrfs backups
/dev/mapper/personal    /home/<username>/Documents    btrfs    subvol=@documents,noatime,compress=zstd    0 0
/dev/mapper/personal    /home/<username>/Downloads    btrfs    subvol=@downloads,noatime,compress=zstd    0 0

Data Migration and Test

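# Move existing data aside BEFORE mounting: once the subvolumes are mounted,
# ~/Documents and ~/Downloads are mount points and can no longer be renamed.
mv ~/Documents ~/Documents-bak
mv ~/Downloads ~/Downloads-bak
mkdir ~/Documents ~/Downloads # fresh, empty mount points

# Mount everything
sudo mount -a

# Set proper ownership first: the subvolumes were created as root, so the
# unprivileged mv below could not write into them otherwise.
# $(id ...) is expanded by the invoking shell, so it names the real user, not
# root; id -gn avoids assuming a group named after the user.
sudo chown -R "$(id -un):$(id -gn)" ~/Documents ~/Downloads

# Move existing data, dotfiles included. find is used instead of the `.*` glob,
# which can also match `.` and `..`, and instead of `*`, which is passed to mv
# literally when a directory is empty.
find ~/Documents-bak -mindepth 1 -maxdepth 1 -exec mv -t ~/Documents/ -- {} +
find ~/Downloads-bak -mindepth 1 -maxdepth 1 -exec mv -t ~/Downloads/ -- {} +

# Verify nothing was left behind. rm -d only removes empty directories, so it
# fails instead of deleting data if the move was incomplete.
ls -alR ~/Documents-bak ~/Downloads-bak
rm -d ~/Documents-bak ~/Downloads-bak

sudo reboot # check auto-mount and auto-decrypt

# After the reboot: confirm the container was unlocked and the subvolumes mounted
lsblk -f
df -h | grep personal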