Mount LUKS encrypted SD card at boot up
This is a note-to-self and robbery from HOWTO: Automatically Unlock LUKS Encrypted Drives With A Keyfile by Stephan Jau.
My libreboot x200 has a 250GB SSD and it sometimes feels a little bit too small, and I had a 64GB SD card lying around and decided to try to set it up as a semi-permanent second storage with these goals in mind:
LUKS/dm-crypt encrypted.
Auto mount at boot.
The idea
We encrypt the SD card with a key file that lives in the encrypted primary volume-group so during boot up we first decrypt the root file system and then the SD card.
In hindsight maybe I should have extended the primary root volume group using LVM instead but let's get started!
Delete any partitions
Since we are dealing with a smallish SD card I see no point in having partitions.
# fdisk /dev/sdX
Then 'd' (repeatedly) to delete any partitions followed by 'w' to write the changes.
Create a 4096 bit random keyfile
We create a 4096 bit keyfile and make it readable only by root.
# dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
# chmod 0400 /root/keyfile
Setting up LUKS
In this step we will encrypt the device with our keyfile and set up a file system (ext4).
We assume the SD card is located at /dev/sdX.
# cryptsetup --key-file /root/keyfile luksFormat /dev/sdX
# cryptsetup --key-file /root/keyfile open --type luks /dev/sdX mappingName
# mkfs.ext4 /dev/mapper/mappingName
# cryptsetup close mappingName
Setting up boot stuff
First find the UUID of the device.
# blkid /dev/sdX
Suppose it is 727cac18-044b-4504-87f1-a5aefa774bda.
Add the following line to /etc/crypttab:
sdX_crypt /dev/disk/by-uuid/727cac18-044b-4504-87f1-a5aefa774bda /root/keyfile luks
Then finally add the following to /etc/fstab:
/dev/mapper/sdX_crypt /media/hav0 ext4 defaults 0 2
That's it! Try it out by executing mount -a.
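A pre-reboot check for the two pieces this setup depends on, the /etc/crypttab entry and the keyfile permissions, as an added example that is not part of the original note. The function names are hypothetical, the sample entries are constructed from the example UUID above, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original note. Sample entries are constructed.

# check_crypttab_line "name device keyfile [options]"
# Returns 0 if the entry is well formed, otherwise prints why and returns 1.
check_crypttab_line() {
    set -f                      # no globbing while splitting on whitespace
    set -- $1
    set +f
    if [ "$#" -lt 3 ] || [ "$#" -gt 4 ]; then
        echo "expected 3 or 4 fields, got $#"; return 1
    fi
    case "$2" in
        /dev/disk/by-uuid/*/*)
            echo "device field has a path after the UUID: $2"; return 1 ;;
    esac
    case "$3" in
        none|-|/*) ;;           # no key file, or an absolute path to one
        *) echo "key file field is not a path: $3"; return 1 ;;
    esac
    return 0
}

# check_keyfile_perms PATH [OWNER_UID]
# The keyfile unlocks the card, so it must belong to OWNER_UID (default 0,
# root) and grant nothing to group or others.
check_keyfile_perms() {
    [ -f "$1" ] || { echo "not a regular file: $1"; return 1; }
    mode=$(stat -c '%a' "$1")   # GNU stat, octal mode such as 400
    owner=$(stat -c '%u' "$1")
    if [ "$owner" != "${2:-0}" ]; then
        echo "owner uid is $owner, expected ${2:-0}"; return 1
    fi
    case "$mode" in
        0|*00) return 0 ;;
        *) echo "mode $mode lets group or others access $1"; return 1 ;;
    esac
}

# Constructed sample entries: the second one has lost the space between
# the device and the key file, so "luks" lands in the key file field.
for entry in \
    "sdX_crypt /dev/disk/by-uuid/727cac18-044b-4504-87f1-a5aefa774bda /root/keyfile luks" \
    "sdX_crypt /dev/disk/by-uuid/727cac18-044b-4504-87f1-a5aefa774bda/root/keyfile luks"
do
    if msg=$(check_crypttab_line "$entry"); then echo "OK: $entry"; else echo "BAD: $msg"; fi
done
```

On the real system, run check_keyfile_perms /root/keyfile as root and feed check_crypttab_line the non-comment lines of /etc/crypttab.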