How to encrypt and automount a data partition (system not encrypted)

pbear
Posts: 311
Joined: Tue Aug 09, 2022 9:24 pm

How to encrypt and automount a data partition (system not encrypted)

#1 Post by pbear »

This is an alternative to full disk encryption. Frankly, I don't worry about someone tampering with the operating system. What I care about are data files. Meanwhile, repairing an encrypted system can be difficult. I encrypt a data partition rather than home because (a) it's easier to manage backups; (b) it's easier to share an encrypted data partition on a multi-boot system; and (c) any advantage at reinstall of recycling /home other than data (e.g., config files) can be captured easily by ordinary copy-and-paste. Main drawback of the strategy is that it isn't supported by the MX installer. Can be done manually, though, by anyone moderately comfortable with command line and editing config files.

There are six steps:

1. Partition setup
2. Installation
3. Encrypt data partition
4. Create crypttab file; Edit fstab; Update initramfs
5. Create mount point and symlinks
6. Reboot to test

Partition setup. I do this with GParted in the live session, before running the installer. Main reason is that Step 3 is easier if the partition already exists. For illustration, I'm using a virtual machine (VirtualBox), BIOS boot, with two partitions: 30 GB each for System and Data partition. A real system might have an EFI partition, a larger system partition, a much larger data partition, and/or other partitions besides those three. The system and data partitions do not need to be on the same drive; for example, the system can be on an SSD and the data partition on a separate HDD.

Installation. Same as usual, except need to use manual method (Customize the disk layout) to preserve the partition table. No home partition; will be a mere directory on the system partition. No need for a swap partition, though it's supported; if none, will get a swap file. I prefer to enable autologin on the user account screen, on the theory the data partition's LUKS password becomes, in effect, the login password.

Encrypt data partition. Shut down live session, then boot into installed system. Can do usual other steps first (e.g., update, setup, Timeshift) or wait until after have set up data partition. For the latter, open Terminal and run three commands in this form:

Code:

sudo cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 -v luksFormat /dev/sda2
sudo cryptsetup -v luksOpen /dev/sda2 Data
sudo mkfs -t ext4 -L Data /dev/mapper/Data
Note: Modify /dev/sda2 if (as is likely) the data partition is located elsewhere. Another label may be used if preferred, e.g., Data-Files, but avoid spaces.

Create crypttab; Edit fstab; Update initramfs.

Code:

lsblk -f
echo "Data   UUID=<copy-from-lsblk>   none   luks,discard" | sudo tee -a /etc/crypttab
echo "/dev/mapper/Data   /data   ext4   defaults,noatime,nofail   0   2" | sudo tee -a /etc/fstab
sudo update-initramfs -u
Note: The UUID to copy for crypttab is the LUKS container, in this case sda2, not the decrypted file system. A text editor could be used to create crypttab and edit fstab; tee just seems to me easier. The discard parameter for crypttab is only useful for an SSD (enables trim), but harmless for an HDD; can be omitted for the latter if you prefer things tidy. If using a different mount point (see next), modify the fstab command to match.

Create mount point and symlinks.

Code:

sudo mkdir /data ; sudo mount -a ; sudo chown -R "$USER:$USER" /data
mv "$HOME/Documents" /data ; mv "$HOME/Downloads" /data ; mv "$HOME/Music" /data ; mv "$HOME/Pictures" /data ; mv "$HOME/Videos" /data
ln -s /data/Documents "$HOME" ; ln -s /data/Downloads "$HOME" ; ln -s /data/Music "$HOME" ; ln -s /data/Pictures "$HOME" ; ln -s /data/Videos "$HOME"
sudo umount /data ; sudo chown root:root /data
Note: These commands move the Big Five folders in Home to the data partition, then symlink them back. The upshot is that the folders are visible in Home, but actually located on the data partition. Mounting at /data is non-standard under the Filesystem Hierarchy Standard; /media and /mnt don't really fit either, though, so might as well use something clear and simple. If you prefer to mount in /media or /mnt, that works also; of course, modify the commands to match.

Reboot to test. Main thing we are testing is whether the LUKS password for the data partition (a) is required and (b) sufficient to reach the desktop. Also, open File Manager to make sure the Big Five folders show as symlinks.

Recap. I think it helps understand the process to see how things turn out in the end.

Code:

lsblk -f
NAME     FSTYPE      FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda                                                                                   
├─sda1   ext4        1.0   System f18cdee9-912a-4a89-9015-5077287063b4   19.1G    30% /
└─sda2   crypto_LUKS 2            6bf7e64b-8c93-41ee-8072-3fbd7ff231c2                
  └─Data ext4        1.0   Data   cac554cb-4d82-4a43-9388-a6bb18cf906f   27.8G     0% /data
sr0

Code:

cat /etc/crypttab
Data   UUID=6bf7e64b-8c93-41ee-8072-3fbd7ff231c2   none   luks,discard

Code:

cat /etc/fstab
# Pluggable devices are handled by uDev, they are not in fstab
UUID=f18cdee9-912a-4a89-9015-5077287063b4 / ext4 noatime 0 1
/swapfile swap swap defaults 0 0
/dev/mapper/Data   /data   ext4   defaults,noatime,nofail   0   2
Note: During installation (MX-23), I modified /swap/swap to /swapfile, because that's the standard configuration and works fine with ext4. The change has no relevance to this tutorial; the installer's default would have worked just as well. Likewise, I've set the 'dump' parameter in fstab to zero, because that's what I'm used to; the MX default of '1' is harmless AFAIK.

Other Notes:

If something bad happens to encrypted data, no form of data recovery can help. Don't be the person who says, "Yeah, yeah, I know I should have ... " The backup can be encrypted or not as appropriate under the circumstances.

Other folders in home can be moved to the data partition if you want them to be encrypted. Two likely candidates are .mozilla (for Firefox) and .thunderbird (especially if you like to archive emails). As with the regular Big Five, symlink the folders from the data partition back into home at their usual location.

VirtualBox access. Be aware, VBox's shared folder function cannot access files through symlinks. (This is true whether or not encryption is in play.) If you want guests to have access to the host's data partition, you must specify the mount point (or one-or-more of its sub-folders) as the shared folder. I don't know how other virtualization apps handle symlinks.

Backup LUKS header. The header is the Achilles heel of an encrypted volume. If it gets corrupted, the volume cannot be opened. To backup, sudo cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file luksheader-data. Move from current directory (usually $HOME) to a location where it will be backed up as a matter of course. The header isn't sensitive (can't be read by a hacker), so doesn't need to be saved in an encrypted location. To restore, copy back to current directory and run sudo cryptsetup luksHeaderRestore /dev/sda2 --header-backup-file luksheader-data.

Encrypted system. The procedure described above works fine with system encryption (i.e., encrypting both partitions) if you don't mind entering two passwords (or the same password twice). You can boot with a single password, though, if you mount the data partition with a keyfile saved inside the encrypted system partition. After encrypting the data partition per Step 3, create the keyfile and add as an additional key:

Code:

sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4
sudo chmod 0400 /root/.keyfile
sudo cryptsetup luksAddKey /dev/sda2 /root/.keyfile
In Step 4, replace the crypttab command with echo "Data UUID=<copy-from-lsblk> /root/.keyfile luks,discard" | sudo tee -a /etc/crypttab. crypttab ends up with two lines, one for each partition.

cryptsetup. If not familiar, start with the man page. Then, like most things Linux, do some research on the internet.
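An added example, written for this thread and not taken from pbear's post, covering Step 4 and the keyfile variant above. It reads the text of lsblk -f and picks out the UUID of the crypto_LUKS container (sda2 in the post), refusing to return the UUID of the ext4 filesystem that appears inside it once unlocked, which is the mistake the Step 4 note warns about. It then builds the crypttab and fstab lines (with "none" or a keyfile path as the key source) and appends them only if they are not already present. The sample lsblk output is constructed from the recap in the post; the device name, mapper name and mount point are assumed to be supplied by the caller, and nothing is written to the real /etc files unless you call append_once on them.

```bash
#!/bin/sh
# Added example (not from pbear's post): derive /etc/crypttab and /etc/fstab
# entries for an encrypted data partition from the text of `lsblk -f`, so the
# UUID copied is that of the crypto_LUKS container, never the inner filesystem.
# Assumptions: device name, mapper name and mount point are passed by the caller.

# Sample output, constructed here from the recap in the post, used for the demo.
SAMPLE_LSBLK=$(cat <<'EOF'
NAME     FSTYPE      FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda
├─sda1   ext4        1.0   System f18cdee9-912a-4a89-9015-5077287063b4   19.1G    30% /
└─sda2   crypto_LUKS 2            6bf7e64b-8c93-41ee-8072-3fbd7ff231c2
  └─Data ext4        1.0   Data   cac554cb-4d82-4a43-9388-a6bb18cf906f   27.8G     0% /data
sr0
EOF
)

# Read lsblk -f text on stdin; print the UUID of the crypto_LUKS row for $1.
# Prints nothing and returns 1 if $1 is not a LUKS container, which catches the
# common mistake of copying the UUID of the decrypted filesystem instead.
luks_uuid_from_lsblk() {
    awk -v dev="$1" '
        {
            name = $1
            sub(/^[^a-zA-Z0-9]+/, "", name)      # drop the "├─" / "└─" tree prefix
            if (name != dev || $2 != "crypto_LUKS") next
            for (i = 3; i <= NF; i++)            # UUID: 36 chars of hex and dashes
                if (length($i) == 36 && $i ~ /^[0-9a-f-]+$/) { print $i; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# crypttab entry: key source "none" prompts at boot; pass a keyfile path such as
# /root/.keyfile for the single-password encrypted-system variant.
crypttab_line() {
    printf '%s UUID=%s %s %s\n' "$1" "$2" "${3:-none}" "${4:-luks,discard}"
}

# fstab entry for the mapped device; nofail keeps the boot going if the unlock
# is skipped or the drive is absent.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,noatime,nofail 0 2\n' "$1" "$2"
}

# Append a line only if it is not already there (exact match), so re-running the
# setup never leaves two crypttab rows for the same mapper name.
append_once() {
    if [ -f "$2" ] && grep -qxF -- "$1" "$2"; then
        printf 'already present in %s: %s\n' "$2" "$1" >&2
        return 1
    fi
    printf '%s\n' "$1" >> "$2"
}

# Demo: print both lines for the sample layout without writing anything.
# On a real system: lsblk -f | luks_uuid_from_lsblk sda2
demo() {
    uuid=$(printf '%s\n' "$SAMPLE_LSBLK" | luks_uuid_from_lsblk sda2) || {
        echo "sda2 is not a LUKS container" >&2; return 1; }
    crypttab_line Data "$uuid"
    fstab_line Data /data
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the two generated lines; to apply them for real, pipe the live lsblk -f into luks_uuid_from_lsblk and feed the results to append_once with /etc/crypttab and /etc/fstab (as root), then run update-initramfs -u as in Step 4.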

thomasl
Posts: 477
Joined: Sun Feb 04, 2018 9:26 am

Re: How to encrypt and automount a data partition (system not encrypted)

#2 Post by thomasl »

Very good write-up :number1: . Two remarks:

1. Another viable data encryption method is VeraCrypt. The main advantage of this is that the encrypted partition can be opened from a Windows system as well (so this is mostly of interest to people who are dual booting). I've done this sharing of a VeraCrypted volume (NTFS-formatted) between Linux and Windows for a number of years but as the number of programs I use in bare-metal Windows (as opposed to Windows in a VM) has dwindled to 2, I very rarely these days boot even into Windows so I now have reformatted the VeraCrypt partition as ext4 (not least because the system runs faster that way).

I would supply everything that's needed to use VeraCrypt instead of LUKS but I am working from a frugal install so I can't really give the level of precise detail that's required for an installed system.

2.
pbear wrote: Fri Jul 21, 2023 11:57 pm
VirtualBox access. Be aware, VBox's shared folder function cannot access files through symlinks. (This is true whether or not encryption is in play.) If you want guests to have access to the host's data partition, you must specify the mount point (or one-or-more of its sub-folders) as the shared folder. I don't know how other virtualization apps handle symlinks.
Hm... I may well totally misunderstand what you're talking about but here VBox (both the 6.x and 7.x versions) does support symlinks as shared folders. In fact, my three shared folders are all symlinks and they work perfectly well in the Windows VM. Could you please clarify?
Frugal installs on Lenovo ThinkPad L14 Ryzen 5 4650U/24GB * HP Pavilion Ryzen 3 3300U/16GB * Toshiba R950 i5-3340M/12GB
I have a reservation... What do you mean it's not in the COMPUTER!

l0dr3
Posts: 463
Joined: Wed Jun 28, 2023 11:06 am

Re: How to encrypt and automount a data partition (system not encrypted)

#3 Post by l0dr3 »

thomasl wrote: Sat Jul 22, 2023 7:54 am
VBox (both the 6.x and 7.x versions) does support symlinks as shared folders. ...

depends on how the module is loaded ...

Code:

modinfo vboxsf
filename:       /lib/modules/6.4.2/kernel/fs/vboxsf/vboxsf.ko
alias:          fs-vboxsf
license:        GPL v2
author:         Oracle Corporation
description:    Oracle VM VirtualBox Module for Host File System Access
depends:        vboxguest
retpoline:      Y
intree:         Y
name:           vboxsf
<snip>

parm:           follow_symlinks:Let host resolve symlinks rather than showing them (int)
regards

l0dr3

thomasl
Posts: 477
Joined: Sun Feb 04, 2018 9:26 am

Re: How to encrypt and automount a data partition (system not encrypted)

#4 Post by thomasl »

Thanks, @l0dr3, for that.

Didn't know this (or if I did, have long forgotten :snail: ). Not sure what the OOTB state is but in my case VBox has always accepted symlinks... but then again, my original install is many years old so I may well have fiddled with this.

pbear
Posts: 311
Joined: Tue Aug 09, 2022 9:24 pm

Re: How to encrypt and automount a data partition (system not encrypted)

#5 Post by pbear »

thomasl wrote: Sat Jul 22, 2023 7:54 am
Two remarks:
Thanks for the kind words.

VeraCrypt. Good point. I used to use the app (for sharing between Linux and Windows) and it's very good. Also, I've noticed in my reading that it's supported by cryptsetup, so I assume can be set up to automount the same as a LUKS-encrypted data partition. Have never had occasion to work out details, though. If anyone knows and wants to post, please feel free to post in this thread.

VirtualBox. A bit off-topic, actually. I slipped that in at the last moment because I was brain-storming 'What can go wrong?' Maybe there's a way to get symlinks to work in a VBox guest, but my uniform experience, confirmed last night with MX-23 and VBox 7.0.8, is that a shared folder can't access files through a symlink. Again, if anyone knows a workaround, please feel free to post in this thread.

CharlesV
Global Moderator
Posts: 7056
Joined: Sun Jul 07, 2019 5:11 pm

Re: How to encrypt and automount a data partition (system not encrypted)

#6 Post by CharlesV »

pbear wrote: Sat Jul 22, 2023 11:58 am
Thanks for the kind words.

VeraCrypt. Good point. I used to use the app (for sharing between Linux and Windows) and it's very good. Also, I've noticed in my reading that it's supported by cryptsetup, so I assume can be set up to automount the same as a LUKS-encrypted data partition. Have never had occasion to work out details, though. If anyone knows and wants to post, please feel free to post in this thread.

VirtualBox. A bit off-topic, actually. I slipped that in at the last moment because I was brain-storming 'What can go wrong?' Maybe there's a way to get symlinks to work in a VBox guest, but my uniform experience, confirmed last night with MX-23 and VBox 7.0.8, is that a shared folder can't access files through a symlink. Again, if anyone knows a workaround, please feel free to post in this thread.
Very nice post! I am also a veracrypt fan and prefer to use that for real encrypted areas. My main reasons... its portable and also I can mount it when and if I need too.

And I agree with the VB symlink issue, I have never been able to get them to work.
*QSI = Quick System Info from menu (Copy for Forum)
*MXPI = MX Package Installer
*Please check the solved checkbox on the post that solved it.
*Linux -This is the way!

l0dr3
Posts: 463
Joined: Wed Jun 28, 2023 11:06 am

Re: How to encrypt and automount a data partition (system not encrypted)

#7 Post by l0dr3 »

CharlesV wrote: Sat Jul 22, 2023 12:50 pm
And I agree with the VB symlink issue, I have never been able to get them to work.
I can say (just checked), definitely, symlink-resolving works with VBox v6.1.38 on Windows-HOST with Windows-GUESTs.

Probably they won't work in

a.) Windows-Linux
b.) VBox V7.x.x

scenarios ???

l0dr3

CharlesV
Global Moderator
Posts: 7056
Joined: Sun Jul 07, 2019 5:11 pm

Re: How to encrypt and automount a data partition (system not encrypted)

#8 Post by CharlesV »

For me:
__ Linux host & guest
__ Shared VB directory
__ In that shared directory a symlink to another directory.

all works on the host. In the guest, there is a file with the symlink arrow and an X . When clicked, thunar asks how to open it - nothing works.

thomasl
Posts: 477
Joined: Sun Feb 04, 2018 9:26 am

Re: How to encrypt and automount a data partition (system not encrypted)

#9 Post by thomasl »

Well, as I wrote in post #2, both my Linux hosts (VBox 6.1 on MX19 and VBox 7.0 on MX23) support symlinks as shared folders for a Windows7 and a Windows10 VM (and did so for a long time). I have to the best of my knowledge not changed any settings in VBox to get there... though I could have done so and clean forgot about it.

I agree with @pbear that a VeraCrypt version would be great... perhaps someone with the know-how can provide that.

l0dr3
Posts: 463
Joined: Wed Jun 28, 2023 11:06 am

Re: How to encrypt and automount a data partition (system not encrypted)

#10 Post by l0dr3 »

CharlesV wrote: Sat Jul 22, 2023 1:14 pm
For me:
__ Linux host & guest
__ Shared VB directory
__ In that shared directory a symlink to another directory.

all works on the host. In the guest, there is a file with the symlink arrow and an X . When clicked, thunar asks how to open it - nothing works.
confirm that - just tested: MX23-HOST vs. MX23-Guest: broken symlink :mad:

Not my 'trouble spot' ATM, but here are the links that helped me to make it run in a WIN-WIN scenario

https://www.speich.net/articles/en/2018 ... -guest-os/
https://superuser.com/questions/124679/ ... ser#125981

regards

l0dr3
