On 8/1/18 3:47 PM, Carles Pina i Estany wrote:
>
> Hi,
>
> I have a Debian Stretch and recently I added a new cyphered partition.
> All works well but I don't understand why and it's bothering me.

*snip*

> A question would be:
> a) How to enter the passphrase only once?
> b) When/where (scripts) and how is the passphrase stored?

a)

Short version: Use LVM to set up your partitions. This can be done in the installer. Have your overall hierarchy look like this:

Raw disk (/dev/sda)
  |
LUKS partition (/dev/sdaX) + /boot partition (likely /dev/sda1)
  |
LVM Physical Volume (/dev/LVM)
  |
LVM Logical Volumes (/dev/LVM/root mounted as /, and /dev/LVM/swap mounted as /swap)

Long version: Here is an example of how an encrypted LVM partition can look. We will look at how I have it set up.

First, the output of lsblk:

matthew@matt-tower:~$ lsblk /dev/sda
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                     8:0    0 465.8G  0 disk
├─sda1                  8:1    0 953.7M  0 part  /boot
├─sda2                  8:2    0     1K  0 part
└─sda5                  8:5    0 464.8G  0 part
  └─sda5_crypt        254:0    0 464.8G  0 crypt
    ├─root--swap-root 254:1    0   447G  0 lvm   /
    └─root--swap-swap 254:2    0  17.8G  0 lvm   [SWAP]

sda1 is /boot (necessary, as an encrypted /boot is not really possible right now), sda2 is an unused 1K partition (necessary due to partitioning oddities, don't worry about it), and sda5 is my actual encrypted partition. sda5 then has a LUKS encrypted partition called sda5_crypt. Within the LUKS partition is an LVM group called root-swap, which we can see when we run pvdisplay:

matthew@matt-tower:~$ sudo pvdisplay
  --- Physical volume ---
  PV Name               /dev/mapper/sda5_crypt
  VG Name               root-swap
  PV Size               464.83 GiB / not usable 2.00 MiB
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              118995
  Free PE               0
  Allocated PE          118995
  PV UUID               XXXXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXXXX

Within this LVM group are two sub-partitions, which act as my /root and /swap partitions.

matthew@matt-tower:~$ sudo lvdisplay
  --- Logical volume ---
  LV Path                /dev/root-swap/root
  LV Name                root
  VG Name                root-swap
  LV UUID                XXXXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXXXX
  LV Write Access        read/write
  LV Creation host, time matt-tower, 2018-06-25 10:24:13 -0700
  LV Status              available
  # open                 1
  LV Size                447.04 GiB
  Current LE             114441
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:1

  --- Logical volume ---
  LV Path                /dev/root-swap/swap
  LV Name                swap
  VG Name                root-swap
  LV UUID                XXXXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXXXX
  LV Write Access        read/write
  LV Creation host, time matt-tower, 2018-06-25 10:24:19 -0700
  LV Status              available
  # open                 2
  LV Size                17.79 GiB
  Current LE             4554
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:2

Lastly, the output of my /etc/crypttab and /etc/fstab:

matthew@matt-tower:~$ cat /etc/crypttab
sda5_crypt UUID=ea2034e1-c550-466c-b9a4-61c40f0891b6 none luks

matthew@matt-tower:~$ cat /etc/fstab
# <file system>                             <mount point> <type> <options>                 <dump> <pass>
/dev/mapper/root--swap-root                 /             ext4   discard,errors=remount-ro 0      1
# /boot was on /dev/sda1 during installation
UUID=5c24b6a3-f1ec-42b7-9d03-251295853167   /boot         ext2   noatime,nodiratime        0      2
/dev/mapper/root--swap-swap                 none          swap   sw                        0      0

Here is the overall hierarchy:

Raw disk (/dev/sda)
  |
LUKS partition (/dev/sda5)
  |
LVM Physical Volume (/dev/root-swap)
  |
LVM Logical Volumes (/dev/root-swap/root mounted as /, and /dev/root-swap/swap mounted as /swap)

At boot time, /boot is automatically mounted, and when it is time to mount /, it will ask for the LUKS partition password. Once unlocked, it will mount the LVM physical volume, then subsequently mount both LVM logical volumes in one swoop. One password for two logical partitions.

b)

Read the manpage for cryptsetup. It has everything you need to understand how LUKS encryption works.

Cheers,
-Matt
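The crypttab line in the reply is where the "one prompt" behaviour is decided: the third field is "none", so cryptsetup asks for the passphrase interactively, and there is exactly one such entry because root and swap are logical volumes inside a single LUKS container. The shell snippet below is an added illustration, not part of Matt's reply or of the Debian tooling: it parses a crypttab(5)-format file, classifies each entry as an interactive prompt or a key file, and counts the prompts a boot would need. Both sample files are constructed (the first reuses the UUID shown above, the second uses placeholder UUIDs).

```shell
#!/bin/sh
# Added example: summarise the passphrase prompts implied by a crypttab(5) file.
# Fields are: <target> <source> <key file> <options>.  A key file of "none"
# or "-" (or a missing third field) means an interactive prompt at boot;
# anything else is a path that cryptsetup reads as the key.

# Print one line per active entry: "<target> <source> prompt|keyfile:<path>"
crypttab_summary() {
    # $1: path to a file in crypttab(5) format
    awk '
        /^[[:space:]]*#/ { next }     # skip comment lines
        NF == 0          { next }     # skip blank lines
        {
            target = $1; source = $2; key = $3
            if (key == "" || key == "none" || key == "-")
                mode = "prompt"
            else
                mode = "keyfile:" key
            print target, source, mode
        }' "$1"
}

# Count how many interactive passphrase prompts a boot would require.
crypttab_prompt_count() {
    crypttab_summary "$1" | awk '$3 == "prompt" { n++ } END { print n + 0 }'
}

# Constructed sample 1: the layout from the thread, one LUKS container
# holding the LVM volume group for / and swap, hence a single prompt.
SAMPLE_CRYPTTAB=$(mktemp)
cat > "$SAMPLE_CRYPTTAB" <<'EOF'
# <target name> <source device> <key file> <options>
sda5_crypt UUID=ea2034e1-c550-466c-b9a4-61c40f0891b6 none luks
EOF

# Constructed sample 2 (placeholder UUIDs): one LUKS container per
# filesystem, which is what produces repeated prompts; the third entry
# uses a key file and so never prompts.
TWO_CONTAINERS=$(mktemp)
cat > "$TWO_CONTAINERS" <<'EOF'
root_crypt  UUID=00000000-0000-0000-0000-000000000001 none luks
swap_crypt  UUID=00000000-0000-0000-0000-000000000002 none luks,swap
home_crypt  UUID=00000000-0000-0000-0000-000000000003 /etc/keys/home.key luks
EOF

echo "sample 1 prompts: $(crypttab_prompt_count "$SAMPLE_CRYPTTAB")"
echo "sample 2 prompts: $(crypttab_prompt_count "$TWO_CONTAINERS")"
```

Run it against the real /etc/crypttab to see how many prompts a given machine will ask for; any entry reported as "keyfile:" is worth checking, since the key file has to live somewhere readable at boot.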