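#!/usr/bin/env bash
# Title: Encrypt Disk (with LUKS and btrfs)
# Subject: Encrypt external disk: you plug it in, enter a password, and your
#          filesystem is accessible
#
# REFS:
#   https://gist.github.com/MaxXor/ba1665f47d56c24018a943bb114640d7
#   https://en.wikipedia.org/wiki/Device_mapper
#   https://unix.stackexchange.com/questions/225108/how-to-automate-cryptsetup-luksaddkey-with-passphrase
#   https://askubuntu.com/questions/236681/filesystem-label-rename
#
# This is a runbook, not a one-shot installer: every step is a function and is
# run by name (`./encrypt_disk.sh make-key`, `./encrypt_disk.sh format`, ...).
# With no argument the script only lists the steps. Steps that touch the
# device must be run as root (sudo); the script refuses otherwise.
#
# Tunables (override through the environment):
#   DEV   block device to encrypt                 (default /dev/sdb)
#   NAME  device-mapper name                      (default encrypted_disk)
#   MNT   mount point for the manual test mount   (default /mnt/$NAME)
#   KEY   random key file written by `make-key`   (default ./cryptkey)
set -euo pipefail

DEV=${DEV:-/dev/sdb}
NAME=${NAME:-encrypted_disk}
MNT=${MNT:-/mnt/${NAME}}
KEY=${KEY:-./cryptkey}
MAPPER="/dev/mapper/${NAME}"
readonly DEV NAME MNT KEY MAPPER

die() { printf '%s\n' "$*" >&2; exit 1; }

need_root() { (( EUID == 0 )) || die "this step must run as root (sudo)"; }

#######################################
# Print the /etc/crypttab line that auto-unlocks the disk at boot.
# Arguments: $1 mapper name, $2 LUKS UUID, $3 ABSOLUTE key-file path
# Outputs:   the crypttab entry on stdout
#######################################
crypttab_entry() {
  local name=$1 uuid=$2 keyfile=$3
  # crypttab needs an absolute key path: ./cryptkey in a home directory is not
  # reachable during boot. Append ',discard' for SSDs.
  printf '%s UUID=%s %s luks,noearly\n' "$name" "$uuid" "$keyfile"
}

#######################################
# Print the /etc/fstab line that mounts the opened mapper.
# Arguments: $1 mapper device, $2 mount point
# Outputs:   the fstab entry on stdout
#######################################
fstab_entry() {
  local mapper=$1 mnt=$2
  # Consider adding ',nofail' for a removable disk so boot does not block on it.
  printf '%s %s btrfs defaults,noatime,compress=zstd 0 2\n' "$mapper" "$mnt"
}

#######################################
# Build a snapshot name: <subvolume>_<YYYYMMDD>.snapshot
# Arguments: $1 subvolume name, $2 optional date stamp (default: today)
# Outputs:   the snapshot name on stdout
#######################################
snapshot_name() {
  local subvol=$1
  local stamp=${2:-}
  [[ -n "$stamp" ]] || stamp=$(date +%Y%m%d)
  printf '%s_%s.snapshot\n' "$subvol" "$stamp"
}

# Cleanup old mapper if it exists (was an unconditional `dmsetup remove`,
# which fails when nothing is mapped).
step_cleanup() {
  need_root
  if [[ -e "$MAPPER" ]]; then
    cryptsetup close "$NAME"
  fi
}

# Create key: 64 random bytes. umask 077 makes the file root-only from the
# moment it exists, so there is no window between dd and chmod.
step_make_key() {
  if [[ -e "$KEY" ]]; then
    die "$KEY already exists; refusing to overwrite a key that may unlock a disk"
  fi
  ( umask 077; dd bs=64 count=1 if=/dev/urandom of="$KEY" iflag=fullblock )
  chmod 600 -- "$KEY"
}

# Encrypt the device and back up the LUKS header.
step_format() {
  need_root
  [[ -b "$DEV" ]] || die "$DEV is not a block device"
  [[ -s "$KEY" ]] || die "key file $KEY missing; run make-key first"
  # --batch-mode suppresses cryptsetup's own "are you sure", so show the
  # target and ask here before anything is wiped.
  lsblk "$DEV"
  local answer
  read -rp "luksFormat will DESTROY everything on ${DEV}. Type YES to continue: " answer
  [[ "$answer" == "YES" ]] || die "aborted"
  cryptsetup -v --batch-mode -c aes-xts-plain64 -h sha512 -s 512 luksFormat "$DEV" "$KEY"
  # Backup LUKS header. Keep it OFF this disk and root-only: it holds the key
  # slots as they are now, so any passphrase valid at backup time still unlocks
  # the disk through the backup even after it is removed from the live header.
  ( umask 077; cryptsetup luksHeaderBackup --header-backup-file "./${DEV##*/}.header.bak" "$DEV" )
}

# Manually unlock with the key file, then create the filesystem.
step_mkfs() {
  need_root
  cryptsetup open --key-file="$KEY" --type luks "$DEV" "$NAME"
  ls -tlr /dev/mapper/
  # total 0
  # crw-rw---- 1 root root 10, 236 Sep  8 07:19 control
  # lrwxrwxrwx 1 root root       7 Sep 11 06:54 encrypted_disk -> ../dm-0
  mkfs.btrfs "$MAPPER"
  # btrfs-progs v5.4.1
  # Label: (null)  UUID: 0e702c2e-12e7-461a-9ada-aaf5cecf2d43
  # Node size: 16384  Sector size: 4096  Filesystem size: 953.85GiB
  # Data: single 8.00MiB  Metadata: DUP 1.00GiB  System: DUP 8.00MiB
  # Checksum: crc32c  Devices: 1 953.85GiB /dev/mapper/encrypted_disk
}

# Show it / view the state of things.
step_show() {
  blkid -t TYPE=crypto_LUKS
  # /dev/sdb: UUID="51057812-e2d5-4d0b-94fa-e994071eeaca" TYPE="crypto_LUKS"
  lsblk "$DEV"
  # NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
  # sdb                8:16   0 953.9G  0 disk
  # \-encrypted_disk 253:0    0 953.9G  0 crypt
}

# Test mount.
step_test_mount() {
  need_root
  mkdir -p -- "$MNT"
  mount -t btrfs -o defaults,noatime,compress=zstd "$MAPPER" "$MNT"
}

# Add a typed passphrase to a free key slot, authenticating with the key file.
step_add_passphrase() {
  need_root
  [[ -s "$KEY" ]] || die "key file $KEY missing"
  # --key-file proves we hold the existing key; the NEW passphrase is prompted
  # (with verification), so no plaintext password_file is ever written.
  cryptsetup luksAddKey --key-file="$KEY" "$DEV"
  # If a passphrase file is unavoidable (scripted provisioning): the file's
  # whole content is the passphrase, so write it with printf (no newline),
  # root-only, and delete it right after the slot is added, e.g.
  #   ( umask 077; printf '%s' "$pw" > ./password_file )
  #   cryptsetup luksAddKey --key-file="$KEY" "$DEV" ./password_file
  #   rm -f -- ./password_file
}

#
# BTRFS STUFF
#
# Pull it out. Pop it in. Don't let the OS mount it for you (just close the
# password prompt), then create the decrypted device mapping by hand.
step_open() {
  need_root
  cryptsetup luksOpen "$DEV" "$NAME"   # Enter password; creates $MAPPER
  mkdir -p -- "$MNT"
  mount "$MAPPER" "$MNT"
}

# Change the label of the disk. `btrfs filesystem label` takes the mount point
# (or device) first and the new label second; the bare name alone is an error.
step_label() {
  need_root
  df -h "$MNT"
  btrfs filesystem label "$MNT" "$NAME"
  sync
}

# Pull it out. Pop it in. The desktop now automounts it under /media/<user>/.
# Create a subvolume and snapshot it.
step_subvolumes() {
  local mnt_point
  mnt_point="/media/$(id -un)/${NAME}"   # was $(username), which is not a command
  [[ -d "$mnt_point" ]] || die "$mnt_point is not mounted"
  pushd "$mnt_point" >/dev/null
  btrfs subvolume create sub1
  btrfs subvolume snapshot sub1 "$(snapshot_name sub1)"
  btrfs subvolume list .
  # ID 257 gen 55 top level 5 path sub1
  # ID 259 gen 55 top level 5 path sub1_20200911.snapshot
  # ID 261 gen 56 top level 5 path sub1_20200912.snapshot
  # Set default volume for next mount:
  #   btrfs subvolume set-default 257 "$mnt_point"
  popd >/dev/null
}

# Print the fstab automount and crypttab auto-unlock lines (nothing is written).
step_persist() {
  local uuid
  uuid=$(blkid -s UUID -o value "$DEV") || die "cannot read the LUKS UUID of $DEV"
  printf '# /etc/fstab\n'
  fstab_entry "$MAPPER" "$MNT"
  printf '# /etc/crypttab  (key path below is an EXAMPLE: copy %s there, root-only, mode 0600)\n' "$KEY"
  crypttab_entry "$NAME" "$uuid" "/etc/luks-keys/${NAME}.key"
}

usage() {
  cat >&2 <<EOF
Usage: ${0##*/} STEP
Steps, in order:
  cleanup make-key format mkfs show test-mount add-passphrase
  open label subvolumes persist
EOF
}

main() {
  case "${1:-}" in
    cleanup)        step_cleanup ;;
    make-key)       step_make_key ;;
    format)         step_format ;;
    mkfs)           step_mkfs ;;
    show)           step_show ;;
    test-mount)     step_test_mount ;;
    add-passphrase) step_add_passphrase ;;
    open)           step_open ;;
    label)          step_label ;;
    subvolumes)     step_subvolumes ;;
    persist)        step_persist ;;
    '')             usage ;;
    *)              usage; exit 2 ;;
  esac
}

main "$@"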