Created
May 20, 2019 12:36
-
-
Save loadenmb/e597670369f0d3454b0f3f990d748475 to your computer and use it in GitHub Desktop.
Create auto mount of luks encrypted volume on system start
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/sh | |
| # create auto mount of luks encrypted volume on system start | |
| # scripts requirements: cryptsetup (luks), awk, grep, dd | |
| # files changed by script: /etc/crypttab, /etc/fstab | |
| # files created by script: DRIVE_PATH (mount path) | |
| # tested on: debian stretch | |
| # set configuration & chmod +x this script ;) & run this script | |
| # see: https://blog.tinned-software.net/automount-a-luks-encrypted-volume-on-system-start/ | https://linuxwiki.de/cryptsetup | |
| # list hard drives to get your DRIVE_ID | |
| # lsblk | |
| ## | |
| ## <configuration> | |
| ## | |
| DRIVE_ID="sda3" # drive id. see "lsblk" output | |
| DRIVE_PATH="/media/storage1/" # path to mount drive (use / as last char) | |
| KEY_PATH="/etc/cryptkeys/" # path to store drive key (use / as last char) | |
| ## | |
| ## </configuration> | |
| ## | |
| if [ $(whoami) != "root" ]; then | |
| echo "luks auto mount: root privilegs are required. do 'su'" | |
| exit 1 | |
| fi | |
| echo "luks auto mount: create mount point at path ${DRIVE_PATH} for encrypted drive ${DRIVE_ID} with key ${KEY_PATH}${DRIVE_ID}" | |
| # create key directory if not exist | |
| if [ ! -e "${KEY_PATH}" ]; then | |
| mkdir -p "${KEY_PATH}" | |
| fi | |
| # create random key - required to unlock volumne | |
| dd if=/dev/urandom of="${KEY_PATH}${DRIVE_ID}" bs=512 count=8 | |
| # only allow root / group to read key file | |
| chmod 640 "${KEY_PATH}${DRIVE_ID}" | |
| # add created key to cryptsetup for our luks device | |
| cryptsetup -v luksAddKey "/dev/${DRIVE_ID}" "${KEY_PATH}${DRIVE_ID}" | |
| # remove key from crypt drive and delete it with (set vars in shell before): cryptsetup -v luksRemoveKey /dev/${DRIVE_ID} "${KEY_PATH}${DRIVE_ID}" && rm ${KEY_PATH}${DRIVE_ID} | |
| # get cryptsetup luks drive id | |
| UUID=$(cryptsetup luksDump "/dev/${DRIVE_ID}" | grep "UUID" | awk -v N=2 '{print $N}') | |
| # add volume to crypttab - required to automatically encrypt volume | |
| echo "${DRIVE_ID}_crypt UUID={UUID} ${KEY_PATH}${DRIVE_ID} luks" >> /etc/crypttab | |
| # create drive mount path if not exist | |
| if [ ! -e "${KEY_PATH}" ]; then | |
| mkdir -p "${DRIVE_PATH}" | |
| fi | |
| # add volume to fstab - required to automatically mount the encrypted volume on system start | |
| echo "/dev/mapper/${DRIVE_ID}_crypt ${DRIVE_PATH} ext4 defaults 0 2" >> /etc/fstab | |
| echo "luks auto mount: reboot your system please" | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment