→ Automatically unlock a LUKS-encrypted non-root partition
→ Preamble
This document explains how to configure LUKS encryption on a non-boot disk using a key file stored in /root. It assumes that your root partition is itself encrypted, so that the key file is protected at rest. Throughout this article, /dev/sdb1 is the secondary partition, and it is assumed that the partition has already been created.
→ Install necessary tools
yum install -y cryptsetup-luks
→ Configure the LUKS partition
cryptsetup luksFormat --type luks2 /dev/sdb1
→ Initiate the LUKS partition
cryptsetup luksOpen /dev/sdb1 backups
→ Format the LUKS partition
dd if=/dev/zero of=/dev/mapper/backups bs=1M; mkfs.ext4 /dev/mapper/backups
The two commands are separated with ; rather than && because dd exits with a non-zero status when it reaches the end of the device, which would otherwise stop mkfs.ext4 from ever running.
→ Create random key file
dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
→ Secure the key file
chmod 0400 /root/keyfile
→ Add the keyfile to LUKS
cryptsetup luksAddKey /dev/sdb1 /root/keyfile
→ Create a mapper for LUKS device
echo "backups /dev/sdb1 /root/keyfile luks" >> /etc/crypttab
→ Create an fstab entry
echo "/dev/mapper/backups /backups ext4 defaults 0 2" >> /etc/fstab
→ Enable clevis-luks-askpass.path
systemctl enable clevis-luks-askpass.path
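Before rebooting, it is worth confirming that the pieces above fit together. The following script is an added example, not part of the original guide: it checks the crypttab and fstab entries, the key-file permissions, that the key file really opens a LUKS keyslot, and then starts the same systemd unit the boot process will use. It assumes the names used on this page (/dev/sdb1, mapper name "backups", /root/keyfile, mount point /backups), GNU coreutils stat, and a systemd-based host.

```shell
#!/bin/sh
# Added example: sanity-check the key-file auto-unlock setup before rebooting.
# Names below are the ones used in this guide (assumed, change as needed).
DEVICE=/dev/sdb1
MAPPER=backups
KEYFILE=/root/keyfile
MOUNTPOINT=/backups

# Return 0 if a crypttab line maps MAPPER to DEVICE using KEYFILE.
# crypttab format: <name> <device> <keyfile> <options>
check_crypttab_entry() {
    set -- $1
    [ "$#" -ge 3 ] || return 1
    [ "$1" = "$MAPPER" ] && [ "$2" = "$DEVICE" ] && [ "$3" = "$KEYFILE" ]
}

# Return 0 if an fstab line mounts /dev/mapper/MAPPER at MOUNTPOINT.
check_fstab_entry() {
    set -- $1
    [ "$#" -ge 3 ] || return 1
    [ "$1" = "/dev/mapper/$MAPPER" ] && [ "$2" = "$MOUNTPOINT" ]
}

# Return 0 if the key file exists, is owned by $2 (default root) and is mode 0400.
# Uses GNU stat (assumed).
check_keyfile_perms() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U %a' "$1")" = "${2:-root} 400" ]
}

# Live check against the running system; must be run as root.
live_check() {
    check_keyfile_perms "$KEYFILE" || { echo "key file must be root-owned and mode 0400"; return 1; }
    check_crypttab_entry "$(grep "^$MAPPER[[:space:]]" /etc/crypttab)" || { echo "bad /etc/crypttab entry"; return 1; }
    check_fstab_entry "$(grep "^/dev/mapper/$MAPPER[[:space:]]" /etc/fstab)" || { echo "bad /etc/fstab entry"; return 1; }
    # --test-passphrase verifies the key against the LUKS keyslots without mapping the device.
    cryptsetup open --test-passphrase --key-file "$KEYFILE" "$DEVICE" || { echo "key file does not open a keyslot"; return 1; }
    # Exercise the path boot will take: the unit systemd generates from crypttab, then the mount.
    mkdir -p "$MOUNTPOINT"
    systemctl start "systemd-cryptsetup@$MAPPER.service" && mount "$MOUNTPOINT"
}

# Run the live check only when explicitly asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```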
→ Reboot and test
shutdown -r now