Encrypted Removable Storage

From Wiki³
Revision as of 00:04, 21 July 2019 by Kyau (talk | contribs) (→‎Keyfile)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Use an SD Card or USB flash drive in order to bolster your disk space is never a bad idea. It can be a great place to storage things that you need between machines (files too big for constant transfer over the network) or for just general storage. This will take you through adding one with LUKS and ext4 in order to hopefully keep your data safe and free from corruption.
First re-partition the drive, for all of the examples in this tutorial I will be using an SD Card. If I refer to something as SD Card just think of this as the drive you are using. You will also need to locate the proper device node for the drive you are using, mine just so happens to be /dev/mmcblk0. You can find the device node with lsblk.

Icon Partitioning

It might be necessary to install the proper package for GPT disk management.

# pikaur -S gptfdisk

Begin by partitioning the disk, for simplicity I will do a single partition scheme.

Wipe the current partition table and create a new GPT partition table with protected MBR.

# sudo sgdisk -Z -o /dev/mmcblk0

Create the necessary partition and give it a label.

# sudo sgdisk -n 1:0:-0 -t 1:8300 -c 1:"SD Card" /dev/mmcblk0


Setup LUKS on the SD Card; confirm to erase by typing YES (take note of the caps) and then set a password.

# sudo cryptsetup --type luks2 -q -I hmac-sha512 -c aes-xts-plain64 -l 512 -h sha512 --pbkdf argon2i --pbkdf-force-iterations 4 --pbkdf-memory 1048576 --pbkdf-parallel 1 --label sdcard --subsystem "" --use-random luksFormat /dev/mmcblk0p1
IconWARNING: DO NOT forget the password to the partition or all of the data inside will be irretrievable!

Decrypt the LUKS partition, giving it a name. For the tutorial I will use sdcard.

# sudo cryptsetup luksOpen --type luks2 /dev/mmcblk0p1 sdcard

Icon Formatting

For the filesystem I will be using F2FS (Flash-Friendly File System). F2FS, originally developed by Samsung, is a file system intended for NAND-based flash memory equipped with Flash Transition Layer. However if you would like to use ext4 instead that option is available.

Icon F2FS

First make sure f2fs-tools is installed.

# pikaur -S f2fs-tools

Then format the decrypted LUKS container.

# sudo mkfs.f2fs /dev/mapper/sdcard

Icon ext4

First format the decrypted LUKS container.

# sudo mkfs.ext4 /dev/mapper/sdcard

Tune the filesystem to remove the journal and put it into writeback mode.

# sudo tune2fs -o journal_data_writeback /dev/mapper/sdcard
# sudo tune2fs -O ^has_journal /dev/mapper/sdcard
# sudo e2fsck -f /dev/mapper/sdcard

Icon Keyfile

If you are already using LUKS for full system encryption you can store a keyfile on your encrypted system to auto-unlock your removable media.

Create a keyfile for the SD Card in the root folder and set the proper permissions.

# sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
# sudo chmod 0400 /root/sdcard.keyfile

Then add the keyfile to the LUKS partition.

# sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/sdcard.keyfile

Finally add the keyfile to /etc/crypttab, so that decryption happens on boot.

filename: /etc/crypttab
sdcard UUID=xxxxxxxx-xxxx-xxxx-xxxxxxxxxxx /root/sdcard.keyfile
IconThe command :r !blkid -s UUID -o value /dev/mmcblk0p1 will get the UUID of the device and input it into the current document.

Icon Decrypt/Mount on Boot

Make a folder for your drive and set your current user to the owner.

# sudo mkdir /mnt/sdcard && sudo chown kyau:users /mnt/sdcard

Add a line to /etc/fstab so that it also gets automatically mounted on boot.

# sudoedit /etc/fstab


/dev/mapper/sdcard /mnt/sdcard f2fs rw,noatime,nodiratime,active_logs=6 0 0


/dev/mapper/sdcard /mnt/sdcard ext4 defaults,noatime,nodiratime,data=writeback 0 0