For sensitive data storage in the cloud, I will usually provision a separate volume, encrypt it, and then use this as the volume mapper for containerised services.
Creating and attaching a volume
I use Linode to host the vast majority of my services. In Linode, new volumes can be easily created and attached to an instance.
After a short while the instance will then recognise the new device and make it available via the OS.
Encrypting the volume
This note assumes your attached volume is mapped as /dev/sdc by your system. You can check this using lsblk.
This note also assumes you have cryptsetup installed. On Alpine Linux, you can install it with apk add cryptsetup.
Step 1: Create a LUKS partition:
cryptsetup luksFormat /dev/sdc
Enter the passphrase, etc.
Step 2: Open the partition, entering your passphrase, and provide a “mapper”:
cryptsetup luksOpen /dev/sdc mydata
Step 3: Now, create a new filesystem. E.g. for ext4:
mkfs.ext4 /dev/mapper/mydata
Step 4: Mount the new filesystem:
mkdir /data
mount /dev/mapper/mydata /data
Step 5: Create a new encryption key and mark it as readonly:
echo "complex string" > /root/data-key
chmod 0400 /root/data-key
Step 6: Add the key to the LUKS setup:
cryptsetup luksAddKey /dev/sdc /root/data-key
Step 7: Get the UUIDs for the devices by running lsblk -f. You'll need these for the next steps.
Step 8: Set up the crypttab by editing /etc/crypttab and adding:
mydata UUID=<LUKS UUID> /root/data-key luks
(where <LUKS UUID> is the UUID for the LUKS device from above).
This ensures the volume is correctly decrypted at boot.
Note: on Alpine Linux there is no crypttab. Instead refer to the section below.
Step 9: Finally, add an entry for the decrypted volume in /etc/fstab:
UUID=<ext4 UUID> /data ext4 defaults 0 0
This auto-mounts the decrypted filesystem to /data on boot. For <ext4 UUID>, use the UUID for the filesystem itself that you obtained earlier.
Auto-decrypting on Alpine Linux
Alpine doesn't use a crypttab to manage the decryption at boot-time. Instead, add the following to /etc/conf.d/dmcrypt:
target=mydata
source='/dev/sdc'
key='/root/data-key'
And then enable the service at boot:
rc-update add dmcrypt boot
Viewing properties
Run cryptsetup luksDump /dev/sdc to view the encryption properties. E.g.:
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
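Reading the dump by eye is fine for one volume; across several it is easier to have a script flag the fields that matter. The following is an added example, not code from the original note. It reads luksDump output on stdin and reports a LUKS1 header (which cannot use argon2id), any keyslot whose PBKDF is not an Argon2 variant, and any aes-xts keyslot with a cipher key shorter than 512 bits (xts splits the key in two, so 512 bits is what gives AES-256). SAMPLE_DUMP and audit_luks_dump are names chosen here; the sample dump is constructed for the demo and trimmed to the fields the note's output shows, with a second, deliberately weakened keyslot.

```shell
#!/bin/sh
# Added example, not code from the original note: audit the output of
# `cryptsetup luksDump` for settings worth questioning. SAMPLE_DUMP below is
# constructed for the demo; on a real host pipe the live output in instead:
#     cryptsetup luksDump /dev/sdc | audit_luks_dump
set -eu

# Constructed LUKS2 dump with two keyslots: the passphrase slot from Step 1
# and the key-file slot from Step 6, the second deliberately weakened.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
  1: luks2
        Key:        256 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 256 bits
        PBKDF:      pbkdf2'

# Reads a dump on stdin, prints one finding per line and returns 1 when any
# finding was raised, 0 when every keyslot looks like the note's example.
audit_luks_dump() {
    awk '
    # LUKS1 headers offer PBKDF2 only; argon2id needs a LUKS2 header.
    /^Version:/ && $2 != "2" { print "header: LUKS version " $2 " (argon2id requires LUKS2)"; bad = 1 }
    # Track which keyslot the following lines describe.
    /^ *[0-9]+: luks/ { slot = $1; sub(":", "", slot) }
    # Remember the cipher so the key-length rule applies only to xts modes.
    /^ *Cipher:/ { cipher = $2 }
    # Argon2 is memory-hard; pbkdf2 is the fallback for old headers.
    /^ *PBKDF:/ && $2 !~ /^argon2/ { print "keyslot " slot ": PBKDF " $2 " (prefer argon2id)"; bad = 1 }
    # aes-xts-plain64 uses two keys, so 512 bits total gives AES-256.
    /^ *Cipher key:/ && cipher ~ /xts/ && $3 + 0 < 512 { print "keyslot " slot ": cipher key " $3 " bits (512 expected for xts)"; bad = 1 }
    END { exit bad + 0 }'
}
```

Run against the constructed sample with `printf '%s\n' "$SAMPLE_DUMP" | audit_luks_dump`, it reports two findings for keyslot 1 (pbkdf2 and the 256-bit key) and exits non-zero; the first keyslot alone passes cleanly. The awk program keys on the line prefixes luksDump prints, so it works on the same text whether the dump came from a file or a pipe.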