如何使用脚本自动挂载 Luks 加密驱动器

Question

How would I do this with Python or bash script:

admin_pass ="admin pass"
drive_password = "password"
auto_mount_path = "/dev/sdc1"
mount_point = "backups1"

sudo cryptsetup luksOpen auto_mount_path mount_point
admin_pass
drive_password

I want the script to mount the encrypted drive without user having to enter the password or admin pass.

Is it possible with bash or Python?

Thanks

Answer 1

You don't need a script. You have everything on board in your system. And you said your system drive is also encrypted so we can put our files there without risking that the passphrase of your storage drive will be compromised.

I remember that I have done this with a passphrase years ago too. But the easier way is by using a keyfile and by that you also have a second keyslot in your LUKS file as backup to be able to open your encrypted storage if you forget your passphrase.

In short: You will need the terminal, something like leafpad opened with root rights, 10min of your time – maybe a few minutes more for starters – and the following instructions:

All choosen names (keyfile, decrypted drivename, mountpoint) can be defined by yourself. They are just an example to understand where to put the names.

To set up a unique keyfile you use your terminal

~$ sudo -i
~# dd if=/dev/urandom of=/root/storage.keyfile bs=8 count=256
~# chown root:root /root/storage.keyfile
~# chmod 000 /root/storage.keyfile

Leave the terminal open. There is more to do... Now we put this keyfile into a free keyslot of your encrypted storage drive. Look up your storage drive first.

~# lsblk -f

Let's asume your storage drive is /dev/sdc1 as you quoted in your script.

~#cryptsetup -v luksAddKey /dev/sdc1 /root/storage.keyfile

You have to enter your passphrase to let cryptseptup do the adding.

Then you open up /etc/crypttab with leafpad (or similar) with root rights to be able to read and write – it will be also easier to copy the UUID of your drive into leafpad (or similar) from your terminal. We will use the UUID of your storage drive as its unique id because it is possible that your system changes the position of your drive during a boot and then your automated process won't find it under the old path.

With ~# lsblk -f you should find the UUID of /dev/sdc1 . It looks like 5f2add0f-d41e-250e-acc7-38512658a26d .

Mark the UUID and copy it. The first entry in /etc/crypttab is the name of your opened storage drive. You can choose it like you want but without spaces or special characters. Keep it simple.

After that comes the path with the UUID . Then the keyfile and the options. Your /etc/crypttab should be looking like this in the end:

backups1-SSD   /dev/disk/by-uuid/5f2add0f-d41e-250e-acc7-38512658a26d   /root/storage.keyfile   luks

You can save the /etc/crypttab now.

Then you open up /etc/fstab like you did with the crypttab and you are almost finished.

Put another line into it. For the mount point of your opened storage drive I use the same of your script example assuming that folder will be in your home drive and your drive is ext4 . The new line in your /etc/fstab should look like this:

/dev/mapper/backups1-SSD   /home/Emily/backups1   ext4   defaults   0 0

Save the file and you are done. You can close the terminal and leafpad.

You can reboot your system now to test the automated process. After the login you should find your encrypted storage drive opened and mounted at /home/Emily/backups1 .

For newbies: You don't need to close your opened drives when you shutdown your computer. Your system will do it for you.