If you have a Linux machine with an SSD for one part of the filesystem but need HDDs for bulk storage, encryption can become a pretty huge pain.
If you encrypt multiple filesystems across multiple disks, LVM is the usual choice, but you have a solid state disk you want to keep for its intended purpose: booting your system quickly and making applications launch as fast as possible. If you throw every drive into one LVM volume group, some of the data you want on the SSD will end up on the HDD physical volumes and slow your rig down.
So how do we boot our system without needing two or more LUKS passphrases on boot? How do we make it so one password rules them all?
Enter crypttab. /etc/crypttab is like fstab for your encrypted block devices, and it's really easy to get the hang of. Just a disclaimer: using a single LUKS passphrase to unlock all drives is less safe than using a different passphrase for each drive, because the keyfiles for the other drives live on the root filesystem. Once root is unlocked, the other drives are exactly as secure as that one passphrase, and anyone who gets root on the running system can read the keyfiles. But it is way more convenient. That's the ever-long battle: convenience vs security.
If you have cryptsetup installed, you should have /etc/crypttab in place already, just with everything commented out. The provided examples make this pretty easy to figure out:
# <name> <device> <password> <options>
# home UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37 /etc/mypassword1
# data1 /dev/sda3 /etc/mypassword2
# data2 /dev/sda5 /etc/cryptfs.key
# swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
# vol /dev/sdb7 none
From this file, we can see that the LUKS volume named home is identified by a specific UUID and unlocked with a keyfile located at /etc/mypassword1. The swap volume is not LUKS at all: the swap option together with the explicit cipher and size options sets it up as plain dm-crypt with a fresh random key read from /dev/urandom on every boot, so its contents are unrecoverable after a reboot (which also means you cannot resume from hibernation on it). The vol volume has none in the password field, meaning it will ask you for a passphrase when it is unlocked at boot.
With crypttab, we can use the combination of a single passphrase for the root drive (your SSD), then keyfiles stored on that root filesystem for the rest of the encrypted hard drives.
Next, read from /dev/urandom and make a 5MB base64-encoded keyfile (about 7MB after encoding, which is under the 8MiB cryptsetup reads from a keyfile by default). It is often said to be more secure to use /dev/random; on current Linux kernels both devices draw from the same pool once it is seeded, and on older kernels /dev/random blocks on its entropy estimate, so reading 5MB from it will take a very, very long time. Use it if you feel it is necessary, but keep in mind, this is a single-passphrase boot: if your passphrase is poor, no amount of /dev/random will save you. Keep the keyfile readable only by root (mode 0400), since anyone who can read it can unlock the drive, and double-check the device name before luksFormat, because it wipes whatever is on that device:
dd if=/dev/urandom bs=1M count=5 | base64 > ~/.HDDkey
cryptsetup luksFormat -d ~/.HDDkey /dev/sde
cryptsetup luksOpen -d ~/.HDDkey /dev/sde BigStorage
mkfs.ext4 -L BigStorage /dev/mapper/BigStorage
cryptsetup luksClose BigStorage
Run blkid to get the UUID of the LUKS container:
blkid /dev/sde
Mine is c7792c2a-78fb-425a-8971-6df1c5d5b79c. Now add a line to /etc/crypttab so it will automatically unlock /dev/sde when the /etc filesystem is available. The keyfile has to be on the root filesystem for the same reason: if /home were a separate encrypted volume, the keyfile would not be there yet when crypttab is processed.
BigStorage UUID=c7792c2a-78fb-425a-8971-6df1c5d5b79c /home/samurailink3/.HDDkey
BigStorage is going to be the name of the LUKS device exposed in /dev/mapper. Here's what /etc/fstab should look like if you want to mount it somewhere specific, with user and exec access:
/dev/mapper/BigStorage /run/media/samurailink3/BigStorage ext4 user,exec 0 0
The filesystem is then mounted at /run/media/samurailink3/BigStorage/. What I like to do is symlink folders from my existing home directory to the larger drive for big files that don't need fast access, like video files or music. Here's an ls -l ~ for an example:
lrwxrwxrwx 1 samurailink3 samurailink3 44 May 24 09:33 SteamLibrary -> /run/media/samurailink3/BigData/SteamLibrary
lrwxrwxrwx 1 samurailink3 samurailink3 35 May 24 09:33 tmp -> /run/media/samurailink3/BigData/tmp
lrwxrwxrwx 1 samurailink3 samurailink3 38 May 24 09:33 Videos -> /run/media/samurailink3/BigData/Videos
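To tie the crypttab fields above and the keyfile procedure together, here is an added example script (it is not from the original post). It builds a keyfile the same way the post does but under umask 077, generates the crypttab and fstab lines, and then audits a crypttab the way a practitioner would before trusting a single-passphrase setup: every password field is classified (none, /dev/urandom, or a keyfile path) and every keyfile is checked to be a regular file with no group/other permission bits, owned by the expected user, and under cryptsetup's 8MiB default keyfile size. It assumes GNU coreutils (stat -c) and runs only against constructed files in a temporary directory; the data1 entry and its /dev/sdf1 device are made up, and the BigStorage UUID is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Nothing here touches /etc or a
# real disk: all input is constructed in a temp directory. Assumes GNU stat.
set -eu

# Same recipe as the post, but created under umask 077 so the keyfile is
# never group/world readable, not even before a later chmod.
make_keyfile() {                # $1 = keyfile path
    ( umask 077; dd if=/dev/urandom bs=1M count=5 2>/dev/null | base64 > "$1" )
}

# The crypttab line the post adds: <name> UUID=<uuid> <keyfile>
crypttab_entry() {              # $1 = mapper name, $2 = UUID, $3 = keyfile
    printf '%s UUID=%s %s\n' "$1" "$2" "$3"
}

# The matching fstab line: /dev/mapper/<name> <mountpoint> <fstype> <options> 0 0
fstab_entry() {                 # $1 = mapper name, $2 = mountpoint, $3 = fstype, $4 = options
    printf '/dev/mapper/%s %s %s %s 0 0\n' "$1" "$2" "$3" "$4"
}

# A keyfile passes if it is a regular file, has no group/other bits (0400 or
# 0600), is owned by the expected user (root by default) and is not larger
# than the 8 MiB cryptsetup reads from a keyfile by default.
keyfile_ok() {                  # $1 = keyfile, $2 = expected owner (default root)
    f=$1; want=${2:-root}
    [ -f "$f" ] || { echo "FAIL $f: not a regular file"; return 1; }
    mode=$(stat -c '%a' "$f"); owner=$(stat -c '%U' "$f"); size=$(stat -c '%s' "$f")
    case "$mode" in
        *00) ;;                 # last two octal digits 00: nothing for group/other
        *) echo "FAIL $f: mode $mode is readable by group/other"; return 1 ;;
    esac
    [ "$owner" = "$want" ] || { echo "FAIL $f: owned by $owner, expected $want"; return 1; }
    [ "$size" -le $((8 * 1024 * 1024)) ] || { echo "FAIL $f: $size bytes exceeds the 8 MiB default"; return 1; }
    echo "OK   $f: mode $mode owner $owner ($size bytes)"
}

# Walk a crypttab, classify each entry by its password field and audit every
# keyfile path. Returns 0 only if every keyfile passes.
audit_crypttab() {              # $1 = crypttab path, $2 = expected keyfile owner
    bad=0
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac      # blank lines and comments
        case "$key" in
            ''|none) echo "PROMPT $name ($dev): passphrase asked at boot" ;;
            /dev/urandom|/dev/random)
                     echo "RANDOM $name ($dev): fresh key every boot, contents do not survive a reboot" ;;
            *)       keyfile_ok "$key" "${2:-root}" || bad=$((bad + 1)) ;;
        esac
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Demo on constructed input: one keyfile made correctly, one left 0644 the way a
# careless cp would leave it, plus the swap and 'none' styles from the post.
demo() {
    d=$(mktemp -d); me=$(id -un)
    make_keyfile "$d/HDDkey"
    dd if=/dev/urandom bs=1k count=1 2>/dev/null | base64 > "$d/leaky.key"; chmod 644 "$d/leaky.key"
    {
        crypttab_entry BigStorage c7792c2a-78fb-425a-8971-6df1c5d5b79c "$d/HDDkey"
        echo "data1 /dev/sdf1 $d/leaky.key"             # made-up device for the demo
        echo "swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256"
        echo "vol /dev/sdb7 none"
    } > "$d/crypttab"
    fstab_entry BigStorage /run/media/samurailink3/BigStorage ext4 user,exec
    audit_crypttab "$d/crypttab" "$me" && echo "crypttab clean" || echo "crypttab has leaky keyfiles"
    rm -rf "$d"
}
demo
```

Run it as an ordinary user to see the demo; to check a real system, call audit_crypttab /etc/crypttab root as root. The owner argument exists because the demo cannot create root-owned files, which is also why the check is a parameter rather than hard-coded.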
Now you have all of your system drives encrypted, with one passphrase. Pretty convenient and way more secure than running with just one drive encrypted.
When I need to concentrate and get some hardcore, head-down work done, I use what I call “Distraction Killers”: a collection of sound generators that help get me in the zone mentally.
Ambiance: Available on Windows, OSX, iOS, and Android. This app gives you access to a complete library of free downloadable sounds that you can listen to individually or mix together to make your own distraction killer. Be careful with this one, I’ve gotten distracted by the sheer amount of sounds and mixes before. Really awesome app, I wish the Android version would get a visual overhaul (it really needs it), but the functionality is still there.
MyNoise.net: A huge collection of free noise generators (and some paid ones if you would like to contribute). From Jungle Life to Number Stations to Sounds from the USS Enterprise, MyNoise.net has just about everything you would want in noise generators (and they add more all the time). These sounds are very well produced and the online player comes with an “animate” feature, that subtly changes the sounds around you, so they don’t become too repetitive. I highly recommend this site if you need to sit down and get some work done.
RainyCafe.com: A very simple site with two buttons: One turns on Rain sounds, the other turns on Cafe sounds. I go here quite a bit because it has the best cafe ambiance I’ve found (the rain isn’t half-bad either).
SOUNDROWN: A simple site with a great twist: You get five sounds to turn on or off and mix the volumes as you see fit. Choose from Coffee Shop, Rain, Waves, Fire, and Birds, mix them together to make a pretty unique ambiance. I don’t use this as much as the others on this list.
Rainy Mood: This list simply wouldn’t be complete without Rainy Mood. The very best rain/thunderstorm sounds anywhere. I use this every night when I sleep and at work most days to drown out the activity around me. It’s well-looped, expertly produced, and is a beautiful (yet simple) website as well. They also put out apps for all the major platforms that I rely on all the time. As an added bonus, their fans have suggested music to go along with the great rain ambiance, and they’re listed right at the bottom of the page. I’ve listed some of my favorites below.
Fireplace: Very simple, just a fireplace with sound.
Piano cover of Where Is My Mind by the Pixies: Slow enough to not be distracting, but not so subtle that it blends into the background.
The Fragrance of Dark Coffee: Quite possibly the classiest thing I will ever put on this blog. Slow, jazzy saxophone. Turn on Rainy Mood, set this song to loop, and pour yourself the most expensive scotch you have on hand. This is, by far, my favorite combination.
A couple of days ago I came across this link, which is really helpful. A one-page reference for TONS of *nix commands. Everything from SSH tricks, to database commands, to encryption is here. Pretty handy!
Just a caveat: In the ssh section, don't use DSA keys (ssh-dss is limited to 1024 bits and has been disabled by default since OpenSSH 7.0), use Ed25519 or RSA (4096 bit) keys. I imagine some of this information is older, keep an eye out.
In case you wanted to use this site’s theme easily, I’ve made a deployable version. It is literally this site, but with all of my posts/pages and data removed. Easy to check out and get started. I have kept the rake tasks in there to make it easy to get started, and modified the readme to walk you through how the site functions. Hope it’s useful!
The Linux Foundation has put out a pretty stellar checklist dealing with Linux workstation security. Covers everything from the obvious to the truly paranoid. Well worth the read.