If you have a Linux machine with and SSD for one part of the filesystem, but need HDDs for the large storage capacity, encryption can become a pretty huge pain.
If you encrypt multiple filesystems across multiple disks, LVM is the proper choice, but you have a solid state disk you want to keep for it’s intended purpose: Booting your system quickly and making applications launch as fast as possible. If you keep all drives in LVM, some data will end up on physical volumes and slow your rig down.
So how do we boot our system without needing two or more LUKS passphrases on boot? How do we make it so one password rules them all?
/etc/crypttab is like
fstab for your encrypted filesystem
components, and it’s really easy to get the hang of. Just a
disclaimer: Using a single LUKS passphrase to unlock all drives is
technically less safe than using a different passphrase for each
drive, but it is way more convenient. That’s the ever-long battle:
Convenience vs Security.
If you have cryptsetup
installed, you should have
/etc/crypttab in place already, just with
everything commented out. The provided examples make this pretty easy
to figure out:
# <name> <device> <password> <options> # home UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37 /etc/mypassword1 # data1 /dev/sda3 /etc/mypassword2 # data2 /dev/sda5 /etc/cryptfs.key # swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 # vol /dev/sdb7 none
From this file, we can see that the LUKS volume named
home has a
specific UUID and a keyfile located at
LUKS volume is encrypted randomly on each boot by
vol LUKS volume has
none in the password field, meaning it will
ask you for a password at mount time.
crypttab, we can use the combination of a single passphrase for
the root drive (your SSD), then keyfiles for the rest of the encrypted
/dev/urandomand make a 5MB base64-encoded keyfile. While it would be more secure to use
/dev/random, this will take a very very long time. Use it if you feel it is neccessary, but keep in mind, this is a single-passphrase boot, if your passphrase is poor, no amount of
/dev/randomwill save you.
dd if=/dev/urandom bs=1M count=5 | base64 > ~/.HDDkey
cryptsetup luksFormat -d ~/.HDDkey /dev/sde
cryptsetup luksOpen -d ~/.HDDkey /dev/sdd BigStorage
mkfs.ext4 -L BigStorage /dev/mapper/BigStorage
cryptsetup luksClose BigStorage
/etc/crypttabso it will automatically unlock
/etcfilesystem is available:
BigStorage UUID=c7792c2a-78fb-425a-8971-6df1c5d5b79c /home/samurailink3/.HDDkey
BigStorageis going to be the name of the LUKS device exposed in
/etc/fstabshould look like if you want to mount it somewhere specific, with user and exec access.
/dev/mapper/BigStorage /run/media/samurailink3/BigStorage ext4 user,exec 0 0
/run/media/samurailink3/BigStorage/. What I like to do is symlink out folders from my existing home directory to the larger drive for big files that don’t need fast access, like video files or music. Here’s an
ls -l ~for an example:
lrwxrwxrwx 1 samurailink3 samurailink3 44 May 24 09:33 SteamLibrary -> /run/media/samurailink3/BigData/SteamLibrary lrwxrwxrwx 1 samurailink3 samurailink3 35 May 24 09:33 tmp -> /run/media/samurailink3/BigData/tmp lrwxrwxrwx 1 samurailink3 samurailink3 38 May 24 09:33 Videos -> /run/media/samurailink3/BigData/Videos
Now you have all of your system drives encrypted, with one passphrase. Pretty convenient and way more secure than running with just one drive encrypted.
When I need to concentrate and get some hardcore, head-down work done, I employ the use of what I call “Distraction Killers”. A collection of sound generators to help get me in the zone mentally.
Ambiance: Available on Windows, OSX, iOS, and Android. This app gives you access to a complete library of free downloadable sounds that you can listen to individually or mix together to make your own distraction killer. Be careful with this one, I’ve gotten distracted by the sheer amount of sounds and mixes before. Really awesome app, I wish the Android version would get a visual overhaul (it really needs it), but the functionality is still there.
MyNoise.net: A huge collection of free noise generators (and some paid ones if you would like to contribute). From Jungle Life to Number Stations to Sounds from the USS Enterprise, MyNoise.net has just about everything you would want in noise generators (and they add more all the time). These sounds are very well produced and the online player comes with an “animate” feature, that subtly changes the sounds around you, so they don’t become too repetitive. I highly recommend this site if you need to sit down and get some work done.
RainyCafe.com: A very simple site with two buttons: One turns on Rain sounds, the other turns on Cafe sounds. I go here quite a bit because it has the best cafe ambiance I’ve found (the rain isn’t half-bad either).
SOUNDROWN: A simple site with a great twist: You get five sounds to turn on or off and mix the volumes as you see fit. Choose from Coffee Shop, Rain, Waves, Fire, and Birds, mix them together to make a pretty unique ambiance. I don’t use this as much as the others on this list.
Rainy Mood: This list simply wouldn’t be complete without Rainy Mood. The very best rain/thunderstorm sounds anywhere. I use this every night when I sleep and at work most days to drown out the activity around me. It’s well-looped, expertly produced, and is a beautiful (yet simple) website as well. They also put out apps for all the major platforms that I rely on all the time. As an added bonus, their fans have suggested music to go along with the great rain ambiance, and they’re listed right at the bottom of the page. I’ve listed some of my favorites below.
Fireplace: Very simple, just a fireplace with sound.
Piano cover of Where Is My Mind by the Pixies: Slow enough to not be distracting, but not so suble that it blends into the background.
The Fragrance of Dark Coffee : Quite possibly the classiest thing I will ever put on this blog. Slow, jazzy, saxaphone. Turn on Rainy Mood, set this song to loop, and pour yourself the most expensive scotch you have on hand. This is by far, my favorite combination.
A couple days ago I came across this link which is really helpful. A one-page reference for TONS of *nix commands. Everything from SSH tricks, to database commands, to encryption is here. Pretty handy!
Just a caveat: In the ssh section, don’t use DSA keys, use ED25519 or RSA (4096 bit) keys. I imagine some of this information is older, keep an eye out.
In case you wanted to use this site’s theme easily, I’ve made a deployable version. It is literally this site, but with all of my posts/pages and data removed. Easy to check out and get started. I have kept the rake tasks in there to make it easy to get started, and modified the readme to walk you through how the site functions. Hope it’s useful!
The Linux Foundation has put out a pretty stellar checklist dealing with Linux workstation security. Covers everything from the obvious to the truly paranoid. Well worth the read.