User talk:Kete

From ArchWiki
Jump to: navigation, search

encrypt raid /home

Hi kete, I see your BBS thread. Yes, we are missing instructions for encrypted raid. I write this because I believe the new Dm-crypt/Mounting_at_login approach may be pretty inflexible for your case, perhaps even very tricky obstacles in systemd ahead due to the underlying raid. If your /home raid is still functional (unencrypted), you are probably much better off to convert it fully. In the pastebin below I show you a "quick-and-dirty" approach for converting an existing raid, mounted at /home/user/testraid (yes, you can apply it to a /home mount as well) to an encrypted one. If you follow the instructions, backup data before!!!

The approach is based on Dm-crypt/Device_encryption#Re-encrypting_devices. If you follow them through, you should be prompted for a passphrase to unlock the /home mount during boot (one passphrase for all users, not on user login). Be careful not to mistype the passphrase, better choose a simple one and change it later to a proper one (cryptsetup luksChangeKey). You find it the approach at: NB the first # nano crypttab at the end is wrong, has to be # nano /etc/crypttab of course. Hope it helps. --Indigo (talk) 11:15, 15 March 2016 (UTC)

Thanks for your guidance, I glanced at Ubuntu, and I don't think they support encrypted RAID either.
Ok, RAID is too complex for unlocking LUKS at login.
I think my RAID is no longer formatted because I've stopped and removed it, so I might not need the reencrypt which I used to decrypt the LUKS. I'll check before encrypting.
I am supposed to just set up the RAID and encrypt it using /etc/crypttab like the wiki probably says.
Instead of a /home mount point, I was dabbling with a /home/kete mount point for the automatic login: not sure which mount point I'll use next. –Kete (talk) 12:54, 16 March 2016 (UTC)
>I am supposed to just set up the RAID and encrypt it using /etc/crypttab like the wiki probably says.
Yeah, exactly. As long as your raid does not cover the system's root filesystem, you only need to follow Dm-crypt/Encrypting a non-root file system#Partition, pointing the cryptsetup luksFormat at the /dev/mdX device of the active raid, and (analogous to the pastebin) Dm-crypt/Encrypting a non-root file system#At boot time crypttab/fstab entries to let systemd ask for the passphrase at boot. Closing this. --Indigo (talk) 18:07, 16 March 2016 (UTC)