Create Encrypted Disk and Mount Automatically
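On a headless server, LUKS-encrypted drives need to be unlocked automatically after a reboot. This guide does that with a keyfile stored on the root filesystem, so the encrypted disk is only protected against someone who does not also have access to the system disk.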
List Disks
lsblk -o NAME,UUID,SIZE,FSTYPE,TYPE,MOUNTPOINT
Install cryptsetup
sudo apt install cryptsetup
Create LUKS Disk
sudo cryptsetup --verbose --verify-passphrase --cipher=aes-xts-plain64 --hash=sha512 luksFormat {{ device.value }}
Create a random keyfile
sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
sudo chmod 0400 /root/keyfile
Add the keyfile to LUKS
sudo cryptsetup luksAddKey {{ device.value }} /root/keyfile
Create device mapper
sudo {{ texteditor.value }} /etc/crypttab
Add this line:
{{ mappername.value }} UUID={{ uuid.value }} /root/keyfile luks
Or use this one-line command:
echo '{{ mappername.value }} UUID={{ uuid.value }} /root/keyfile luks' | sudo tee -a /etc/crypttab
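Before rebooting, the new crypttab entry can be checked for the mistakes that would leave a headless host waiting at a passphrase prompt or leave the keyfile readable by other users. This is an added example, not part of the original guide; the function name check_crypttab is hypothetical, and it goes beyond the single entry above by checking every line in the file.

```shell
#!/bin/sh
# Added example: lint a crypttab file before rebooting a headless host.
# check_crypttab FILE prints one finding per problem and returns the number
# of problems (0 = clean). It only reads files; it never opens or modifies
# a LUKS device.
check_crypttab() {
    tab=$1
    problems=0
    # "|| [ -n "$name" ]" keeps a last line that has no trailing newline.
    while read -r name dev key opts _rest || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        # Kernel names such as /dev/sdb can change between boots.
        case $dev in
            UUID=*) ;;
            *) echo "$name: device '$dev' is not referenced by UUID="
               problems=$((problems + 1)) ;;
        esac
        # 'none' or '-' means a passphrase prompt, which blocks a headless boot.
        case $key in
            ''|none|-)
                echo "$name: no keyfile, boot will wait for a passphrase"
                problems=$((problems + 1)); continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key does not exist"
            problems=$((problems + 1)); continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ld "$key" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "$name: keyfile $key is accessible to group/other"
            problems=$((problems + 1))
        fi
    done < "$tab"
    return "$problems"
}
```

Source the function in a root shell and run check_crypttab /etc/crypttab; root is needed because the keyfile sits under /root.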
Reboot and check that the encrypted disk is automatically unlocked using the keyfile
sudo reboot
lsblk -o NAME,UUID,SIZE,FSTYPE,TYPE,MOUNTPOINT
sudo cryptsetup luksDump {{ device.value }}
Format the disk using the device mapper name
sudo mkfs.ext4 /dev/mapper/{{ mappername.value }}
Mount the disk using the device mapper name
sudo {{ texteditor.value }} /etc/fstab
Add this line:
/dev/mapper/{{ mappername.value }} {{ mountpath.value }} ext4 {{ mount_option.value }} 0 0
Or use this one-line command:
echo '/dev/mapper/{{ mappername.value }} {{ mountpath.value }} ext4 {{ mount_option.value }} 0 0' | sudo tee -a /etc/fstab
Mount now and check
sudo mkdir -p {{ mountpath.value }}
sudo mount -a
df -h -x devtmpfs -x tmpfs
or you may mount by UUID