cryptsetup

For a headless server, we need to automatically unlock LUKS-encrypted drives after a reboot.

List Disks

lsblk -o NAME,UUID,SIZE,FSTYPE,TYPE,MOUNTPOINT

Install cryptsetup

sudo apt install cryptsetup

Create LUKS Disk

sudo cryptsetup --verbose --verify-passphrase --cipher=aes-xts-plain64 --hash=sha512 luksFormat {{ device.value }}

Create a random keyfile

sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
sudo chmod 0400 /root/keyfile

Add the keyfile to LUKS

sudo cryptsetup luksAddKey {{ device.value }} /root/keyfile

Create device mapper

sudo {{ texteditor.value }} /etc/crypttab

Add this line:

{{ mappername.value }}      UUID={{ uuid.value }}  /root/keyfile  luks

Or use this one-line command:

echo '{{ mappername.value }}      UUID={{ uuid.value }}  /root/keyfile  luks' | sudo tee -a /etc/crypttab
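On a headless machine, an entry that still asks for a passphrase, or that points at a missing keyfile, leaves the disk locked after reboot, and a keyfile readable by group or other exposes the key. The following check is an added example, not part of the original guide; the function name check_crypttab is hypothetical, and it assumes the four-column crypttab layout used above.

```shell
#!/bin/sh
# Added example (not from the original guide): audit keyfile entries in a
# crypttab file before rebooting. check_crypttab is a hypothetical helper.
# Usage: check_crypttab /etc/crypttab   -> returns 0 if clean, 1 otherwise.
check_crypttab() {
    tab=${1:-/etc/crypttab}
    rc=0
    [ -r "$tab" ] || { echo "cannot read $tab"; return 1; }
    # Columns: mapper name, source device, key file, options.
    # "|| [ -n "$name" ]" also handles a last line without a trailing newline.
    while read -r name src key opts extra || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        case $key in
            ''|none|-)
                # No keyfile: unlocking needs an interactive passphrase.
                echo "$name: no keyfile, unlock will wait for a passphrase"
                rc=1
                continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key is missing"
            rc=1
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits;
        # -L follows a symlinked keyfile to the real file.
        perms=$(ls -ldL "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "$name: keyfile $key is accessible to group/other ($perms)"
            rc=1
        fi
    done < "$tab"
    return $rc
}
```

To confirm that the keyfile really opens the volume without activating it, run sudo cryptsetup open --test-passphrase --key-file /root/keyfile {{ device.value }} before rebooting.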

Reboot and check that the encrypted disk is automatically decrypted using the keyfile

sudo reboot
lsblk -o NAME,UUID,SIZE,FSTYPE,TYPE,MOUNTPOINT
sudo cryptsetup luksDump {{ device.value }}

Format the disk using the device mapper name

sudo mkfs.ext4 /dev/mapper/{{ mappername.value }}

Mount the disk using the device mapper name

sudo {{ texteditor.value }} /etc/fstab

Add this line:

/dev/mapper/{{ mappername.value }}  {{ mountpath.value }} ext4  {{ mount_option.value }}  0  0

Or use this one-line command:

echo '/dev/mapper/{{ mappername.value }}  {{ mountpath.value }} ext4  {{ mount_option.value }}  0  0' | sudo tee -a /etc/fstab

Mount now and check

sudo mkdir -p {{ mountpath.value }}
sudo mount -a
df -h -x devtmpfs -x tmpfs

or you may mount by UUID
