view the rest of the comments
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.
-
AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
@Hercules I have a similar setup with RAID1 and BTRFS.
I'm using a keyfile for that:
dd bs=512 count=4 if=/dev/random of=/etc/crypttab.d/keyfile-data.bin iflag=fullblock
chmod 600 /etc/crypttab.d/keyfile-data.bin
cryptsetup luksAddKey /dev/mapper/raid /etc/crypttab.d/keyfile-data.bin --new-key-slot 1
entry in /etc/crypttab:
data UUID=<blkid from /dev/md0> /etc/crypttab.d/keyfile-data.bin luks
entry in /etc/fstab:
UUID=<blkid from /dev/mapper/raid> /mnt/data .....
Another way can be pam_mount, which I'm using on an SBC for opening an encrypted device:
https://inai.de/projects/pam/_mount/
:D while your steps were very clear i think i fked up.
cryptsetup luksAddKey /dev/mapper/raid /etc/crypttab.d/keyfile-data.bin --new-key-slot 1gave:Device /dev/mapper/raid is not a valid LUKS device.. I assume this is a typo from your end since/dev/md0is my luks volume. But altering this gave me:slot is already in usekind of error.That can be explained since i tested something simular like you suggested earlier. Afterwhich i removed my key i generated and added to the volume. Then i did
cryptsetup luksRemoveKey /dev/md0.Now when i try to add it i get
No key available with this passphrase.I don't have enough knowledge about cryptsetup to know what excactly i did wrong.
Do you by any change have an explaination?
In case this is usefull:
@Hercules My exampled assumed, that you only have a password set on keyslot 0.
LUKS keyslots are starting at 0, so it seems, that you deleted the initial set password.
I hope, you know the other keyslots.
As far I can see, you can specify, which keyslot has to be selected for unlocking the volume key.
More information you can find in the man page.
Just to give you an update. The other keyslot was the key i added earlier for testing which i removed ... So its time for me to copy over a lot of data to another system en recreate the luks volume. Thanks for your help!
@Hercules So it was possible to use one of the other keyslots to open the encryption?
Probably you can test your wanted configuration in a virtual machine with some small virtual drives to avoid any loss of data.
I found it relative difficult to find the correct UUID which had to be used when I setup my system in the past.
No it wasn't. Luckely the luks parition was still mounted on my system so im making a backup, recreating the partiiton and the restoring ...
I found an article from RedHat on how to restore a luks1 partitions keys while it is still mounted but this isn't possible with luks2 :/
@Hercules That was really luck. I hope, that your backup will be successful.
Until now I didn't used it, but probably I will also have a deeper look into luksHeaderBackup.
https://man.archlinux.org/man/cryptsetup-luksHeaderBackup.8.en
https://man.archlinux.org/man/cryptsetup-luksHeaderRestore.8.en
Thanks for your response!
I will give it a try. Have a great rest of your day!
Is the
/etc/crypttab.dpath that you are using specificly chosen or can it be whatever? This path doesn't exists on my system and online i don't see any mentions of it.@Hercules I created it on my own, because I have some keys for other devices, too.
But you can place it, where you want.
But with crypttab.d I have a simple connection to crypttab configuration file.
the crypttab.d thing is called a drop-in directory. linux will read files you make in these and overwrite the config files with the values in the drop-in files. it's a way to add your own edits to config files without editing the default config files directly, so you don't have to say manually copy crypttab to crypttab.old for a backup and instead always have a default config to fall back to if things go wrong by just commenting out your few changes in the drop-in file.