Fedora: Set up encrypted disk with LUKS and btrfs format
I am setting up my USB external disk for backup use. I set up the encrypted disk with the btrfs format, following the guide [1]. I am masking the UUID with "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX" in the working log.
The command below took more than 13 hours. Maybe I didn't work on a sleep mode. I need to adjust the setting.
$ sudo badblocks -c 10240 -s -w -t random -v /dev/sdb1
$ sudo cryptsetup luksFormat /dev/sdb1
$ sudo cryptsetup luksOpen /dev/sdb1 luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
Enter passphrase for /dev/sdb1:
I formatted the disk with btrfs, and later renamed the label from "BACKUP" to "backup".
$ sudo mkfs.btrfs -L BACKUP /dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
$ sudo btrfs filesystem label /dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX backup
Here is the current status.
$ lsblk -r -p -o NAME,TYPE,FSTYPE,UUID,SIZE,LABEL | grep -v "^/dev/loop"
NAME TYPE FSTYPE UUID SIZE LABEL
...
/dev/sdb disk 931.5G
/dev/sdb1 part crypto_LUKS XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX 931.5G
/dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX crypt btrfs XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX 931.5G backup
...
Then I tested it to learn the behavior.
With the command below, the root password was required to lock.
$ udisksctl lock --block-device /dev/sdb1
==== AUTHENTICATING FOR org.freedesktop.udisks2.encrypted-lock-others ====
Authentication is required to lock the encrypted device WD My Passport 082A (/dev/sdb1) unlocked by another user
Authenticating as: Jun Aruga (jaruga)
Password: #
==== AUTHENTICATION COMPLETE ====
Locked /dev/sdb1.
With the command below, the LUKS passphrase was required.
$ udisksctl unlock --block-device /dev/sdb1
Passphrase:
Unlocked /dev/sdb1 as /dev/dm-1.
Then I could mount the disk with user permission.
$ udisksctl mount -b /dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
Mounted /dev/dm-1 at /run/media/jaruga/backup
$ df -h | grep dm-1
/dev/dm-1 932G 3.8M 930G 1% /run/media/jaruga/backup
I failed to create a file. I need to check why.
$ ls -dl /run/media/jaruga/backup
drwxr-xr-x. 1 root root 0 Nov 8 17:14 /run/media/jaruga/backup/
$ touch /run/media/jaruga/backup/BACKUP.txt
touch: cannot touch '/run/media/jaruga/backup/BACKUP.txt': Permission denied
I mounted another disk that is not encrypted, a vfat-formatted USB external disk. It was mounted with the user permission.
$ udisksctl mount -b /dev/sda1
Mounted /dev/sda1 at /run/media/jaruga/1A53-9E55
$ ls -dl /run/media/jaruga/1A53-9E55
drwxr-xr-x. 2 jaruga jaruga 32768 Jan 1 1970 /run/media/jaruga/1A53-9E55/
I asked on the Ask Fedora forum [2], and I did the following workaround.
$ df -h | grep dm-1
/dev/dm-1 932G 3.8M 930G 1% /run/media/jaruga/backup
$ cd /run/media/jaruga/backup
$ sudo mkdir framework
$ sudo chown jaruga:jaruga framework
$ cd framework/
$ touch BACKUP.txt
$ ls -l
total 0
-rw-r--r--. 1 jaruga jaruga 0 Nov 8 20:39 BACKUP.txt
Then I added a new entry for this disk. I am not sure if it is necessary even when I connect the disk temporarily.
$ sudo vi /etc/crypttab
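The post does not show the entry itself. As an added example (not the author's own entry or script), the shell functions below derive a crypttab line from the lsblk output format used above and skip names already present in the file. The `none` key field and the `noauto` option are assumptions chosen for a disk that is only attached occasionally, and the UUIDs are constructed stand-ins for the masked ones.

```shell
#!/bin/sh
# Added example: derive /etc/crypttab lines from the output of
#   lsblk -r -p -o NAME,TYPE,FSTYPE,UUID,SIZE,LABEL
# crypttab(5) fields: <name> <device> <key file> <options>

# Constructed sample input; the UUIDs are made up.
SAMPLE_LSBLK='NAME TYPE FSTYPE UUID SIZE LABEL
/dev/sdb disk   931.5G
/dev/sdb1 part crypto_LUKS 11111111-2222-3333-4444-555555555555 931.5G
/dev/mapper/luks-11111111-2222-3333-4444-555555555555 crypt btrfs aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee 931.5G backup'

# Read raw lsblk output on stdin, print one crypttab line per LUKS container.
# Raw mode leaves empty columns empty, so split on every single space.
crypttab_lines() {
    awk -F'[ ]' '
        function is_uuid(u,   p) {
            return u ~ /^[0-9A-Fa-f-]+$/ && split(u, p, "-") == 5 &&
                   length(p[1]) == 8 && length(p[2]) == 4 && length(p[3]) == 4 &&
                   length(p[4]) == 4 && length(p[5]) == 12
        }
        $3 == "crypto_LUKS" && is_uuid($4) {
            # none   = prompt for the passphrase, no key file on disk
            # noauto = skip at boot, so an unplugged disk cannot stall startup
            printf "luks-%s UUID=%s none noauto\n", $4, $4
        }'
}

# Print the stdin lines whose mapping name is not yet in crypttab file $1.
missing_entries() {
    while IFS= read -r line; do
        name=${line%% *}
        awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$1" ||
            printf '%s\n' "$line"
    done
}

# Demo against a constructed crypttab that holds only a comment line.
demo() {
    tab=$(mktemp)
    echo '# <name> <device> <key file> <options>' > "$tab"
    printf '%s\n' "$SAMPLE_LSBLK" | crypttab_lines | missing_entries "$tab"
    rm -f "$tab"
}
demo
```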
References
- [1] https://fedoraproject.org/wiki/Disk_Encryption_User_Guide - Creating Encrypted Block Devices on the Installed System After Installation
- [2] https://ask.fedoraproject.org/t/mounting-luks-encrypted-external-drive-with-user-write-permission/28327/3?u=jaruga