crypttab entry for device, not partition

ki9 · 2024-08-06 18:16:00

I've always used luks to encrypt a partition, for example, /dev/sdx1. I determine the UUID of the partition with /dev/disk/by-uuid:

# ls -l /dev/disk/by-uuid | grep sdx1
lrwxrwxrwx 1 root root 15 Aug  1 15:09 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -> ../../sdx1

And then I use that UUID in /etc/crypttab:

mydisk	UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX	/path/to/my.key	luks

What I'm trying to do now is encrypt the entire device, not a partition. But the device doesn't have a UUID. After deleting the partition:

# ls -l /dev/disk/by-uuid | grep sdx
#

So I'm not sure how to safely (without referring to "sdx" which might change) refer to the disk in /etc/crypttab. I'm guessing either use the id or ptuuid:

# ls -l /dev/disk/by-id | grep sdx
lrwxrwxrwx 1 root root  9 Aug  6 11:48 ata-SanDisk_Extreme_Portable_SSD_XXXXXXXXXXXX -> ../../sdx
lrwxrwxrwx 1 root root  9 Aug  6 11:48 wwn-0xXXXXXXXXXXXXXXX -> ../../sdx
# blkid /dev/sdx
/dev/sdx: PTUUID="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" PTTYPE="gpt"

With one of the following lines in crypttab:

mydisk	ID=ata-SanDisk_Extreme_Portable_SSD_XXXXXXXXXXXX	/path/to/my.key	luks
mydisk	ID=wwn-0xXXXXXXXXXXXXXXX                        	/path/to/my.key	luks
mydisk	PTUUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX     	/path/to/my.key	luks

But the manpage for "crypttab" has no mention of ID or PTUUID so I'm not sure that these will work, or if any of them are best practice.

As a follow-up question, why does the partition table still exist at all? I thought it would get wiped after I ran

# cryptsetup luksFormat /dev/sdx /path/to/my.key

But it was not...

frostschutz · 2024-08-06 19:29:27

Partitions do not have UUIDs either, until you luksFormat (or other) which creates one.

The GPT partition table has a backup at the end of disk. A partitioner that sees a valid GPT backup but no GPT header at start of disk, might just restore the partition table and destroy your LUKS header in the process.

Stick to partitions. If you must use whole devices, make sure to wipe partition headers thoroughly. But it's just not worth the risk at all.

PTUUID is not supported everywhere. Not sure if crypttab accepts it. As a workaround you could just use the udev path /dev/disk/by-partuuid/X instead.

ki9 · 2024-08-06 21:06:58

frostschutz wrote:

Stick to partitions.

I should have mentioned I'm trying to encrypt the whole drive without any headers or partition tables for plausible deniability.

frostschutz wrote:

A partitioner... might just restore the partition table and destroy your LUKS header in the process.

As such, I'm using a detached luks header on a different drive so it shouldn't be an issue.

frostschutz wrote:

If you must use whole devices, make sure to wipe partition headers thoroughly.

I am realizing that for true plausible deniability, I need to wipe the whole disk with urandom first anyway.

frostschutz wrote:

PTUUID is not supported everywhere. Not sure if crypttab accepts it. As a workaround you could just use the udev path /dev/disk/by-partuuid/X instead.

Re-reading the manpage for crypttab, it seems like only UUID, PARTUUID, LABEL, and PARTLABEL are supported and they are all partition-dependent. So none of the crypttab lines I suggested (ID and PTUUID) would have worked. But I can reference the symlinks like so.

mydisk	/dev/disk/by-id/ata-SanDisk_Extreme_Portable_SSD_XXXXXXXXXXXX	/path/to/my.key	luks
mydisk	/dev/disk/by-id/wwn-0xXXXXXXXXXXXXXXX                        	/path/to/my.key	luks

I did a little more research and it looks like the wwn- identifier is globally unique and the other one should stay the same unless I plug the drive into a different subsystem. (ArchWiki: by-id and by-path) Some of my disks start with "ata-" and others start with "usb-" even though they are all external USB drives. Also, only 2/4 of my disks provide a wwn at all.

I guess I will just use the "wwn-" symlink if it exists and the "usb-" if it doesn't.

ua4000 · 2024-08-08 18:44:21

ki9 wrote:

for plausible deniability.

Maybe in idea:
stick to partitions, like frostschutz suggested, and make a gpt table with 2 partitions:
- the 1st one is a decoy/dummy, e.g. FAT32 with 4..16 GB, readable by windows too, where you place some dummy data, or some handy data, or e.g. an Arch iso :-)
- 2nd partitions is "empty", filled with random data --> your luks with detached header.

This is plausible deniability as well, and you can access the partition save by by-partuuid, and don't need to worry, that a dumb windows offers to make an initialization, format/gpt your disk, in case someone plug in on windows.

And a further tip, if you stick to the whole disk scenario: use the offset parameter and do not start you real data at byte 0, but e.g. at byte 4 GB, which maybe minimize the damage by an format/partition accident. For an ideal offset maybe others have a better value.

Arch Linux

#1 2024-08-06 18:16:00

crypttab entry for device, not partition

#2 2024-08-06 19:29:27

Re: crypttab entry for device, not partition

#3 2024-08-06 21:06:58

Re: crypttab entry for device, not partition

#4 2024-08-08 18:44:21

Re: crypttab entry for device, not partition

Board footer