
Re: Stretch : mount Jessie encrypted HDD via USB

On Thu 02 Nov 2017 at 08:08:00 (-0200), Eduardo M KALINOWSKI wrote:
> On 01-11-2017 22:44, David Wright wrote:
> > OK, so that sounds as if removing the USB device before vgchange -an
> > will not affect the device but only the host PC.
> > 
> > And my own experience suggests that the same is true if the
> > unlocked device is removed before locking it.
> > 
> > It's not that I don't perform the correct sequence of steps,
> > but just that accidents happen and I like to be prepared for
> > the consequences. The effects of removing a device without
> > unmounting it are well documented and have been for years.
> > OTOH I have found a deafening silence about the effects of
> > not locking an encrypted device.
> 
> I don't know what you mean by 'locking', as it is not a term used by
> dm-crypt volumes.

Here are my notes on using an encrypted USB device. This crib
is an annotated version of output from script. I've not used
lvm/vgchange, so that was the main focus of my query.

## Using (non-removable device) the easier way:
## /etc/fstab entry is:
    /dev/mapper/luks-3d863b13-5914-476b-b7a5-6e9af95673e6 /media/adam01 ext4 rw,errors=remount-ro,user,noauto

$ udisksctl unlock --block-device /dev/disk/by-uuid/3d863b13-5914-476b-b7a5-6e9af95673e6
Passphrase:
Unlocked /dev/sdb1 as /dev/dm-0.
$ mount /media/adam01/
$ 

# when finished:

$ umount /media/adam01/
$ udisksctl lock --block-device /dev/disk/by-uuid/3d863b13-5914-476b-b7a5-6e9af95673e6
Locked /dev/sdb1.
$ 

Hence my use of the term "locked".

> But if it means closing the disk with the 'luksClose' command of
> cryptsetup, I'd definitely do that before disconnecting the disk.

That I do, that I'm happy to do, and that isn't the focus of this
question.

> It probably won't hurt to simply unplug if everything has already been
> written to the disk, but it's definitely safer to properly close the
> encrypted volume.

AFAICT umount and sync (or a period of time passing) writes everything
to the device that it needs.

> If you run LVM on the encrypted volume, you'll most likely have to run
> 'vgchange -an', otherwise the volume will be considered 'in use' and you
> won't be able to luksClose it.

Yes, I understand that. But is that only for the benefit of the
PC, not the device that was plugged in? When you unmount, things
get written to the device. Is the same true of vgchange -an and
cryptsetup luksClose? I think not for the latter.

> The commands in deloptes' message seem correct and are what you need.

Yes, I am aware that the solution is precisely correct. My question
is aimed at the case where everything *doesn't* go exactly to plan,
ie possible real-world scenarios.

Let me give you an unsafe analogy of what I mean. You pull up at
a filling station¹ and fuel your car²³⁴. Then you pull out the hose,
replace the cap on the filler tube, close the little flap⁵, and
drive off⁸. As far as the *car* is concerned, everything is 100% OK.
The only repercussions are with the filling station and your legal
liability.

¹ 1. plug in / connect the usb to the computer
² 2. cryptsetup luksOpen /dev/sd<x>1 cryptedDisk
³ 3. vgchange -ay cryptedDisk
⁴ 4. mount /dev/mapper/cryptedDisk-<logical volume> ...

⁵ 1. umount /dev/mapper/cryptedDisk-<logical volume>
⁶ 2. vgchange -an cryptedDisk
⁷ 3. cryptsetup luksClose cryptedDisk
⁸ 4. unplug

Cheers,
David.
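The unplug sequence footnoted above (umount, vgchange -an, luksClose, unplug), written up as an added shell script that is not part of this thread and not David's or deloptes' own code. Each step is checked before the next one runs, and the script only reports "safe to unplug" once the LUKS mapping has actually disappeared from /dev/mapper. The mount point, volume-group name and mapper name are assumed arguments (deloptes' steps use "cryptedDisk" for both of the latter); with DRY_RUN=1 the script prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: checked teardown of a LUKS+LVM USB disk,
# following the footnoted order umount -> vgchange -an -> luksClose -> unplug.
# Arguments are assumptions: mount point, LVM volume group, LUKS mapper name
# (deloptes' steps use "cryptedDisk" for both of the latter).
# DRY_RUN=1 prints each privileged command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Returns 0 if the path is listed as a mount point in /proc/mounts (Linux only).
is_mounted() {
    [ -r /proc/mounts ] &&
        awk -v mp="$1" '$2 == mp { f = 1 } END { exit !f }' /proc/mounts
}

detach_encrypted_disk() {
    mp=$1
    vg=$2
    luks=${3:-$2}
    dry=${DRY_RUN:-0}

    # Step 1: unmount, then flush so nothing is left in the page cache.
    if [ "$dry" = 1 ] || is_mounted "$mp"; then
        run umount "$mp" || { echo "umount $mp failed; stopping" >&2; return 1; }
    else
        echo "$mp is not mounted, skipping umount" >&2
    fi
    run sync

    # Step 2: deactivate the volume group; otherwise luksClose sees the
    # device as still in use and refuses.
    run vgchange -an "$vg" || { echo "vgchange -an $vg failed; stopping" >&2; return 2; }

    # Step 3: close the LUKS mapping.
    run cryptsetup luksClose "$luks" || { echo "luksClose $luks failed; stopping" >&2; return 3; }

    # Step 4 is the physical unplug; only call it safe once the mapping is gone.
    if [ "$dry" != 1 ] && [ -e "/dev/mapper/$luks" ]; then
        echo "/dev/mapper/$luks still present; do not unplug" >&2
        return 4
    fi
    echo "safe to unplug"
}

# Usage: sh detach.sh /media/adam01 cryptedDisk [mapper-name]
if [ $# -ge 2 ]; then
    detach_encrypted_disk "$@"
fi
```

Run it as root (or under sudo) with the mount point and volume group as arguments, or with DRY_RUN=1 to just list the steps. The value of the script is the final existence check on /dev/mapper: it answers "is the host finished with this device" from the host's own state rather than assuming the three commands all did what they were asked.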