
x111 09-20-2010 07:24 AM

Encrypted partition gets mounted without being asked for a passphrase?
Hello everybody,
I'm really confused by the ways an encrypted partition gets mounted.
If I use the normal mount command:

# mount /dev/sda2 /mnt/sda2
It just mounts the partition without asking for the passphrase used to create it. I can list the files in /mnt/sda2, create a new file test.txt, but have no access to the files written to the "real encrypted partition".

But if I unmount /mnt/sda2, and mount it again with

# cryptsetup luksOpen /dev/sda2 vault
# mount /dev/mapper/vault /mnt/sda2

Then I can see/change the content of the encrypted partition but without being able to see/change the file test.txt created previously with the normal mount command.

The reason I'm asking is that I'm having my custom Debian automount every partition available on the system at boot time. Is there any way/command to tell if a particular partition is encrypted (by cryptsetup) or not? So that I can mount it the right way and not make the users confused (or even harm the encrypted data).
Thanks for your consideration. :)

mostlyharmless 09-20-2010 11:39 AM

Interesting, one can only presume that when you created the encrypted partition, you left some room in the partition as some other filesystem recognized by "mount". Hopefully you aren't overwriting the same space.

If I try mount /dev/sdaX /mnt/somewhere on a LUKS partition, an error message about the filesystem not being recognized ensues. Clearly there must be a difference in how you made your LUKS partition and how I did it.

What I suggest is that you show us:

fdisk /dev/sda2

and the result of "mount" after you've mounted the partition both ways.

GazL 09-20-2010 12:12 PM

My guess would be that your previous mount failed and the test.txt file you created is actually in the root filesystem in the /mnt/sda2 directory. Unmount your /mnt/sda2 filesystem and ls -lR /mnt/sda2 and you will probably see it lurking in there.

As for auto unlocking of luks encrypted filesystems at boot time, /etc/crypttab is provided for that purpose, so you may want to read up on that.

Finally, "cryptsetup isLuks <device>" is the correct way to determine if a device contains a luks volume or not.
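For the automount question, an added example (not part of any post in this thread) that classifies a device by its on-disk signatures before deciding how to mount it. It covers the case seen here, where a plain mount of the raw partition succeeded even though a LUKS header is present, and it goes beyond the thread by also checking for an ext2/3/4 signature. The function names and sample images are constructed for illustration, and the magic-byte test is a simplification of what "cryptsetup isLuks" checks.

```shell
#!/bin/sh
# Added example (not from the thread). Signature offsets used:
#   LUKS1/LUKS2: magic "LUKS" 0xBA 0xBE at byte 0 of the device
#   ext2/3/4:    magic 0xEF53, stored little-endian (53 ef) at byte 1080

# Print N bytes at OFFSET of FILE as lowercase hex with no separators.
hex_at() {  # usage: hex_at FILE OFFSET N
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print one of: luks, luks+ext, ext, unknown
classify_dev() {
    luks=no
    ext=no
    if [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]; then luks=yes; fi
    if [ "$(hex_at "$1" 1080 2)" = "53ef" ]; then ext=yes; fi
    case "$luks/$ext" in
        yes/yes) echo "luks+ext" ;;
        yes/no)  echo "luks" ;;
        no/yes)  echo "ext" ;;
        *)       echo "unknown" ;;
    esac
}

# What the automounter should do. A LUKS header always wins: the raw device
# is never mounted directly, even if a filesystem signature is also visible.
mount_plan() {
    case "$(classify_dev "$1")" in
        luks*) echo "luksOpen $1, then mount the /dev/mapper device" ;;
        ext)   echo "mount $1" ;;
        *)     echo "skip $1" ;;
    esac
}

# Build a constructed 4 KiB sample image. KIND is luks, ext or both.
make_sample() {  # usage: make_sample FILE KIND
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    case "$2" in luks|both)
        printf 'LUKS\272\276\000\001' | dd of="$1" conv=notrunc 2>/dev/null ;;
    esac
    case "$2" in ext|both)
        printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null ;;
    esac
}
```

On a real system, run classify_dev as root against the partition (for example /dev/sda2) and prefer "cryptsetup isLuks" for the final decision, since it validates the header rather than only the magic bytes.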

x111 09-20-2010 11:23 PM

Oh thank you for the replies. I think there must be something I did wrong when I created the partition. So I'm going to re-create it and check to see if the same thing happens again. It's the 2nd partition of a 256MB usb flash key.

For comparison, here are the results of some commands before I proceed:

# mkdir /mnt/v1
# ls /mnt/v1

. ..
# mount /dev/sda2 /mnt/v1
# ls /mnt/v1
. .. .gtkrc-2.0 lost+found mhelper
# touch /mnt/v1/test.txt
# ls /mnt/v1
. .. .gtkrc-2.0 lost+found mhelper test.txt
# umount /mnt/v1
# cryptsetup luksOpen /dev/sda2 vault
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
# mkdir /mnt/v2
# mount /dev/mapper/vault /mnt/v2
# ls /mnt/v2
. .. lost+found menu Pictures trix
# cryptsetup isLuks /dev/sda2
# cryptsetup luksDump /dev/sda2

LUKS header information for /dev/sda2

Version:              1
Cipher name:          aes
Cipher mode:          cbc-plain
Hash spec:            sha1
Payload offset:        1032
MK bits:              128
Key Slot 0: ENABLED

GazL 09-21-2010 07:04 AM

Ahh, I see where you're going wrong. dmcrypt/luks is a block device level encryption, you have to put your filesystem on the encrypted mapping, not the raw partition, roughly something like this:

cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 vault
mkfs -t ext4 /dev/mapper/vault
mount /dev/mapper/vault /mnt/v2

Obviously, that'll wipe the existing contents of /dev/sda2.
You'll probably want to choose a few encryption options on the luksFormat too.

Once it's set up, you just do the luksOpen and the mount to access the existing contents.

mostlyharmless 09-21-2010 01:01 PM

Agree with above. Also, if you did ls /mnt/v1 after umount /mnt/v1, or just "mount" prior, you could also check the supposition by GazL that the mount failed and that the file is actually on the mount point.

x111 09-25-2010 05:46 AM

Oh yes. I don't remember what I did to create a luks partition on the drive but it is the cause. I just created it again and now everything's normal again. Thank you all.
