Coffee Space


Listen:

Decrypt Drive

Preview Image

Preview Image

Warning: The following comes without any warranty, use at your own risk! You have been warned!

A while back Ubuntu for some reason stopped being able to automatically detect that there is attached encrypted drives, and even when prompted, it forgot how to correctly handle them. Thanks Ubuntu!

For a while now each time I wanted to mount my encrypted drive to perform a backup I would need to use this help page. It's a bit of a pain and is really something that can be automated! The steps are as follows:

  1. Find out which device is the encrypted one.
  2. Perform some decryption and mounting commands on it so that it appears to look like a formal drive.
  3. Eject the drive safely (it may not be finished writing to all of the blocks, for example).

The following is an explanation for the binds I have in .bash_alias.

Find The Drive

I am looking for a drive with a partition of type crypto_LUKS. After some searching around, I found that lsblk can actually locate such drives!

Next up was to get the data out of lsblk that I want, which is namely the location. In the man page I saw that there is some -J option, that outputs as JSON! I found out a while back there is some nice tool called jq for parsing JSON on the command line!

0001 alias backup-find='function _bf(){ echo -n "/dev/"; lsblk -J --fs | jq ".blockdevices[] | select(.children != null) | .children[] | select(.fstype == \"crypto_LUKS\") | .name" | jq -r; }; _bf'

Essentially, we loop all block devices, select all children that are not NULL, then loop those children. The we filter each where .fstype is of our required type crypto_LUKS, then we select the name.

Note: Technically it is possible that more than one drive actually matches this type. I am also unsure how it will behave when there is no encrypted drive attached. That is why this step is manually performed - do a sanity check first!

This would be used like follows:

0002 backup-find

Hopefully this prints something like /dev/drive123. Give this a sanity check before using it!

Mount The Drive

Next 'open' the drive, create a directory to mount it, and then mount it to that location:

0003 alias backup-decrypt='function _bd(){ loc="/media/${USER}/Backup"; sudo cryptsetup luksOpen ${1} eback; sudo mkdir ${loc}; sudo mount /dev/mapper/eback ${loc}; }; _bd'

This would be used as follows:

0004 backup-decrypt /dev/drive123

It should ask for the decryption password.

Eject The Drive

Don't forget to unmount the drive when you're done!

0005 alias backup-eject='function _be(){ loc="/media/${USER}/Backup"; sudo umount ${loc}; sudo cryptsetup luksClose eback; }; _be'

This is run with something like:

0006 backup-eject

Known Flaws

This has a few issues of course:

  1. It assumes a single drive is connected with fstype as crypto_LUKS.
  2. It assumes that this drive is found, and only one is found.
  3. It assumes there is not already some drive called eback.
  4. It assumes the drive is not already mounted, or another drive is not already mounted at the target location.
  5. There is no error handling - so good luck with that one.

These are just some of the issues to be aware of with using this, so take it as you will.