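# created by n2deep
# www.the808.net
# Date: 08-01-2012
# works on Ubuntu 12.04 with libudev0 and udev at version 175-0ubuntu9
# note that udev-175-0ubuntu9.1 is broken as of 08-04-2012
# customize the options and place this file in /etc/udev/rules.d
# (give the file a name that sorts after the device-mapper rules, e.g. 99-<name>.rules,
#  so /dev/mapper/cryptstorage1 has been created by the time the mount rule below fires)

#----INTRO----
# The goal of this udev rule is to use a small USB stick as the sole means of opening and closing
# an encrypted file system that is on a large spinning disk or RAID array.
# The reason we want this automation with udev is because -->insert reason here<-- we have decided
# not to have a passphrase on one of the key slots on the crypto_LUKS container.
# When we want to unlock the disk and mount the file system, we simply insert the USB stick.
# When we want to unmount and lock it, we simply remove the USB stick.
# The USB stick is a constant visible reminder of the current status of the encrypted disk.
# This udev rule uses UUIDs so that even when other USB sticks are mounted and unmounted,
# the encrypted storage disk stays mounted.
# This file uses cryptsetup but conceivably truecrypt command line options could be used here instead.
#
# Things you will need to know before you can use this udev rule:
# 1. the UUID of the filesystem on the USB stick with your keyfile. < Do not give the filesystem
#    a label, so it will be mounted in /media using its UUID.
# 2. the UUID of your storage disk's external facing crypto_LUKS container. < Anyone with physical
#    access to your storage disk can see this UUID.
# 3. the UUID of your storage disk's encrypted ext4 filesystem inside of the storage disk's
#    crypto_LUKS container. < This UUID can only be seen after the key has unlocked the
#    external container.
#
# How udev reads this file (this shapes every rule below):
# - each line is an independent rule; a line with only match keys and no assignment changes
#   nothing for the lines after it (a group of rules is skipped with GOTO/LABEL), and "!==" is
#   not a udev operator ("!=" is);
# - a line with no match keys at all matches every event that reaches this file;
# - RUN+= programs execute after all rules for an event have been processed, not in line order,
#   so a TEST on a later line cannot observe the result of a RUN on an earlier line of the
#   same event;
# - IMPORT{program} only picks up KEY=VALUE lines printed by the program ("blkid -o value"
#   prints the bare value and imports nothing; "blkid -o udev" prints ID_FS_UUID=...).

#BEGIN USB stick as encryption key udev rules.

# Only block devices are of interest; everything else skips the rest of this file.
SUBSYSTEM!="block", GOTO="usbkey_end"

# In our scenario the USB stick with the crypt key file should be sdd or higher. Where depends on
# whether the stick was in the machine on bootup or not. Block devices outside that range
# (including the dm-* device that luksOpen creates) jump to the mapped-device section below.
KERNEL!="sd[d-z]*", GOTO="usbkey_mapped"

# Use the blkid command to import the filesystem UUID of the device that was just plugged in
# as ID_FS_UUID.
ACTION=="add", IMPORT{program}="/sbin/blkid -o udev $tempnode"

# Try to unlock the encrypted storage disk now, but only when the device that appeared is the
# key stick's filesystem (matched on its UUID): any other stick in the sd[d-z] range must not
# trigger cryptsetup.
# Opening the encrypted container using /dev/disk/by-uuid is the critical thing here as
# /dev/sdX1 is subject to change if the machine is rebooted with the usb stick in the box.
# The UUID we use in this /dev/disk/by-uuid is the external facing crypto_LUKS container anyone can see.
# NOTE(review): --key-file points at the stick's automount location under /media; that mount is
# made by the desktop automounter, which only learns of the device after udev has finished
# processing this event, so confirm on your system that the key file is reachable when this RUN
# program executes. udev also kills RUN programs that exceed its timeout; a slow luksOpen will
# show up in the udev log.
ACTION=="add", ENV{ID_FS_UUID}=="a3b7533e-c9aa-4630-a0b2-e0a78028169b", RUN+="/sbin/cryptsetup luksOpen --key-file=/media/a3b7533e-c9aa-4630-a0b2-e0a78028169b/myfile.key /dev/disk/by-uuid/027c4973-56d8-4eb3-834e-b80b600a6354 cryptstorage1"

#REMOVAL ACTIONS START BELOW
# Automatically unmount the real filesystem and close the encrypted container when the USB stick
# with the key is unplugged, so the system is ready as soon as the key is plugged in again.
# The underlying device is gone on a remove event, so running blkid on it is not useful; instead
# we check that the key stick's by-uuid symlink has disappeared (it is only present while the
# key stick is attached). umount/luksClose on an already closed container simply fail.
ACTION=="remove", TEST!="/dev/disk/by-uuid/a3b7533e-c9aa-4630-a0b2-e0a78028169b", RUN+="/bin/umount /mnt/cryptstorage1/", RUN+="/sbin/cryptsetup luksClose cryptstorage1"
GOTO="usbkey_end"

LABEL="usbkey_mapped"
# The mapped device that luksOpen created gets its own events; that is where the encrypted ext4
# filesystem's UUID becomes visible and where mounting can happen. Device-mapper devices
# announce an "add" when created and a "change" once their table is active, and blkid may only
# see the filesystem on the latter, so both are matched and the UUID check decides.
ACTION=="add|change", KERNEL=="dm-*", IMPORT{program}="/sbin/blkid -o udev $tempnode"
# The encrypted ext4 filesystem's UUID is present, so mount the internal encrypted ext4 filesystem.
# A repeated "change" event re-runs mount, which fails harmlessly if it is already mounted.
ACTION=="add|change", KERNEL=="dm-*", ENV{ID_FS_UUID}=="dea98085-f15a-4c4c-a590-a85c4ac12ed3", RUN+="/bin/mount -o noatime,nodiratime /dev/mapper/cryptstorage1 /mnt/cryptstorage1/"

LABEL="usbkey_end"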