answered
2019-11-05 23:24:45 +0200
Finally I managed to automount the encrypted sdcard, originally formatted and encrypted by the Sailfish tools.
First an overview of the process:
- backup your sdcard, you never know what can go wrong
- backup the luks header of your partition, this may save you from restoring the full backup
- add keyfile to the LUKS encryption
- add systemd service to mount sdcard
- add udev rule to launch systemd service
- adapt link /media/sdcard
From here on I did everything as root.
Backup your sdcard on PC
mount your sdcard on your pc
cd <sdcard>
tar czvf ~/sdcard.tgz .
Backup luks header of your sdcard on PC
cryptsetup luksHeaderBackup /dev/<your-device-name> --header-backup-file ~/sdcard_luksHeader
Add keyfile to the LUKS encryption
Clear slots 1 to 7 that were occupied by Sailfish. Slot 0 is probably used to hold the key protected by your password; you cannot delete this.
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 7
Enter any remaining passphrase:
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 6
Enter any remaining passphrase:
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 5
Enter any remaining passphrase:
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 4
Enter any remaining passphrase:
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 3
Enter any remaining passphrase:
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 2
Enter any remaining passphrase:
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 1
Enter any remaining passphrase:
Create a keyfile and set access right
dd bs=512 count=4 if=/dev/urandom of=/root/sdkey
chmod 400 /root/sdkey
Add this keyfile to your luks partition
cryptsetup luksAddKey /dev/mmcblk1p1 /root/sdkey
Test keyfile
cryptsetup luksOpen --test-passphrase --key-file /root/sdkey /dev/mmcblk1p1
Create systemd service to mount sdcard
create the following file, e.g. with editor nano /etc/systemd/system/mount-encrypted-sdcard.service
[Unit]
Description=Automount encrypted sdcard
[Service]
Type=oneshot
ExecStart=/usr/bin/udisksctl unlock --key-file=/root/sdkey --block-device /dev/mmcblk1p1
ExecStart=/usr/bin/udisksctl mount --block-device /dev/dm-2
Test service, lock sdcard before if it was unlocked
udisksctl lock --block-device /dev/mmcblk1p1
systemctl daemon-reload
systemctl start mount-encrypted-sdcard
Add udev rule to launch systemd service at boot
create the following file, e.g. with editor nano /etc/systemd/system/mount-encrypted-sdcard.service
The values for ATTR{size} and ATTR{start} can be taken from the first section of the output of the command udevadm info -a -p $(udevadm info -q path -n /dev/mmcblk1p1)
ACTION=="add", KERNEL=="mmcblk1p1", SUBSYSTEM=="block", ATTR{size}=="249704448", ATTR{start}=="32768", ENV{SYSTEMD_WANTS}="mount-encrypted-sdcard.service"
reload the udev rules via udevadm trigger
adapt link /media/sdcard
As udisksctl is run as root, the sdcard will be mounted at /run/media/root/<your-disk-label>, hence the original symbolic link of /media/sdcard to /run/media/nemo/<your-disk-label> will no longer work, so we replace it:
ln -fs /run/media/root/<your-disk-label> /media/sdcard
Now it's time to try it out:
* call sync and reboot
* you should see your sdcard in Settings - Storage
* now tracker will also find media files on your sdcard, as the sdcard will be mounted before tracker is started
credit goes to main source of systemd and udev: https://technik.blogbasis.net/arch-automount-encrypted-sdcard-udev-systemd-09-10-2015
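Added example, not part of the original answer: a helper script that could replace the two ExecStart= lines of the service with one. It refuses a keyfile that is a symlink, has the wrong owner, or is readable by group/other, and it takes the cleartext device from the unlock message instead of hard-coding /dev/dm-2. The function names, the idea of a separate script, and the exact wording of the udisksctl unlock message ("Unlocked <device> as <mapped device>.") are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helper, called as  <script> <device> <keyfile>
# Assumes a stat that supports -c (GNU coreutils or busybox).

# Succeeds only if the keyfile is a regular file (not a symlink), owned by
# the expected uid (default 0 = root) and has mode 400 or 600.
keyfile_ok() {
    _kf=$1
    _want_uid=${2:-0}
    [ -f "$_kf" ] && [ ! -L "$_kf" ] || return 1
    _meta=$(stat -c '%a %u' "$_kf") || return 1
    _mode=${_meta% *}
    _uid=${_meta#* }
    [ "$_uid" = "$_want_uid" ] || return 1
    case $_mode in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Reads udisksctl's unlock message on stdin and prints the cleartext device.
# Assumed message format: "Unlocked /dev/mmcblk1p1 as /dev/dm-2."
mapped_device() {
    sed -n 's|^Unlocked .* as \(/dev/[A-Za-z0-9/_-]*\)\.*$|\1|p'
}

# Verify the keyfile, unlock the LUKS partition, mount whatever device
# udisks mapped it to.
unlock_and_mount() {
    _dev=$1
    _key=$2
    if ! keyfile_ok "$_key" 0; then
        echo "refusing keyfile $_key: wrong type, owner or mode" >&2
        return 1
    fi
    _out=$(udisksctl unlock --key-file="$_key" --block-device "$_dev") || return 1
    _clear=$(printf '%s\n' "$_out" | mapped_device)
    [ -n "$_clear" ] || { echo "no mapped device in: $_out" >&2; return 1; }
    udisksctl mount --block-device "$_clear"
}

# Only act when called with both arguments, e.g. /dev/mmcblk1p1 /root/sdkey
if [ "$#" -eq 2 ]; then
    unlock_and_mount "$1" "$2"
fi
```

The keyfile sits unencrypted on the phone's internal storage, so the card is only as well protected as root access to the device; the passphrase in slot 0 still works if the keyfile is lost.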