We have moved to a new Sailfish OS Forum. Please start new discussions there.
9

Automount encrypted sdcard with key file

Tracked by Jolla

asked 2019-01-10 15:04:46 +0200

jollajo gravatar image

updated 2019-01-11 11:40:07 +0200

jovirkku gravatar image

Today I got an uSD card for my XA2 with SF 3.0.1. Formatting with encryption and unlocking with mount works without issues. However it's rather painful to remember to manually unlock and mount the SD card after reboot. Especially automatically started services and apps won't find the external memory at boot time.

On a desktop PC I have a key file in my rootfs or home partition and unlock (luks-)encrypted partitions automatically with that key file. Is there an option in SF3 as well?

edit retag flag offensive close delete

2 Answers

Sort by » oldest newest most voted
2

answered 2019-01-16 15:34:59 +0200

olf gravatar image

If you are able to use the command line, chapter 4.3 of the "Guide: Creating partitions on SD-card, optionally encrypted" is working fine (since SFOS 2.1) and is interoperable with Jolla's new GUI solution in SFOS 3.0.

This seems to be easier to deploy (for command line savvy users) and more reliable (taking above and other issues with Jolla's solution into account), if just an encrypted SD-card (partition) automatically mounted at boot time is wanted.
Please mind the prerequisite steps noted in the preceding chapters of "Guide: Creating partitions on SD-card, optionally encrypted".

edit flag offensive delete publish link more
2

answered 2019-11-05 23:24:45 +0200

jollajo gravatar image

updated 2019-11-05 23:40:30 +0200

Finally I managed to automount the encrypted sdcard, originally formatted and encrypted by the Sailfish tools.

First an overview of the process:

  1. backup your sdcard, you never know what can go wrong
  2. backup the luks header of your partition, this may save you from restoring the full backup
  3. add keyfile to the LUKS encryption
  4. add systemd service to mount sdcard
  5. add udev rule to launch systemd service
  6. adapt link /media/sdcard

from here I did everything as root


Backup your sdcard on PC

mount your sdcard on your pc

cd <sdcard>  
tar czvf ~/sdcard.tgz .

Backup luks header of your sdcard on PC

cryptsetup cryptsetup luksHeaderBackup /dev/<your-device-name> --header-backup-file ~/sdcard_luksHeader

Add keyfile to the LUKS encryption

clear slots 1 to 7 that were occupied by sailfish. Slot 0 is probably used to hold the key protected by your password, you cannot delete this.

[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 7
Enter any remaining passphrase: 
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 6
Enter any remaining passphrase: 
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 5
Enter any remaining passphrase: 
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 4
Enter any remaining passphrase: 
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 3
Enter any remaining passphrase: 
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 2
Enter any remaining passphrase: 
[root@devel home]# cryptsetup luksKillSlot /dev/mmcblk1p1 1
Enter any remaining passphrase:

Create a keyfile and set access right

dd bs=512 count=4 if=/dev/urandom of=/root/sdkey
chmod 400 of=/root/sdkey

Add this keyfile to your luks partition

cryptsetup luksAddKey /dev/mmcblk1p1 /root/sdkey

Test keyfile

cryptsetup luksOpen  /dev/mmcblk1p1 - /root/sdkey

Create systemd service to mount sdcard

create the following file, e.g. with editor nano /etc/systemd/system/mount-encrypted-sdcard.service

  [Unit]
  Description=Automount encrypted sdcard

  [Service]
  Type=oneshot
  ExecStart=/usr/bin/udisksctl unlock --key-file=/root/sdkey --block-device /dev/mmcblk1p1
  ExecStart=/usr/bin/udisksctl mount --block-device /dev/dm-2

Test service, lock sdcard before if it was unlocked

udisksctl lock --block-device /dev/mmcblk1p1
systemctl daemon-reload
systemctl start mount-encrypted-sdcard

Add udev rule to launch systemd service at boot

create the following file, e.g. with editor nano /etc/systemd/system/mount-encrypted-sdcard.service
The values for ATTR{size} and ATTR{start} can be taken from the first section of the output of the command udevadm info -a -p $(udevadm info -q path -n /dev/mmcblk1p1)

ACTION=="add", KERNEL=="mmcblk1p1", SUBSYSTEM=="block", ATTR{size}=="249704448", ATTR{start}=="32768", ENV{SYSTEMD_WANTS}="mount-encrypted-sdcard.service"

reload the udev rules via udevadm trigger

adapt link /media/sdcard

As udisksctl is run as root, the sdcard will be mounted at /run/media/root/<your-disk-label>, hence the original symbolic link of /media/sdcard to /run/media/nemo/<your-disk-label> will no longer work, so we replace it:

ln -fs /run/media/root/<your-disk-label> /media/sdcard</your-disk-label>

now it's time to try it out

* call sync and reboot * you should see your sdcard in Settings-Storage * now tracker will also find media files on your sdcard, as the sdcard will be mounted before tracker is started

credit goes to main source of systemd and udev: https://technik.blogbasis.net/arch-automount-encrypted-sdcard-udev-systemd-09-10-2015

edit flag offensive delete publish link more

Comments

1

Please take a look at crypto-sdcard and its sources which does basically the same, but in a more sophisticated manner.

Plus, instead of deploying a systemd service unit and an udev rule manually, installing the crypto-sdcard RPM (e.g. per Storeman) does that automatically.

olf ( 2019-11-06 00:34:17 +0200 )edit
Login/Signup to Answer

Question tools

Follow
6 followers

Stats

Asked: 2019-01-10 15:04:46 +0200

Seen: 832 times

Last updated: Nov 05 '19