attach block device fails to mount LUKS encrypted devices #2014
andrewdavidwong added enhancement, P: minor, C: Debian, UX labels May 23, 2016
andrewdavidwong
May 23, 2016
Member
cryptsetup is the main command-line tool for interfacing with dm-crypt and thereby creating and managing LUKS volumes.
Is it LUKS encrypted partition (even when single), or the whole device?
entr0py
May 23, 2016
Commands to try:
- Encrypted devices (/dev/sda)
Need to be unlocked in usbVM first:
sudo cryptsetup open /dev/sda <any_name_for_mapped_device>
Then attached to appVMs:
qvm-block -a <appVM> sys-usb:sda
Should mount automatically or cli:
sudo mount /dev/mapper/<name_for_mapped_device> <mount_dir>
Use. Unmount:
sudo umount <mount_dir>
In usbVM:
sudo cryptsetup close <name_for_mapped_device>
Unplug.
- Encrypted primary partition (/dev/sda1)
Attach directly to appVM and let it handle encryption.
Or use commands above inside appVM - nothing needed in usbVM.
- Encrypted extended partition (/dev/sda5)
Attach directly to appVM - might require additional steps to mount volumes.
sudo cryptsetup open /dev/sda5 <any_name_for_mapped_device>
To mount volumes in the encrypted partition (requires package lvm2 in Debian):
vgchange -ay  # related useful commands: pvs, lvdisplay
Then mount.
To detach, reverse order:
sudo umount <mount_dir>
vgchange -an
sudo cryptsetup close <name_for_mapped_device>
Detach from appVM.
Unplug.
IIUC encrypting the entire device is more secure than encrypting partition?; but given that Qubes can't recognize and requires exposing passphrase in usbVM, maybe better to NOT encrypt whole devices?
unman
Jun 2, 2016
Member
@3n7r0p1 You should absolutely not decrypt the device in usbVM - it's unnecessary. All you have to do is add the device as usbVM:sda, and then decrypt and mount in the target qube. The cryptsetup commands are standard fare and work for me in Debian based qubes.
@bnvk Can you check that again? (Assuming device is encrypted)
When attached the device should appear as /dev/xvdi or subsequent,
- attach usb to qube
- sudo cryptsetup open /dev/xvdi bk --type luks
- sudo cryptsetup status /dev/mapper/bk [Shows useful status]
- sudo mount /dev/mapper/bk /mnt
- do stuff in /mnt
- sudo umount /mnt
- sudo cryptsetup close bk --type luks
- remove usb
This is confirmed as Debian specific issue - the device does appear in nautilus in Fedora based qube, and also does appear in nautilus in a Debian usbVM.
Works as expected with stretch based qube, (even with jessie usbVM).
unman
Jun 3, 2016
Member
Jessie based qube:
A mixed drive with some encrypted partitions appears correctly in nautilus. The encrypted partitions are identified and prompt for password on attempt to mount.
An encrypted drive does not appear in nautilus.
Stretch based:
Both encrypted partitions and drives are handled properly in nautilus.
udisksctl shows under Stretch (and Fedora):
Id:
IdLabel:
IdType: ext3
IdUUID: c79423f8-c4b1-9992-b9e5-f312893f2af2
IdUsage: filesystem
IdVersion: 1.0
Whereas under jessie, all these entries are blank. There's the problem.
@bnvk Given that the issue is fixed under jessie, (although that's a while off), could we close this with an entry in the FAQ detailing the manual mount method? (Assuming you have been able to mount using that method.)
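The manual workaround from the comments above, as an added example that is not part of the thread or of Qubes OS: it checks for the LUKS magic at offset 0 of the attached device (the identification that the blank udisksctl fields show is missing under Jessie) and then unlocks and mounts it in the target qube, not in the usbVM. The function names, the `nosuid,nodev` mount options and the sample device and mapping names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Run in the target qube, not the usbVM.

# Print the LUKS header version (1 or 2) found at offset 0 of a device or
# image file. Returns 2 if unreadable, 1 if there is no LUKS header.
luks_version() {
    [ -r "$1" ] || return 2
    # First 8 bytes as hex: 6-byte magic "LUKS\xba\xbe" + 2-byte version.
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe????) ;;
        *) return 1 ;;
    esac
    # The version field is a big-endian 16-bit integer.
    echo $(( 0x${hdr#4c554b53babe} ))
}

# Unlock and mount a whole-device LUKS volume attached to this qube.
# Usage (names are assumptions): open_and_mount /dev/xvdi bk /mnt
open_and_mount() {
    dev=$1; name=$2; dir=$3; rc=0
    ver=$(luks_version "$dev") || rc=$?
    case $rc in
        0) echo "$dev: LUKS$ver header found" >&2 ;;
        2) echo "$dev: not readable (try as root)" >&2; return 1 ;;
        *) echo "$dev: no LUKS header at offset 0" \
                "(is the encryption on a partition?)" >&2
           return 1 ;;
    esac
    sudo cryptsetup open "$dev" "$name" --type luks || return 1
    # nosuid,nodev is a hardening assumption for removable media.
    if ! sudo mount -o nosuid,nodev "/dev/mapper/$name" "$dir"; then
        sudo cryptsetup close "$name"   # do not leave the mapping open
        return 1
    fi
}

# Reverse order: unmount first, then close the mapping, then detach.
# Usage: unmount_and_close bk /mnt
unmount_and_close() {
    sudo umount "$2" && sudo cryptsetup close "$1"
}
```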
rootkovska removed the C: label Jun 30, 2016
andrewdavidwong added the C: Debian label Jul 2, 2016
andrewdavidwong added this to the Far in the future milestone Dec 24, 2016
unman referenced this issue in QubesOS/qubes-doc Feb 14, 2017
Merged: Add explanation of how to deal with encrypted USB drive in Debian #286
unman
Feb 27, 2017
Member
@andrewdavidwong Can you close this? It's a 'feature' in Jessie, works in Stretch, and a workaround is now fully documented.
bnvk commented May 23, 2016
Qubes OS version (e.g., R3.1): R3.1
Affected TemplateVMs (e.g., fedora-23, if applicable): debian-8
Expected behavior:
A LUKS encrypted USB device should pop up in the sidebar of Nautilus and, when clicked on, prompt the user for the encryption password.
Actual behavior:
Device fails to mount in Nautilus
Steps to reproduce the behavior:
Plug in a LUKS encrypted USB device and attach it
General notes:
Researching how to mount from the CLI suggests using a program called cryptsetup, which works from the fedora-23 template, but for some reason does not work in debian-8 despite being installed