attach block device fails to mount LUKS encrypted devices #2014

Closed
bnvk opened this Issue May 23, 2016 · 7 comments

bnvk commented May 23, 2016

Qubes OS version (e.g., R3.1):

R3.1

Affected TemplateVMs (e.g., fedora-23, if applicable):

debian-8


Expected behavior:

A LUKS encrypted USB device should pop up in the sidebar of Nautilus and, when clicked on, prompt the user for the encryption password.

Actual behavior:

Device fails to mount in Nautilus

Steps to reproduce the behavior:

Plug in a LUKS encrypted USB device and attach it

General notes:

Researching how to mount from the CLI suggests using a program called cryptsetup, which works from the fedora-23 template, but for some reason does not work in debian-8 despite being installed.

andrewdavidwong May 23, 2016

Member

cryptsetup is the main command-line tool for interfacing with dm-crypt and thereby creating and managing LUKS volumes.

marmarek May 23, 2016

Member

Is it a LUKS encrypted partition (even when single), or the whole device?

entr0py May 23, 2016

Commands to try:

  1. Encrypted devices (/dev/sda)
    Need to be unlocked in usbVM first:
    sudo cryptsetup open /dev/sda <any_name_for_mapped_device>
    Then attached to appVMs:
    qvm-block -a <appVM> sys-usb:sda
    Should mount automatically or cli:
    sudo mount /dev/mapper/<name_for_mapped_device> <mount_dir>
    Use. Unmount:
    sudo umount <mount_dir>
    In usbVM:
    sudo cryptsetup close <name_for_mapped_device>
    Unplug.
  2. Encrypted primary partition (/dev/sda1)
    Attach directly to appVM and let it handle encryption.
    Or use commands above inside appVM - nothing needed in usbVM.
  3. Encrypted extended partition (/dev/sda5)
    Attach directly to appVM - might require additional steps to mount volumes.
    sudo cryptsetup open /dev/sda5 <any_name_for_mapped_device>
    To mount volumes in the encrypted partition (requires package lvm2 in Debian):
    vgchange -ay # related useful commands: pvs, lvdisplay
    Then mount.
    To detach, reverse order:
    sudo umount <mount_dir>
    vgchange -an
    sudo cryptsetup close <name_for_mapped_device>
    Detach from appVM.
    Unplug.

IIUC, encrypting the entire device is more secure than encrypting a partition? But given that Qubes can't recognize it and requires exposing the passphrase in usbVM, maybe better to NOT encrypt whole devices?

unman Jun 2, 2016

Member

@3n7r0p1 You should absolutely not decrypt the device in usbVM - it's unnecessary. All you have to do is add the device as usbVM:sda, and then decrypt and mount in the target qube. The cryptsetup commands are standard fare and work for me in Debian based qubes.
@bnvk Can you check that again? (Assuming device is encrypted)
When attached the device should appear as /dev/xvdi or subsequent,

  • attach usb to qube
  • sudo cryptsetup open /dev/xvdi bk --type luks
  • sudo cryptsetup status /dev/mapper/bk [Shows useful status]
  • sudo mount /dev/mapper/bk /mnt
  • do stuff in /mnt
  • sudo umount /mnt
  • sudo cryptsetup close bk --type luks
  • remove usb

This is confirmed as Debian specific issue - the device does appear in nautilus in Fedora based qube, and also does appear in nautilus in a Debian usbVM.

unman Jun 3, 2016

Member

Works as expected with stretch based qube, (even with jessie usbVM).

unman Jun 3, 2016

Member

Jessie based qube:
A mixed drive with some encrypted partitions appears correctly in nautilus. The encrypted partitions are identified and prompt for password on attempt to mount.
An encrypted drive does not appear in nautilus.

Stretch based:
Both encrypted partitions and drives are handled properly in nautilus.

udisksctl shows under Stretch (and Fedora):

Id:
IdLabel:
IdType: ext3
IdUUID: c79423f8-c4b1-9992-b9e5-f312893f2af2
IdUsage: filesystem
IdVersion: 1.0

Whereas under jessie, all these entries are blank. There's the problem.

@bnvk Given that the issue is fixed under jessie, (although that's a while off), could we close this with an entry in the FAQ detailing the manual mount method? (Assuming you have been able to mount using that method.)
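
The comparison above (udisks Id* fields populated under Stretch, blank under jessie) can be turned into a check for when the manual cryptsetup procedure is needed. This is an added example, not part of the original thread: the function names are hypothetical, it relies on the LUKS header starting with the magic bytes "LUKS" 0xBA 0xBE, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: tell apart "device is not LUKS" from "device is LUKS but
# udisks has not identified it" (the jessie behaviour described above).

# Return 0 if the first 6 bytes are the LUKS magic: "LUKS" 0xBA 0xBE.
has_luks_magic() {
    magic=$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Read `udisksctl info -b <dev>` output on stdin and print the value of one
# field; prints nothing useful if the field is missing or blank.
udisks_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# classify <device-or-image> <file with saved udisksctl info output>
# Prints: not-luks | luks-identified | luks-unidentified
classify() {
    dev=$1
    info=$2
    if ! has_luks_magic "$dev"; then
        echo not-luks
        return
    fi
    idtype=$(udisks_field IdType < "$info")
    idusage=$(udisks_field IdUsage < "$info")
    if [ -z "$idtype" ] && [ -z "$idusage" ]; then
        echo luks-unidentified   # file manager will not offer to unlock it
    else
        echo luks-identified
    fi
}

# Constructed samples: an image that starts with the LUKS magic, plus udisks
# output with blank Id* fields and with populated ones.
demo() {
    tmp=$(mktemp -d)
    printf 'LUKS\272\276\000\001' > "$tmp/dev.img"
    printf '    IdType:\n    IdUsage:\n' > "$tmp/blank.txt"
    printf '    IdType:    crypto_LUKS\n    IdUsage:   crypto\n' > "$tmp/ok.txt"
    classify "$tmp/dev.img" "$tmp/blank.txt"
    classify "$tmp/dev.img" "$tmp/ok.txt"
    rm -rf "$tmp"
}
demo
```

On a real qube, pass the attached device (for example /dev/xvdi, read as root) and the saved output of `udisksctl info -b` for it; a result of luks-unidentified means the device has to be opened with cryptsetup by hand.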

unman Feb 27, 2017

Member

@andrewdavidwong Can you close this? It's a 'feature' in Jessie, works in Stretch, and a workaround is now fully documented.
