Using NBDE to unlock a LUKS encrypted volume

Back
Contents

Automatically unlock a LUKS encrypted on a non root partition

Preamble

This document explains how to configure LUKS encryption on a non boot disk using a key stored in /root. This assumes that your root partition is encrypted to ensure the key is completely secured at an at rest state. We will consider /dev/sdb1 to be the secondary partition in this article. It is also assumed that your partition is already created.

Install necessary tools

yum install -y cryptsetup-luks

Configure the LUKS partition

cryptsetup luksFormat --type luks2 /dev/sdb1

Initiate the LUKS partition

cryptsetup luksOpen /dev/sdb1 backups

Format the LUKS partition

dd if=/dev/zero of=/dev/mapper/backups && mkfs.ext4 /dev/mapper/backups

Create random key file

dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

Secure the key file

chmod 0400 /root/keyfile

Add the keyfile to LUKS

cryptsetup luksAddKey /dev/sdb1 /root/keyfile

Create a mapper for LUKS device

echo "backups /dev/sdb1 /root/keyfile luks" >> /etc/crypttab

Create an fstab entry

echo "/dev/mapper/backups /backups ext4 defaults 0 2" >> /etc/fstab

Enable clevis-luks-askpass.path

systemctl enable clevis-luks-askpass.path

Reboot and test

shutdown -r now

Last modified: 2025-12-18 16:57 UTC by unknown
Change history (1) — View full history