I've actually just started dabbling in the Raspberry Pi but am no stranger to hacking around these controllers. Having said that, my knowledge is lacking in a few areas.

A little about what I want to try to achieve: I am fooling around with one of the Pi cameras and the picamera module for Raspberry Pi. I'm trying to record stuff at the highest quality, right now I guess 1080p at 30fps. I want to write/record these videos to a USB stick plugged into the Raspberry Pi, which I would also like to be encrypted due to the fact that I will be removing and plugging that USB stick into my computer (I use both PC and Mac) to view/modify these movie files. Then I can remove those files from the USB stick as I need to and then replug into the Pi and record more, etc.

I don't need supreme protection. I'm more or less looking for an easy user experience at the expense of top-notch security, as I've read that means keeping some important logins/passwords in a file on the drive. I'm OK with that as long as the info is indeed encrypted from the casual peeker.

Some Questions:

  1. Assuming I don't want to have to allocate space beforehand to this encrypted directory/drive, does that really leave me only with ecryptfs or encfs? Can I use gpgdir?
  2. Would I be recording the video to a directory outside of the encrypted directory/USB, then once that file has completed recording, automate the encryption into the encrypted directory? Or is it possible to just write into the encrypted directory?
  3. Can this encrypted USB stick be auto-mounted? EDIT: I think I can glean how to do this using this method.

I saw a neat tutorial that seemed to do what I wanted using TrueCrypt and the Pi, though TrueCrypt is no longer supported.

Thanks for any help!

EDIT: Made it through cross-referencing this but getting a few errors on boot:

    ...
    starting early crypto disks
    usbdrive_crypt: keyfile not found
    usbdrive_crypt (invalid key)
    ...
    starting remaining crypto disks
    usbdrive_crypt: keyfile not found
    usbdrive_crypt (invalid key)
    ...
    checking file systems...
    ...
    open: no such file or directory
    ...
    fsck died with exit status 6
    ...
    mounting local filesystems..mount: special device /dev/mapper/usbdrive_crypt does not exist...

crypttab file:

    usbencrypted   UUID=xxxx   /boot/key_luks   luks

fstab file:

    /dev/mapper/usbencrypted   /mnt/usbdrive   vfat   defaults   0   2

Chaz

1 Answer

I would suggest using dm-crypt. This is a block-level encryption system, supported in the kernel. This way, all encryption is handled at the OS/kernel level, and is transparent to the user. At a high level:

  1. Wipe the disk with fdisk, and create a single partition spanning the entire disk (henceforth referred to as /dev/sdX1)
  2. Create a new crypt-luks volume

    cryptsetup luksFormat /dev/sdX1

  3. Map it

    cryptsetup open /dev/sdX1 usbdrive

  4. Create a filesystem on the device

    mkfs.ext4 /dev/mapper/usbdrive

  5. Mount it

    mount /dev/mapper/usbdrive /mnt

To automate this, there are two approaches. One is to use /etc/crypttab and let systemd take care of it. A second approach would be a custom udev that assigns a consistent name and mounts the volume when the key is inserted.

Outurnate
  • I cross-referenced your setup with the one here link. On reboot I get the errors regarding "keyfile not found" and "fsck.ext4: no such file or directory while trying to open /dev/mapper/usbdrive_crypt" ... even though I am sure I have set them up accordingly. Any ideas? – Chaz Jun 23 '15 at 20:49
  • Do you have the full error? The ext4 error is a side effect of the volume not decrypting. Since the volume is still encrypted, ext4 can't find a valid filesys – Outurnate Jun 23 '15 at 23:59
  • Yeah... seems so. I'm assuming it's from not finding the keyfile... though I know the paths to the keyfile are correct and I've triple-checked the crypttab file and it checks out. I've edited my original post to include all of the errors it caught on boot. – Chaz Jun 24 '15 at 12:58
  • Oh... forgot to say that I was using a FAT32 drive so changed ext4 to vfat. – Chaz Jun 24 '15 at 13:09
  • I guess the keyfile is outside the encrypted filesystem, right? If it is, try mounting manually to check if the problem is the keyfile.... – YoMismo Jun 24 '15 at 13:18
  • Yeah, I can definitely mount manually. It is outside of the encrypted system. Manually I get everything working no problem... it's just when I try to automate I run into issues. – Chaz Jun 24 '15 at 13:37
  • Can you post your fstab and crypttab (minus keys)? – Outurnate Jun 24 '15 at 19:04
  • Edited initial post! The keyfile is created using urandom. – Chaz Jun 24 '15 at 23:00
  • Moved my keyfile out of boot and into another directory (home) and then it worked. – Chaz Jun 26 '15 at 18:49
  • Awesome! Probably mount order was the issue – Outurnate Jun 26 '15 at 20:03
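
A lint for the failure this thread ends on (a keyfile under /boot that is not found when the crypto disks start), written as an added example and not part of the original posts. The function names, finding labels and the sample /boot and / fstab lines are assumptions; it also goes one step beyond the thread by flagging any /dev/mapper name in fstab that has no crypttab entry.

```shell
#!/usr/bin/env bash
# Added example: lint a crypttab/fstab pair for the boot failure in this thread.
# Function names and finding labels are hypothetical, not from any tool.

# Print the fstab mount point (other than /) whose tree contains path $2.
mount_holding() {  # usage: mount_holding FSTAB PATH
  awk -v p="$2" '
    NF == 0 || $1 ~ /^#/ { next }
    $2 != "/" && index(p, $2 "/") == 1 && length($2) > length(best) { best = $2 }
    END { if (best != "") print best }' "$1"
}

# Print one finding per line; return 1 if there was any finding, else 0.
check_crypt_boot() {  # usage: check_crypt_boot CRYPTTAB FSTAB
  local crypttab="$1" fstab="$2" found=0
  local name dev key opts mp mapped
  while read -r name dev key opts; do
    case $name in ''|'#'*) continue ;; esac
    case $key in ''|none|-) continue ;; esac   # passphrase prompt, no keyfile
    # A keyfile on a filesystem that fstab mounts separately may not be
    # there yet when the crypto disks are started, as in the boot log above.
    mp=$(mount_holding "$fstab" "$key")
    if [ -n "$mp" ]; then
      echo "KEYFILE_ON_MOUNT $name $key $mp"; found=1
    fi
  done < "$crypttab"
  # Every /dev/mapper/NAME in fstab needs a crypttab entry called NAME.
  for mapped in $(awk '$1 ~ "^/dev/mapper/" { sub("^/dev/mapper/", "", $1); print $1 }' "$fstab"); do
    if ! awk -v n="$mapped" '$1 == n { ok = 1 } END { exit !ok }' "$crypttab"; then
      echo "NO_CRYPTTAB_ENTRY $mapped"; found=1
    fi
  done
  return "$found"
}

# Constructed sample: the crypttab and fstab lines posted in the question,
# plus assumed /boot and / entries (device names are placeholders).
demo=$(mktemp -d)
printf '%s\n' 'usbencrypted   UUID=xxxx   /boot/key_luks   luks' > "$demo/crypttab"
printf '%s\n' \
  '/dev/mmcblk0p1   /boot   vfat   defaults   0   2' \
  '/dev/mmcblk0p2   /       ext4   defaults   0   1' \
  '/dev/mapper/usbencrypted   /mnt/usbdrive   vfat   defaults   0   2' > "$demo/fstab"
check_crypt_boot "$demo/crypttab" "$demo/fstab" || true
rm -rf "$demo"
```

Run against copies of `/etc/crypttab` and `/etc/fstab`, a `KEYFILE_ON_MOUNT` line points at the keyfile location to change before the next reboot.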