Auto-mounting encrypted drives with a remote key on Linux

Using dm-crypt and auto-mounting a drive without storing the key on the local disk

Alessandro Segala
8 min read · Jan 19, 2020

I’ve been building a simple NAS for my home, and I wanted to store the data on a secondary disk, encrypted with dm-crypt/LUKS. There are plenty of articles on how to do that, but when it comes to automatically mounting the disk at boot, all of them recommend writing the encryption key to a keyfile and storing it on the local filesystem.

This approach wasn’t acceptable to me: while the data would be encrypted at rest, the key to open the encrypted partition would also be sitting in the same place. If someone were to steal the physical server (imagine this were a small Raspberry Pi!), they would have access to the data without any issue.

How could I have the LUKS encryption key stored in a secure, remote place, while at the same time being able to have the encrypted disk automatically mounted without manual intervention (e.g. in case of a reboot after a power outage)? In other words, how to have your cake and eat it too.

Turns out, there’s a relatively simple solution, which requires just two systemd units.

Note: this approach cannot be used with encrypted root volumes, only with secondary disks.
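As an added illustration of the two-unit idea (not the article's own units), the pair below consists of a oneshot service that fetches the key over the network and pipes it straight into cryptsetup, and a mount unit that depends on it. The key server URL, the CA and client-certificate paths under /etc/luks-remote, the block device /dev/sdb1, the mapper name "data" and the mount point /mnt/data are all assumed placeholders. Because the key is passed on stdin (`--key-file=-`), it is never written to local storage.

```ini
# /etc/systemd/system/remote-luks-open.service   (assumed name and path)
[Unit]
Description=Open the LUKS data volume with a key fetched from a remote key server
# The key lives on a remote server, so wait for the network to be up first.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Placeholders (constructed for this example): the HTTPS key server, the CA
# bundle used to verify it, and the client certificate used to authenticate
# this machine. curl writes the key to stdout and cryptsetup reads it from
# stdin, so the key exists only in memory, never on the local disk.
ExecStart=/bin/sh -c 'curl -fsS --max-time 20 --cacert /etc/luks-remote/ca.pem --cert /etc/luks-remote/client.pem --key /etc/luks-remote/client-key.pem https://KEYSERVER.example/keys/data | cryptsetup open --key-file=- /dev/sdb1 data'
# Close the mapping again when the service is stopped (binary path assumed).
ExecStop=/sbin/cryptsetup close data

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/mnt-data.mount   (the unit name must match the mount point /mnt/data)
[Unit]
Description=Mount the decrypted data volume
# Only attempt the mount once the LUKS mapping has been opened.
Requires=remote-luks-open.service
After=remote-luks-open.service

[Mount]
What=/dev/mapper/data
Where=/mnt/data
Type=ext4
Options=defaults,noatime

[Install]
WantedBy=multi-user.target
```

After placing the two files, `systemctl daemon-reload` followed by `systemctl enable --now remote-luks-open.service mnt-data.mount` opens and mounts the volume and enables both at boot. Note what stays on the local disk in this design: the client certificate that authenticates the machine to the key server, not the LUKS key itself. That is the practical difference from a local keyfile: if the hardware is stolen, revoking that client credential (or taking the key server offline) leaves the thief with an unopenable volume, whereas a keyfile on the same disk gives up the data immediately.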
