LUKS : some scripts...
Posted on August 12, 2022 • 4 minutes • 833 words • Other languages: Français
In my last article about LUKS, which you can find right here, I presented the encryption standard and its implementation on Debian in a logical volume (LVM). At the end of that article, I promised you two things:
- A management bash script for reassembling your encrypted partitions after a reboot.
- An alert bash script for the case where an encrypted partition is not mounted on a server.
If you want to ensure the maximum security of the data contained in a LUKS container, the passphrase must be entered manually, and automating this step should be avoided as far as possible.
This ensures that, in case of theft of the equipment or physical access by a service provider (e.g. in a data centre where you do not have physical access to the machine), the LUKS container cannot be unlocked automatically without your intervention.
In a self-hosting, medium-sized or critical infrastructure context, it can be worthwhile to simplify the remounting of LUKS containers and to be alerted when a container is not mounted. That is the goal of my two scripts.
The management script
So I propose a small and very simple management script that saves you from having to remember the LUKS commands and saves time at each maintenance of your server.
This script is very basic and will allow you to:
- mount your LUKS container (with a prompt for the passphrase)
- unmount your LUKS container
No more, no less!
Here is a small preview with this GIF:
And finally, here is the script that you can get and adapt to your use:
#!/bin/bash
#By Raven - 12/08/2022
###### Parameters
mountPoint=/datas-enc
lvName=/dev/VG1/datasLuksLV
luksName=datasLuks
service=apache2
######
#Check whether the partition is already mounted or not.
#Case 1 : partition is already mounted, ask for unmount or cancel.
if grep -qs /dev/mapper/$luksName /proc/mounts; then
    if (whiptail --title "Unmounting the encrypted partition" --yesno "Would you like to unmount the partition and close the encrypted container ?" 8 78); then
        #luksClose would fail on a still-mounted volume, so stop here if umount fails (volume busy).
        umount $mountPoint || { echo "umount of $mountPoint failed (volume still in use ?)"; exit 1; }
        {
            for ((i = 0 ; i <= 100 ; i+=5)); do
                sleep 0.1
                echo $i
            done
        } | whiptail --gauge "In progress, please wait..." 6 50 0
        cryptsetup luksClose $luksName
        {
            for ((i = 0 ; i <= 100 ; i+=5)); do
                sleep 0.1
                echo $i
            done
        } | whiptail --gauge "Closing the encrypted LUKS volume..." 6 50 0
        echo "Partition is unmounted"
    else
        echo "Program completed"
    fi
#Case 2 : partition is not mounted, ask for the passphrase, mount, restart the service and display its status.
else
    PASSWORD=$(whiptail --title "Decrypt partition" --passwordbox "Encryption passphrase" 10 60 3>&1 1>&2 2>&3)
    exitstatus=$?
    if [ $exitstatus = 0 ]; then
        #cryptsetup reads the passphrase from stdin (the trailing newline is stripped).
        echo "$PASSWORD" | cryptsetup luksOpen $lvName $luksName
        openstatus=$?
        #Drop the passphrase from the environment as soon as it has been used.
        unset PASSWORD
        #Only mount and restart the service if the container actually opened.
        if [ $openstatus = 0 ]; then
            mount /dev/mapper/$luksName $mountPoint
            /etc/init.d/$service restart
            /etc/init.d/$service status
        else
            echo "Failed to open the LUKS container (wrong passphrase ?)"
        fi
    else
        echo "You have canceled"
    fi
fi
The alert script
It can happen that a server restarts unexpectedly, that a network storage is inaccessible, that we forget to remount a volume after maintenance... In short, to be alerted when your LUKS container is not mounted, I have created the following script; the explanations and installation information are in its comments:
#!/bin/bash
#By Raven - 12/08/2022
#Objective of this script: send an alert email as soon as possible + 1 email every "x" hours if the encrypted volume is not mounted.
#Installation :
#1- Put this script in /usr/local/bin/checkMontageLuks.sh for example.
#2- Modify the luksMapper, mail and serverName variables for your needs.
#3- Create the file /usr/local/bin/semaphore.tmp (the script creates it with "1" if it is missing).
#4- Create a cron job with the following two lines (system crontab format, with the user field), to be adapted to your needs :
# */5 * * * * root /usr/local/bin/checkMontageLuks.sh
# 0 6,20 * * * root echo "1" > /usr/local/bin/semaphore.tmp
#   (minute "0" gives one re-arm per listed hour; "* 6,20" would re-arm every minute of those hours and send many more mails)
#HOW IT WORKS :
#If our variable sema = 1, the mount is assumed to be OK and an alert may be sent; sema = 0 means an alert has already been sent.
#
# My algorithm :
#if the mount is active AND sema = 1
# then do nothing
#else if the mount is active AND sema = 0
# then we change sema to 1
#else if the mount is inactive AND sema = 1
# then we set sema to 0 + send an email.
#else if the mount is inactive AND sema = 0
# then do nothing
#
# We set the sema to 1 with a cron task every "x" hours to limit the mail flow to 2 mails per day in case of unmount.
# You can vary this cron task to choose the number of alert emails per day.
##### PARAMETERS TO ADAPT
luksMapper=/dev/mapper/datasLuks
sema=/usr/local/bin/semaphore.tmp
mail=
serverName=
#####
#Without the semaphore file, both tests below fail and no alert is ever sent: start it armed.
[ -f "$sema" ] || echo "1" > "$sema"
if grep -qs "$luksMapper" /proc/mounts && grep -qs 0 "$sema" ; then
    echo "1" > "$sema"
elif ! grep -qs "$luksMapper" /proc/mounts && grep -qs 1 "$sema" ; then
    echo "0" > "$sema"
    echo "Manual action required. Volume $luksMapper not mounted !" | mail -s "$serverName : Encrypted volume not mounted !" "$mail"
fi
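To see how the semaphore bounds the number of alerts, here is the same state machine written as a function whose mounts table and semaphore file are passed as parameters, so it can be run offline against constructed files. This is an added example, not code from the original post or its GitHub repository; the function names (luks_check, simulate_day, simulate_remount) and the constructed mounts line are this example's own.

```bash
#!/bin/bash
# Added example, not part of the original post: the alert script's semaphore logic
# as a function whose inputs are files, so it can be exercised offline.
# Names (luks_check, simulate_day, simulate_remount) are this example's own.

# luks_check MOUNTS_FILE SEMA_FILE MAPPER
# Same state machine as the post's script, with /proc/mounts and the semaphore
# path passed in. Returns 0 when an alert must be sent on this run, 1 otherwise.
luks_check() {
    local mounts="$1" sema="$2" mapper="$3"
    # A missing semaphore file would silence every alert; start it armed (1).
    [ -f "$sema" ] || echo 1 > "$sema"
    if grep -qs "$mapper" "$mounts"; then
        # Mount active: re-arm if a previous run had disarmed the alert.
        grep -qs 0 "$sema" && echo 1 > "$sema"
        return 1
    elif grep -qs 1 "$sema"; then
        # Mount inactive and alert armed: disarm so later runs stay quiet, alert now.
        echo 0 > "$sema"
        return 0
    fi
    # Mount inactive, already alerted: stay quiet until the cron re-arm.
    return 1
}

# simulate_day: one day of checks every 5 minutes with the volume never mounted,
# re-armed at 06:00 and 20:00 like the post's cron line. Prints the alert count.
simulate_day() {
    local dir alerts=0 minute
    dir=$(mktemp -d)
    : > "$dir/mounts"            # constructed: empty mounts table, nothing mounted
    echo 1 > "$dir/sema"
    for ((minute = 0; minute < 1440; minute += 5)); do
        if [ "$minute" -eq 360 ] || [ "$minute" -eq 1200 ]; then
            echo 1 > "$dir/sema"  # the "0 6,20 * * *" cron re-arm
        fi
        if luks_check "$dir/mounts" "$dir/sema" /dev/mapper/datasLuks; then
            alerts=$((alerts + 1))
        fi
    done
    rm -rf "$dir"
    echo "$alerts"
}

# simulate_remount: volume missing (alert), still missing (quiet), mounted again
# (re-arm), missing again (alert without waiting for cron). Prints the alert count.
simulate_remount() {
    local dir alerts=0
    dir=$(mktemp -d)
    : > "$dir/mounts"
    echo 1 > "$dir/sema"
    if luks_check "$dir/mounts" "$dir/sema" /dev/mapper/datasLuks; then alerts=$((alerts + 1)); fi
    if luks_check "$dir/mounts" "$dir/sema" /dev/mapper/datasLuks; then alerts=$((alerts + 1)); fi
    # constructed /proc/mounts line for the remounted volume
    echo "/dev/mapper/datasLuks /datas-enc ext4 rw,relatime 0 0" > "$dir/mounts"
    if luks_check "$dir/mounts" "$dir/sema" /dev/mapper/datasLuks; then alerts=$((alerts + 1)); fi
    : > "$dir/mounts"
    if luks_check "$dir/mounts" "$dir/sema" /dev/mapper/datasLuks; then alerts=$((alerts + 1)); fi
    rm -rf "$dir"
    echo "$alerts"
}

echo "alerts in a day with the volume never mounted: $(simulate_day)"
echo "alerts across unmount / remount / unmount: $(simulate_remount)"
```

With the volume missing all day, the simulation gives three alerts on the first day (one immediately, then one at each re-arm) and two per day afterwards, which is the "2 mails per day" the comments describe. The remount scenario shows the other property of the design: a volume that comes back re-arms the semaphore, so a second loss of the mount is reported right away rather than at the next cron re-arm.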
This article closes my LUKS presentation; you can find these scripts on my GitHub right here.