One hour hacks: Remote LUKS over SSH

I have a GNU/Linux server which I mount a few LUKS encrypted drives on. I only ever interact with the server over SSH, and I never want to keep the LUKS credentials on the remote server. I don’t have anything especially sensitive on the drives, but I think it’s a good security practice to encrypt it all, if only to add noise into the system and for solidarity with those who harbour much more sensitive data.

This means that every time the server reboots or whenever I want to mount the drives, I have to log in and go through the series of luksOpen and mount commands before I can access the data. This turned out to be a bit laborious, so I wrote a quick script to automate it! I also made sure that it was idempotent.

I decided to share it because I couldn’t find anything similar, and I was annoyed that I had to write this in the first place. Hopefully it saves you some anguish. It also contains a clever little bash hack that I am proud to have in my script.

Here’s the script. You’ll need to fill in the map of mount folder names to drive UUID’s, and you’ll want to set your server hostname and FQDN to match your environment of course. It will prompt you for your root password to mount, and the LUKS password when needed.

Example of mounting:

Running on: myserver...
[sudo] password for james: 
Mount/Unmount [m/u] ? m
music: mkdir ✓
LUKS Password: 
music: luksOpen ✓
music: mount ✓
files: mkdir ✓
files: luksOpen ✓
files: mount ✓
photos: mkdir ✓
photos: luksOpen ✓
photos: mount ✓
Connection to closed.

Example of unmounting:

Running on: myserver...
[sudo] password for james: 
Sorry, try again.
[sudo] password for james: 
Mount/Unmount [m/u] ? u
music: umount ✓
music: luksClose ✓
music: rmdir ✓
files: umount ✓
files: luksClose ✓
files: rmdir ✓
photos: umount ✓
photos: luksClose ✓
photos: rmdir ✓
Connection to closed.

It’s worth mentioning that there are many improvements that could be made to this script. If you’ve got patches, send them my way. After all, this is only a: one hour hack.

Happy hacking,


PS: One day this sort of thing might be possible in mgmt. Let me know if you want to help work on it!

7 thoughts on “One hour hacks: Remote LUKS over SSH

    • Looks cool, except this (tang) works in the reverse direction (server contacts keystore) where as in my case I don’t want my “secure” laptop to over allow incoming traffic.

      • Tang was designed for the bootup sequence – hard to push in the boot sequence. The incoming traffic is the response traffic.

        You are ssh-ing into the server – so that’s a incoming connection as well.

        Confused ;)

      • Tang looks like a lovely thing, it just doesn’t do (at the moment) what I was looking for.
        I’m not solving anything to do with the boot up problem; this script is useful once a machine is already up for mounting drives to an already running OS.

  1. Pingback: Links 26/4/2016: Firefox 46.0, Thunderbird’s Stewardship | Techrights

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s