Sure, @secblocks. You need at least three things to decrypt a block device:
- The encrypted block device
- A passphrase or key for the encrypted block device
- The decrypted block device
You give cryptsetup this information through arguments on the command line. But you have to run cryptsetup manually at exactly the right time for everything to work.
The /etc/crypttab file uses the same information and does the same thing as the cryptsetup command. But Linux reads /etc/crypttab and decrypts devices at the right time, automatically.
For example, this /etc/crypttab content would tell Linux to mount your encrypted block device during startup:
# /etc/crypttab
# decrypted-device encrypted-device key-file
backups /dev/xvdi /etc/cryptsetup-keys.d/backups.key
When Linux starts, it will read /etc/crypttab, decrypt /dev/xvdi with the passphrase in /etc/cryptsetup-keys.d/backups.key, and create a block device to the decrypted data at /dev/mapper/backups.
For this to work, you need to copy the passphrase for your encrypted USB drive into /etc/cryptsetup-keys.d/backups.key.
Now, both /etc/crypttab and /etc/cryptsetup-keys.d/backups.key must be persistent in the Qubes VM. This is a little tricky to get right the first time.
To persist these files in backup-vm, you need to use the bind-dirs method I described earlier. But you can take a shortcut just to test your /etc/crypttab configuration. Try creating a standalone VM. Open the Create Qubes VM tool, select “Standalone qube copied from a template” from the type menu, then select the template that backup-vm is based on. Call this temporary, test-only VM backup-standalone. Standalone VMs are entirely persistent. Anything you change or create in the /etc directory will persist across VM restarts.
This configuration probably won’t let you automatically decrypt the device on the first try. Don’t worry, this is just another step in the process. The most important thing now is persisting /etc/crypttab and /etc/cryptsetup-keys.d/backups.key in a VM across restarts. You can do that with bind-dirs on backup-vm, or you can create a standalone backup VM. Persistence must work before you can test automatic decryption.
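The procedure in the reply above, written out as a shell script. This is an added example, not code from the original post or from Qubes; it assumes the names used in the reply (mapping name backups, device /dev/xvdi, VM backup-vm) and the Qubes bind-dirs default file /rw/config/qubes-bind-dirs.d/50_user.conf. Every function takes a root prefix, so the whole thing can be dry-run in a temporary directory and checked before it touches the real /etc. Two details matter in practice: the keyfile must hold the passphrase with no trailing newline, because cryptsetup uses the entire file content as the passphrase, and the keyfile must be mode 0600.

```shell
#!/bin/sh
# Added example (not from the original post). Prepares the keyfile, the
# /etc/crypttab entry and the Qubes bind-dirs config under a ROOT prefix
# ("" for the real VM, a temp dir for a dry run), then sanity-checks them.
# Assumed names: mapping "backups", device /dev/xvdi, file 50_user.conf.

# Write the passphrase to the keyfile with NO trailing newline. cryptsetup
# uses the whole file as the passphrase, so "echo pass > file" (which adds
# '\n') produces a key that never matches the slot you unlock by hand.
write_keyfile() {
    root="$1"; name="$2"; pass="$3"
    dir="$root/etc/cryptsetup-keys.d"
    mkdir -p "$dir" && chmod 700 "$dir"
    ( umask 077; printf '%s' "$pass" > "$dir/$name.key" )
    chmod 600 "$dir/$name.key"
}

# Append one crypttab entry: <name> <encrypted device> <keyfile> <options>.
# The keyfile path is the absolute path seen at boot, not prefixed by ROOT.
# "nofail" keeps boot from hanging when the USB drive is not plugged in.
add_crypttab_entry() {
    root="$1"; name="$2"; dev="$3"; opts="${4:-luks,nofail}"
    mkdir -p "$root/etc"
    printf '%s %s /etc/cryptsetup-keys.d/%s.key %s\n' "$name" "$dev" "$name" "$opts" \
        >> "$root/etc/crypttab"
}

# Make both files persistent in a template-based VM via Qubes bind-dirs.
add_bind_dirs() {
    root="$1"
    dir="$root/rw/config/qubes-bind-dirs.d"
    mkdir -p "$dir"
    printf "binds+=( '/etc/crypttab' )\nbinds+=( '/etc/cryptsetup-keys.d' )\n" \
        >> "$dir/50_user.conf"
}

# Check every non-comment crypttab line: the keyfile exists under ROOT,
# is mode 0600 and does not end in a newline. Returns non-zero on any problem.
check_crypttab() {
    root="$1"; rc=0
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        f="$root$key"
        if [ ! -f "$f" ]; then echo "$name: keyfile $key missing" >&2; rc=1; continue; fi
        mode=$(ls -l "$f" | cut -c1-10)
        [ "$mode" = "-rw-------" ] || { echo "$name: $key is $mode, want -rw-------" >&2; rc=1; }
        last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
        [ "$last" != "0a" ] || { echo "$name: $key ends with a newline" >&2; rc=1; }
    done < "$root/etc/crypttab"
    return $rc
}

# Dry run in a temporary directory with a constructed passphrase.
# Returns 0 when the generated files pass check_crypttab.
dry_run() {
    tmp=$(mktemp -d)
    write_keyfile "$tmp" backups 'correct horse battery staple'   # constructed, not a real secret
    add_crypttab_entry "$tmp" backups /dev/xvdi
    add_bind_dirs "$tmp"
    if check_crypttab "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# The real thing, to be run as root inside the VM once dry_run passes.
# --test-passphrase proves the keyfile unlocks /dev/xvdi without mapping it,
# so a bad keyfile is caught here rather than at the next reboot.
install_on_vm() {
    pass="$1"
    write_keyfile "" backups "$pass"
    cryptsetup open --test-passphrase --key-file /etc/cryptsetup-keys.d/backups.key /dev/xvdi
    add_crypttab_entry "" backups /dev/xvdi
    add_bind_dirs ""
    check_crypttab ""
}
```

On a standalone VM the add_bind_dirs step is unnecessary, since /etc is already persistent there; on the template-based backup-vm it is what makes the two files survive a restart. Run dry_run first; only call install_on_vm with the USB drive attached and the real passphrase.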