Script request: Auto attach, and mount encrypted data drive

I’m looking for a script that will streamline my startup. Attaching, mounting, and decrypting my data disks is a good deal of friction for each startup.

I’m looking for a scripting solution that will:

Find the data drives with a specific label or id.
Attach the data drives to specific qubes.
Mount the LUKS encrypted data drives in those qubes.
Decrypt the LUKS encrypted data drives.

…And do it all from the backend, without user input.

Any script wizards want to take it on? I’m sure others are looking for a similar solution, and will be eternally grateful to you for the time/energy your script saves them.

What are you using to encrypt/decrypt your data drives?
Are your data drives USB or built in/SATA?

Food for thought: What is the point of encrypting drives if they auto decrypt when plugged in?

Here’s what I do to auto mount an internal sd card. I assume it would work the same for usb devices but I haven’t tried. Also I don’t know how to attach a drive to more than one app vm at a time. If I really need to I can manually switch the drive to another appvm.

In dom0:

qvm-block attach --persistent vault dom0:mmcblk0p1

Use qvm-usb if using a USB drive. Also substitute the AppVM of your choice and the drive you're using. I chose my Vault VM because I use it to decrypt the drive and I think using a VM with no internet improves security.

I set up vault to auto mount the drive with a key file by putting this command in /rw/config/rc.local in my vault VM:

cryptsetup -d /home/user/Documents/luks-keys/mybackup_key luksOpen /dev/xvdi xvdi_crypt

In Qubes 4.1, when a drive is decrypted but not mounted, the drive becomes available to be mounted on a different AppVM than it was decrypted with.

My Qubes shows a drive vault:dm-0

From there I attach the new drive to personal

qvm-block attach --persistent personal vault:dm-0

Last, I mount the drive by putting this command in /rw/config/rc.local on personal:

mount /dev/xvdi /home/user/SDCard

The vault vm has to be started before personal for personal to be able to start. I just have my vault vm start at boot.

Hi Cody… I’m using external SSDs thru the USB port.

What is the point? Well, that auto decrypt script is on the primary HD, buried under several layers of encryption already. You can’t get to it without some creds beforehand. The external drive is encrypted for obvious reasons.

These are external USB drives. And the problem I’m having is auto attaching the drive to the Qube. All the methods I found on the forum didn’t work. The problem is getting the sys-usb:#:# attached to the drive name.

When turning on/off Wifi the sys-usb state changes. If there was some way to parse out the drive ID from the name, then the script could retrieve the current sys-usb:#:# and attach using terminal command. So far, no %$$^ luck getting this to work.

Next the LUKS mount and decrypt thru terminal… so far, I just can’t get it to work…my syntax is off… and I give up trying.

I’ve resorted to loading Nautilus and attaching thru the UI (egaddsss).

Rather than fight with it, I’ll pay a script wizard some ZEC if they can give me the functionality I want.

Which is… when the data drives are plugged in and seen plugged in to sys-usb, auto attach to work qube (or qube defined in a param setting). Mount. Decrypt. That should be that hard right?

Not sure how to mount LUKS from command line. Google search yields a lot of results for debian/ubuntu but I haven’t tried them myself. If you can make it work in terminal for your VM OS, you could throw it in a start-up script and it would be handled.

The hardest piece of your script is “when the drive is attached”. If it was attached at boot, I would agree that it wouldn’t be that difficult if you have the right commands. I also don’t think there’s any functionality to auto attach usb devices through Qubes due to the security risk of it. Good luck!

Okay…doesn’t have to be when the drive is attached… that would require a background process I believe… and that’s overkill.

When the script is run, it scans the sys-usb devices, and looks for matching drives specified in the script params. If it finds them, then it parses the current drive ID, and attaches. (The drive ID state changes… and I couldn’t figure out how to parse the ID from the name.)

In terms of attaching and decrypting LUKS thru terminal… I don’t know what I’m doing wrong… but carefully following the commands I’ve found online, I don’t get any errors, but can’t navigate to the decrypted space thru Nautilus or any other file browser.

I resort currently to loading Nautilus, then manually attaching the drive, then manually clicking on the drive, and entering the password.

…This will not work for my heavy data drive dependent workflow… I need a streamlined, automated solution… A solution so that I can use the script with other scripts that have to use the data drives.
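The lookup requested above (resolve the current sys-usb device ID from the drive's label at run time, then attach, open and mount), as an added example that is not part of the original thread. It assumes `qvm-block list` in dom0 prints `BACKEND:DEVID  DESCRIPTION  USED BY` rows with the filesystem label in parentheses inside the description; the function names and the sample listing are constructed for illustration. Because a label can be set by whoever formatted a drive, the lookup fails closed when more than one device matches.

```shell
# Added example. Assumed listing layout: "BACKEND:DEVID  DESCRIPTION  USED BY",
# with the filesystem label shown as "(LABEL)" inside DESCRIPTION.

# Constructed sample listing, for offline testing of the parser.
SAMPLE_LISTING='BACKEND:DEVID  DESCRIPTION                 USED BY
sys-usb:sda    Samsung_T5 ()
sys-usb:sda1   Samsung_T5 (WORKDATA)
sys-usb:sdb1   Generic_Flash (PHOTOS)       personal (read-only=no, frontend-dev=xvdi)'

# find_block_dev LABEL [BACKEND]
# Reads a listing on stdin and prints the one BACKEND:DEVID whose description
# contains "(LABEL)". Exit status: 0 = unique match, 1 = none, 2 = ambiguous.
find_block_dev() {
    local label="$1" backend="${2:-sys-usb}"
    awk -v want="($label)" -v be="$backend:" '
        index($1, be) != 1 { next }     # header row or another backend qube
        index($0, want)    { n++; dev = $1 }
        END {
            if (n == 1) print dev
            else exit (n > 1 ? 2 : 1)   # never guess between two candidates
        }'
}

# attach_by_label LABEL QUBE   (run in dom0)
# Resolves whatever device ID the drive has right now, then attaches it.
attach_by_label() {
    local dev
    dev=$(qvm-block list | find_block_dev "$1") || return
    qvm-block attach "$2" "$dev"
}

# open_and_mount DEVICE KEYFILE NAME MOUNTPOINT   (run as root inside the qube,
# e.g. from /rw/config/rc.local). The opened volume appears as /dev/mapper/NAME,
# and that mapper node is what gets mounted, not DEVICE itself.
open_and_mount() {
    cryptsetup open --type luks --key-file "$2" "$1" "$3" &&
        mount "/dev/mapper/$3" "$4"
}
```

In dom0 this would be called as `attach_by_label WORKDATA work`, and inside the qube as `open_and_mount /dev/xvdi /path/to/keyfile data /mnt/data`, where the label, qube name, key file path and mount point are placeholders.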

Thanks… looking at it now.