LUKS Scripts

Overview

LUKS (Linux Unified Key Setup) provides block-device encryption for the cold-storage USB drives. The data is protected only while the container is closed; once it is opened and mounted, the plaintext is readable by any process with access to the mount point, so keep the drive mounted only for the duration of a backup.

Hardware

Drive Purpose

Seagate 1.8TB USB #1

Primary cold backup

Seagate 1.8TB USB #2

Secondary cold backup (offsite rotation)

luks-mount

Opens the LUKS container (cryptsetup prompts for the passphrase on the terminal) and mounts the filesystem inside it.

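#!/bin/bash
# luks-mount - Open a LUKS container and mount the filesystem inside it.
#
# Usage: luks-mount [DEVICE] [NAME] [MOUNT]
#   DEVICE  block device holding the LUKS header (default /dev/sdb1)
#   NAME    device-mapper name for the opened container (default backup-drive)
#   MOUNT   directory the decrypted filesystem is mounted on (default /mnt/backup)
#
# cryptsetup reads the passphrase from the terminal; nothing is passed via
# argv or the environment, so it does not show up in `ps` or shell history.
# The script stops at the first failing step: the original fell through to
# `mount` and printed "Mounted ..." even when luksOpen had failed.

set -euo pipefail

DEVICE="${1:-/dev/sdb1}"
NAME="${2:-backup-drive}"
MOUNT="${3:-/mnt/backup}"

# Fail early on a mistyped device instead of half-way through cryptsetup.
if [[ ! -b "$DEVICE" ]]; then
    echo "Error: $DEVICE is not a block device" >&2
    exit 1
fi

if [[ ! -d "$MOUNT" ]]; then
    echo "Error: mount point $MOUNT does not exist" >&2
    exit 1
fi

# Refuse to stack a second filesystem on an already-used mount point.
if mountpoint -q "$MOUNT"; then
    echo "Error: $MOUNT is already a mount point" >&2
    exit 1
fi

# Open LUKS container (passphrase prompt). Under set -e a wrong passphrase
# aborts here rather than producing a confusing mount error afterwards.
sudo cryptsetup luksOpen "$DEVICE" "$NAME"

# Mount filesystem. If this fails, close the mapping again so the volume key
# is not left in the kernel with nothing mounted on top of it.
if ! sudo mount /dev/mapper/"$NAME" "$MOUNT"; then
    sudo cryptsetup luksClose "$NAME"
    echo "Error: mounting /dev/mapper/$NAME on $MOUNT failed; container closed" >&2
    exit 1
fi

echo "Mounted $NAME at $MOUNT"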

Usage

luks-mount                    # Use defaults
luks-mount /dev/sdc1          # Specify device
luks-mount /dev/sdc1 backup2  # Specify name

luks-umount

Flushes pending writes, unmounts the filesystem and closes the LUKS container so the volume key is removed from the kernel before the drive is unplugged.

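#!/bin/bash
# luks-umount - Unmount the filesystem and close the LUKS container.
#
# Usage: luks-umount [NAME] [MOUNT]
#   NAME   device-mapper name used when the container was opened (default backup-drive)
#   MOUNT  mount point of the decrypted filesystem (default /mnt/backup)
#
# The filesystem must be unmounted before the mapping can be removed. The
# script stops at the first failing step (a busy mount point, for example)
# so an open container is reported loudly instead of being left behind with
# a misleading "Closed" message.

set -euo pipefail

NAME="${1:-backup-drive}"
MOUNT="${2:-/mnt/backup}"

# Flush dirty pages before pulling the filesystem out from under them.
sync

if mountpoint -q "$MOUNT"; then
    # Fails (and aborts) if something still holds files open on the mount;
    # `fuser -vm "$MOUNT"` shows the offending processes.
    sudo umount "$MOUNT"
else
    echo "Warning: $MOUNT is not mounted; closing $NAME only" >&2
fi

# Close LUKS container. This drops the volume key from the kernel; the drive
# is safe to unplug once this succeeds.
sudo cryptsetup luksClose "$NAME"

echo "Closed $NAME"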

luks-backup

Copies the local secret material (Age keys, SSH keys, an armored GPG secret-key export and each vault's gocryptfs.conf) onto the mounted cold-storage drive under `/mnt/backup/secrets/`. Run `luks-mount` first; the script refuses to run if the drive is not mounted.

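#!/bin/bash
# luks-backup - Copy local secret material onto the mounted cold-storage drive.
#
# Writes Age keys, SSH keys, an armored export of the GPG secret keys and the
# gocryptfs.conf of each vault into "$BACKUP_MOUNT/secrets/". Requires the
# drive to be opened and mounted with luks-mount beforehand.
#
# Changes from the original:
#   - set -e: a failed rsync/gpg/cp aborts the run instead of being followed
#     by "Backup complete" and a fresh last-backup.txt timestamp.
#   - umask 077: files created here are owner-only, so nothing on the drive
#     is world-readable on whatever machine it is later plugged into.
#   - the GPG export is written to a temp file and renamed into place; a
#     plain `>` redirect truncates the previous export before gpg runs, so a
#     cancelled passphrase prompt would wipe the last good copy.
#   - the secrets/ subdirectories are created up front; rsync and shell
#     redirects only create the final path component.

set -euo pipefail
umask 077

BACKUP_MOUNT="/mnt/backup"
SECRETS="$BACKUP_MOUNT/secrets"

# Verify mount: writing to an unmounted /mnt/backup would silently drop
# plaintext keys onto the root filesystem.
if ! mountpoint -q "$BACKUP_MOUNT"; then
    echo "Error: $BACKUP_MOUNT not mounted" >&2
    exit 1
fi

# rsync runs unprivileged below, so the mounted filesystem must be writable by
# the invoking user; fail here with a clear message rather than mid-copy.
if ! mkdir -p "$SECRETS"/{age,ssh,gpg,vaults}; then
    echo "Error: cannot create $SECRETS (is $BACKUP_MOUNT writable by $(id -un)?)" >&2
    exit 1
fi

# Backup Age keys. --delete mirrors the source tree exactly, so a key deleted
# locally disappears from the backup too.
rsync -av --delete ~/.secrets/.age/ "$SECRETS"/age/

# Backup SSH keys (private keys, public keys, config, known_hosts, ...).
rsync -av --delete ~/.ssh/ "$SECRETS"/ssh/

# Backup GPG keys: export atomically (temp file + rename) and refuse to keep an
# empty export, which is what an aborted pinentry or empty keyring produces.
gpg_tmp="$(mktemp "$SECRETS"/gpg/.secret-keys.XXXXXX)"
trap 'rm -f -- "$gpg_tmp"' EXIT
gpg --export-secret-keys --armor > "$gpg_tmp"
if [[ ! -s "$gpg_tmp" ]]; then
    echo "Error: GPG export is empty; previous secret-keys.asc left untouched" >&2
    exit 1
fi
mv -f -- "$gpg_tmp" "$SECRETS"/gpg/secret-keys.asc
trap - EXIT

# Backup gocryptfs configs. gocryptfs.conf carries the vault's master key in
# encrypted form, so a lost config makes the vault unrecoverable; it is still
# protected by the vault password on its own.
for vault in credentials work-sensitive network-configs personal; do
    cp -- ~/atelier/_vaults/"$vault"/gocryptfs.conf "$SECRETS"/vaults/"$vault".conf
done

# Record backup date only once every step above has succeeded, so a stale
# timestamp reliably means "last run did not complete".
date > "$SECRETS"/last-backup.txt

echo "Backup complete: $(date)"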

LUKS Administration

Create New LUKS Container

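# Create LUKS2 container with Argon2id as the key-derivation function.
# luksFormat irreversibly destroys the target: confirm the device by size,
# model and serial first, and never run it with the sdX placeholder.
lsblk -o NAME,SIZE,MODEL,SERIAL /dev/sdX

# --pbkdf-memory is in KiB, so 1048576 = 1 GiB: the machine that later opens
# the drive needs that much free RAM or unlocking fails.
sudo cryptsetup luksFormat --type luks2 \
    --pbkdf argon2id \
    --pbkdf-memory 1048576 \
    --pbkdf-parallel 4 \
    /dev/sdX1

# Confirm the header is what was asked for (LUKS2, argon2id, one key slot).
sudo cryptsetup luksDump /dev/sdX1

# Open new container
sudo cryptsetup luksOpen /dev/sdX1 new-backup

# Create BTRFS filesystem
sudo mkfs.btrfs /dev/mapper/new-backup

# Mount and create subvolumes (create the mount point first; mount does not)
sudo mkdir -p /mnt/new
sudo mount /dev/mapper/new-backup /mnt/new
sudo btrfs subvolume create /mnt/new/@backups
sudo btrfs subvolume create /mnt/new/@secrets
sudo btrfs subvolume create /mnt/new/@recovery
# NOTE(review): luks-backup writes to /mnt/backup/secrets/, a plain directory
# on the top-level volume, not to this @secrets subvolume. Either mount the
# subvolume there (mount -o subvol=@secrets) or the subvolume stays unused.

# Unmount and close so the volume key is dropped from the kernel
sudo umount /mnt/new
sudo cryptsetup luksClose new-backup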

Add Recovery Passphrase (second key slot)

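# Add recovery passphrase in a second key slot. Pass the same PBKDF settings as
# luksFormat: without them the new slot gets cryptsetup's defaults, which may
# be a lower cost than the 1 GiB argon2id used for slot 0, and the drive is
# only as strong as its weakest slot.
sudo cryptsetup luksAddKey /dev/sdX1 \
    --pbkdf argon2id \
    --pbkdf-memory 1048576 \
    --pbkdf-parallel 4

# Check the slot layout. Any header backup taken before this step is now
# stale and must be re-taken (see Header Backup).
sudo cryptsetup luksDump /dev/sdX1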

Header Backup

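# Backup LUKS header (critical for recovery): a damaged header makes the whole
# drive unrecoverable even with the correct passphrase.
# The backup contains every key slot, so it is as sensitive as the drive:
#   - keep it off the drive itself, on encrypted storage, owner-readable only;
#   - re-take it after each luksAddKey/luksRemoveKey/luksChangeKey, because an
#     old copy still unlocks with passphrases that were since removed;
#   - cryptsetup refuses to overwrite an existing backup file, so rotate the
#     old one out of the way first.
sudo cryptsetup luksHeaderBackup /dev/sdX1 \
    --header-backup-file luks-header-backup.bin

# The file is created root-owned; hand it to the invoking user with 0600 so it
# can be moved to its storage location without further sudo.
sudo chown "$(id -u):$(id -g)" luks-header-backup.bin
chmod 600 luks-header-backup.bin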