LUKS Notes

Generally, you shouldn't need much beyond the mailboot script to unlock and mount the partition, but here are a few notes in case you need to do some of this manually.

Actions on the LUKS partition are done with the cryptsetup tool. Since you are working with devices, most of these things need to be run as root. The base device contains the ciphertext, the /dev/mapper one is a cleartext block device, and then you mount a regular filesystem from that.

The luksClose command removes the cleartext block device /dev/mapper/vault-blk. You should kill the mail processes and unmount the regular filesystem /vault before doing this.

$ service postfix stop
$ service dovecot stop
$ service rspamd stop
$ service redis-server stop

$ umount /vault
$ cryptsetup luksClose vault-blk
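The teardown above as a script with the checks a careful operator wants: it refuses to unmount while a process still holds files open on /vault, and it verifies the mapping is really gone afterwards. This is an added example, not part of the mailboot script or these notes; it assumes the vault-blk mapping, the /vault mount point and the four services named above, and must be run as root.

```shell
#!/bin/sh
# vault-close.sh: stop the mail services, unmount /vault, close the LUKS mapping.
# Added example for these notes (assumed names: vault-blk, /vault, the services below).
set -eu

MAPPER=vault-blk
MOUNT=/vault
SERVICES="postfix dovecot rspamd redis-server"

# is_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds if MOUNTPOINT is the second field of some line in the mounts table
# (default /proc/mounts); a file argument lets the check be tested offline.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# mapping_active NAME [DMDIR]
# Succeeds if the cleartext device /dev/mapper/NAME still exists.
mapping_active() {
    [ -e "${2:-/dev/mapper}/$1" ]
}

close_vault() {
    for svc in $SERVICES; do
        service "$svc" stop || echo "warning: could not stop $svc" >&2
    done
    if is_mounted "$MOUNT"; then
        # A busy mount would make umount fail; report the offenders instead.
        if fuser -m "$MOUNT" >/dev/null 2>&1; then
            echo "error: processes still use $MOUNT:" >&2
            fuser -vm "$MOUNT" >&2
            return 1
        fi
        umount "$MOUNT"
    fi
    if mapping_active "$MAPPER"; then
        cryptsetup luksClose "$MAPPER"
    fi
    if mapping_active "$MAPPER"; then
        echo "error: $MAPPER is still mapped" >&2
        return 1
    fi
    echo "vault closed"
}

# Only tear down when invoked with --run, so the helpers can be sourced or tested.
if [ "${1:-}" = "--run" ]; then close_vault; fi
```

Invoke as `sh vault-close.sh --run` as root; without `--run` the script only defines the helper functions.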

The luksChangeKey command changes the passphrase on an encrypted device. LUKS stores a master key (random binary data you never see directly) in a header block on the device; that header is protected by one or more passphrases, each held in its own key slot, so changing a passphrase re-keys only that slot and does not re-encrypt the data.

$ cryptsetup luksChangeKey /dev/sdABC

The mailboot script calls luksOpen to create the cleartext, unlocked device in /dev/mapper where we can then mount the normal file system.

$ cryptsetup luksOpen /dev/sdABC vault-blk
$ mount /vault

The dmsetup command offers the lower-level device-mapper operations on the mapped device (vault-blk is a device-mapper target) for the cases cryptsetup does not cover.

If you want to nuke a LUKS partition, just run wipefs on the device. With the header gone, the partition is now useless. Note that wipefs by default only overwrites the signature bytes, so the key slots remain on disk; cryptsetup luksErase removes all key slots from the header. You may want to back up the header first: luksDump prints the header metadata (cipher, UUID, key slots), while luksHeaderBackup --header-backup-file writes a restorable binary copy.