3

I'm curious if it is possible to mount a partition encrypted by cryptsetup with LUKS securely and automatically on Ubuntu 10.0.4 LTS.

For example, if I use the key for the encrypted partition, then that key has to be present on a device that is not encrypted, and if someone steals my disk they'll be able to find the key and decrypt the partition.

Is there any safe way to mount an encrypted partition? If not, does anything exist to do what I want?

Ency

2 Answers

1

Like with your house or car, the only way to keep your data secure is to not leave your keys lying around... This kind of precludes automatic boot, unless you were to do something like seriously secure a key server, say by building it into a wall or pouring it into the foundation? :-)

I, personally, have done two different things in this situation. One of my machines has a remote KVM card in it, so when it boots I can log in via the KVM and enter the crypto password. On another I have an unencrypted root partition, then store the security-important data on another partition that I have to ssh in and decrypt/mount. I am mostly worried about someone breaking in and stealing the box and then getting access to all this private data.

Sean Reifschneider
0

Yes, it is possible -- you can store the key in an encrypted home directory, or on the LVM-encrypted system volume, for example. However, both of these require you to decrypt the partition where the key is stored at some point -- if you're looking for unattended secure mount of an encrypted device at boot, that's much more of a challenge. See this question for a discussion.

We use encrypted LVM system drives a lot, and while it's a bit of a pain to have to enter the password at boot time, it means we can reasonably secure the disk (and any other encrypted devices, partitions, or volumes we want to mount) in the event of physical loss or theft. Doesn't help secure a running system a bit, though.

nedm
  • I am a bit confused, because all that I read about encrypted LVM was about LUKS. In my case, it is about LUKS on LVM. So I will have to somehow mount encrypted LVM anyway, won't I? – Ency Jan 01 '11 at 23:30
  • LUKS/dmcrypt can be used for a device, partition, disk image, or LVM volume -- anything that can be used by the device mapper. I didn't catch that your question was about encrypting the root partition, and an encrypted LVM volume is just one way to implement this (and has the advantage of being automated as an install option by several prominent distros). Either way, the question boils down to how to secure your keys. If you don't want to have to enter a password at boot, you'll need to take a look at one of the more exotic options, e.g. in the question to which I've linked above. – nedm Jan 02 '11 at 00:01
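
The concern raised in the question, as an added example that is not part of the original thread: a shell function that reads crypttab-format lines and reports which volumes unlock from a key file on disk rather than from a passphrase prompt. The sample entries, device names and key path are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how each crypttab entry gets its key.
# crypttab fields: <name> <device> <key file> <options>

# Constructed sample; names, devices and key path are made up.
sample_crypttab() {
    cat <<'EOF'
# <name>  <device>               <key file>            <options>
data      /dev/vg0/data          none                  luks
backup    /dev/vg0/backup        /etc/keys/backup.key  luks

swap      /dev/sda2              /dev/urandom          swap
EOF
}

# Reads crypttab lines on stdin, prints "<name> <verdict>" per volume.
# Returns 1 if any volume unlocks from a key file stored on disk.
audit_crypttab() {
    found=0
    while read -r name _device key _opts || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;          # skip blanks and comments
        esac
        case ${key:-none} in
            none|-)                   echo "$name prompt" ;;      # passphrase typed at unlock
            /dev/urandom|/dev/random) echo "$name random-key" ;;  # throwaway key, e.g. swap
            *)                        echo "$name keyfile $key"; found=1 ;;
        esac
    done
    return "$found"
}

# Stand-alone use: sh audit.sh /etc/crypttab (no argument: audit the sample).
if [ $# -gt 0 ]; then
    audit_crypttab < "$1"
else
    sample_crypttab | audit_crypttab || true
fi
```

A flagged entry is only as safe as the filesystem holding the key file: if that filesystem is itself unlocked by a passphrase at boot, as nedm's answer describes, the key is not readable from a stolen disk.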