LUKS setup for /var/lib/postgresql

Layer 1 of Meridian's 4-layer data protection: encrypts the block device the database lives on, so a stolen disk or snapshot is unreadable without the passphrase.
DESTRUCTIVE
This operation formats an entire block device. Every existing byte on that device is lost. Run on a dedicated disk, not the system disk. Back up the database first (sudo /opt/meridian/scripts/backup.sh --include-keys).

When to use it

When to skip it

Even without LUKS, the other three layers (field encryption, hash-chain tamper detection, SCRAM-SHA-256 localhost-only access) still apply.

What you need

Walkthrough

  1. Confirm the device. Run lsblk to see what's attached. Make sure you know which device is the target and that it holds nothing you want.
  2. Take a full backup including keys:
    sudo /opt/meridian/scripts/backup.sh --include-keys --output /root/
  3. Run the setup script:
    sudo /opt/meridian/scripts/setup_luks.sh /dev/sdb
  4. Type the exact device path when prompted to confirm destruction.
  5. Enter a 12+ character passphrase twice.
  6. The script: stops PostgreSQL → stages existing data to /var/lib/meridian/tmp/ → formats the device LUKS2 with aes-xts-plain64 512-bit + argon2id PBKDF → opens it as /dev/mapper/meridian-pg → mkfs.ext4 → mounts at /var/lib/postgresql → rsyncs data back → adds entries to /etc/crypttab and /etc/fstab → starts PostgreSQL.
  7. After it finishes, the staging copy is preserved in case anything went wrong. Once you've verified the portal is healthy (sudo /opt/meridian/scripts/health_check.sh), remove it:
    sudo rm -rf /var/lib/meridian/tmp/pg-preluks-*
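The walkthrough promises a specific end state (LUKS2, aes-xts-plain64 with a 512-bit key, argon2id, a UUID-keyed crypttab entry and an ext4 fstab entry on /dev/mapper/meridian-pg). The script below is an added verification check, not Meridian's setup_luks.sh or health_check.sh; it assumes the device is /dev/sdb as in the walkthrough, and the luksDump, crypttab and fstab samples embedded in it are constructed so it runs offline. With --live it reads the real header and files instead.

```shell
#!/bin/sh
# Added verification script (not Meridian's setup_luks.sh): checks that the device,
# /etc/crypttab and /etc/fstab match what the walkthrough promises. The checks take
# text, so they run here against constructed samples and, with --live, against the host.
set -eu

DEV=/dev/sdb                 # assumption: the same device as in the walkthrough
MAPPER=meridian-pg
MOUNT=/var/lib/postgresql

# luks_param DUMP KEY -> value of the first "KEY: value" line in luksDump output
# (leading tabs/spaces tolerated; "Cipher" does not match "Cipher key")
luks_param() {
  printf '%s\n' "$1" | awk -v key="$2" -F': *' \
    '$1 ~ ("^[ \t]*" key "$") { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# check_luks DUMP -> 0 if LUKS2, aes-xts-plain64, 512-bit key, argon2id on the first keyslot
check_luks() {
  [ "$(luks_param "$1" Version)" = 2 ]              || { echo "FAIL: not a LUKS2 header"; return 1; }
  [ "$(luks_param "$1" cipher)" = aes-xts-plain64 ] || { echo "FAIL: data segment cipher"; return 1; }
  [ "$(luks_param "$1" 'Cipher key')" = "512 bits" ] || { echo "FAIL: key is not 512 bits"; return 1; }
  [ "$(luks_param "$1" PBKDF)" = argon2id ]         || { echo "FAIL: keyslot PBKDF is not argon2id"; return 1; }
  echo "OK: LUKS2 aes-xts-plain64 512-bit, argon2id"
}

# check_crypttab TEXT -> 0 if the MAPPER entry is UUID-keyed, prompts (none) and has the luks option
check_crypttab() {
  printf '%s\n' "$1" | awk -v name="$MAPPER" '
    $1 == name { found = 1
      if ($2 !~ /^UUID=/) { print "FAIL: crypttab must reference the device by UUID"; exit 1 }
      if ($3 != "none")   { print "FAIL: key field should be none (passphrase/TPM2 at boot)"; exit 1 }
      n = split($4, o, ","); has_luks = 0
      for (i = 1; i <= n; i++) if (o[i] == "luks") has_luks = 1
      if (!has_luks) { print "FAIL: luks option missing"; exit 1 }
      print "OK: crypttab " $0; exit 0 }
    END { if (!found) { print "FAIL: no crypttab entry for " name; exit 1 } }'
}

# check_fstab TEXT -> 0 if /dev/mapper/MAPPER is mounted at MOUNT as ext4 with fsck pass 2
check_fstab() {
  printf '%s\n' "$1" | awk -v dev="/dev/mapper/$MAPPER" -v mnt="$MOUNT" '
    $1 == dev { found = 1
      if ($2 != mnt)    { print "FAIL: mounted at " $2 " instead of " mnt; exit 1 }
      if ($3 != "ext4") { print "FAIL: filesystem type is " $3; exit 1 }
      if ($6 != "2")    { print "FAIL: fsck pass should be 2 (checked after root)"; exit 1 }
      print "OK: fstab " $0; exit 0 }
    END { if (!found) { print "FAIL: no fstab entry for " dev; exit 1 } }'
}

# Constructed samples (not real output from any host), shaped like luksDump/crypttab/fstab
SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Epoch:          3
UUID:           11111111-2222-3333-4444-555555555555

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
)
SAMPLE_CRYPTTAB=$(cat <<'EOF'
# <target name> <source device> <key file> <options>
meridian-pg  UUID=11111111-2222-3333-4444-555555555555  none  luks,discard
EOF
)
SAMPLE_FSTAB=$(cat <<'EOF'
UUID=aaaa-bbbb  /  ext4  errors=remount-ro  0 1
/dev/mapper/meridian-pg  /var/lib/postgresql  ext4  defaults,noatime  0 2
EOF
)

if [ "${1:-}" = "--live" ]; then
  check_luks "$(cryptsetup luksDump "$DEV")"
  check_crypttab "$(cat /etc/crypttab)"
  check_fstab "$(cat /etc/fstab)"
  [ "$(findmnt -no SOURCE "$MOUNT")" = "/dev/mapper/$MAPPER" ] \
    || { echo "FAIL: $MOUNT is not mounted from /dev/mapper/$MAPPER"; exit 1; }
  echo "OK: $MOUNT is mounted from /dev/mapper/$MAPPER"
else
  # no device access here: exercise the checks on the constructed samples above
  check_luks "$SAMPLE_DUMP"
  check_crypttab "$SAMPLE_CRYPTTAB"
  check_fstab "$SAMPLE_FSTAB"
fi
```

Run it as `sudo sh verify_luks.sh --live` after step 7; any FAIL line means the staging copy under /var/lib/meridian/tmp/ should be kept until the cause is understood. The parameter checks only look at the first keyslot on purpose: a later TPM2 enrolment adds its own slot with a different PBKDF, which is expected.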

What the config actually looks like

After setup, /etc/crypttab has:

meridian-pg  UUID=<UUID>  none  luks,discard

And /etc/fstab has:

/dev/mapper/meridian-pg  /var/lib/postgresql  ext4  defaults,noatime  0 2

Boot-time passphrase handling

By default the passphrase is asked on every boot. For unattended reboots you have two options:

TPM2 auto-unlock (recommended)

If the host has a TPM2 chip, bind the LUKS key slot to it with systemd-cryptenroll:

sudo systemd-cryptenroll --tpm2-device=auto \
     --tpm2-pcrs=7+11 /dev/sdb

# Update /etc/crypttab to use the TPM:
#   meridian-pg  UUID=<UUID>  none  luks,discard,tpm2-device=auto

PCR 7 binds to Secure Boot policy; PCR 11 binds to the kernel image. Changing either (e.g., installing a rootkit) breaks the unlock.
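Switching the crypttab entry over to the TPM is the step most easily done half-way: the option is added before the enrolment exists, or added twice. The helper below is an added example, not a Meridian script; it assumes the device, mapper name and crypttab line from this page, and only rewrites /etc/crypttab when the header actually carries a systemd-tpm2 token. Because a legitimate kernel update changes PCR 11 just as a tampered kernel does, keep the passphrase slot as the fallback the crypttab `none` key field gives you, and plan to re-enrol after updates.

```shell
#!/bin/sh
# Added helper (not part of Meridian): move the meridian-pg crypttab entry to TPM2
# auto-unlock only after the enrolment is verifiably present. Device and names are
# assumed to match the walkthrough.
set -eu
DEV=/dev/sdb
MAPPER=meridian-pg

# add_tpm2_option CRYPTTAB_TEXT -> same text with tpm2-device=auto appended to the
# options of the MAPPER entry; idempotent, all other lines pass through untouched
add_tpm2_option() {
  printf '%s\n' "$1" | awk -v name="$MAPPER" '
    $1 == name && $4 !~ /(^|,)tpm2-device=/ { $4 = $4 ",tpm2-device=auto" }
    { print }'
}

# tpm_enrolled DEV -> 0 if the LUKS header lists a systemd-tpm2 token (what systemd-cryptenroll adds)
tpm_enrolled() { cryptsetup luksDump "$1" | grep -q 'systemd-tpm2'; }

if [ "${1:-}" = "--apply" ]; then
  [ -c /dev/tpmrm0 ] || { echo "no TPM2 resource-manager device; nothing to bind to"; exit 1; }
  tpm_enrolled "$DEV" || { echo "no TPM2 enrolment on $DEV yet; crypttab left unchanged"; exit 1; }
  add_tpm2_option "$(cat /etc/crypttab)" > /etc/crypttab.tmp
  mv /etc/crypttab.tmp /etc/crypttab
  echo "crypttab updated: $(grep "^$MAPPER" /etc/crypttab)"
else
  # offline demonstration on the line from this page (constructed UUID)
  add_tpm2_option "meridian-pg  UUID=11111111-2222-3333-4444-555555555555  none  luks,discard"
fi
```

Run `sudo sh crypttab_tpm2.sh --apply` once the systemd-cryptenroll command above has succeeded; without --apply it only prints the transformed sample line. Field spacing on the rewritten line collapses to single spaces, which crypttab accepts.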

Keyfile on a separate encrypted volume

Viable in controlled physical-access environments but weaker than TPM because the keyfile is only as safe as its container. Not documented in detail here; see the Debian cryptsetup guide.

Rotating the passphrase

sudo cryptsetup luksChangeKey /dev/sdb
# or add a second key slot before removing the old:
sudo cryptsetup luksAddKey /dev/sdb
# slot 0 is assumed to hold the old passphrase; confirm with luksDump before killing it
sudo cryptsetup luksKillSlot /dev/sdb 0
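The add-then-kill sequence above is safe only if the new passphrase really works and slot 0 is not the last slot left. The script below is an added example rather than a Meridian script: it parses the Keyslots section of luksDump, refuses to kill a slot that is not in use or that is the only one, and proves the new passphrase with `cryptsetup open --test-passphrase` before the old slot goes. It assumes /dev/sdb and slot 0 as in the commands above; the keyslot listing embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not a Meridian script): rotate the passphrase without locking
# yourself out. The new key is proven to open the header before the old slot is
# killed, and a slot is never killed if it is the only one.
set -eu

# used_slots DUMP -> the keyslot numbers listed under "Keyslots:" in luksDump output
used_slots() {
  printf '%s\n' "$1" | awk '
    /^Keyslots:/ { k = 1; next }
    /^[^ \t]/    { k = 0 }
    k && /^  [0-9]+: / { n = $1; sub(/:$/, "", n); print n }'
}

# can_kill_slot DUMP SLOT -> 0 only if SLOT is in use and another slot would remain
can_kill_slot() {
  slots=$(used_slots "$1")
  printf '%s\n' "$slots" | grep -qx "$2" || { echo "slot $2 is not in use"; return 1; }
  [ "$(printf '%s\n' "$slots" | wc -l | tr -d ' ')" -ge 2 ] \
    || { echo "refusing: slot $2 is the only key slot; killing it would make the data unrecoverable"; return 1; }
}

# rotate DEV OLD_SLOT -> add a new passphrase, test it, then kill OLD_SLOT
rotate() {
  can_kill_slot "$(cryptsetup luksDump "$1")" "$2" || return 1
  cryptsetup luksAddKey --pbkdf argon2id "$1"   # asks for an existing passphrase, then the new one twice
  echo "Enter the NEW passphrase to prove it unlocks the header:"
  cryptsetup open --test-passphrase "$1"        # maps nothing, only verifies a passphrase
  cryptsetup luksKillSlot "$1" "$2"             # asks for a passphrase from a remaining slot
  echo "slot $2 killed; remaining slots: $(used_slots "$(cryptsetup luksDump "$1")" | tr '\n' ' ')"
}

# Constructed two-slot listing (not real output), shaped like the Keyslots section of luksDump
SAMPLE_DUMP=$(cat <<'EOF'
Keyslots:
  0: luks2
        PBKDF:      argon2id
  1: luks2
        PBKDF:      pbkdf2
Tokens:
EOF
)

if [ $# -ge 1 ]; then
  rotate "$1" "${2:-0}"       # e.g. sudo sh rotate_luks.sh /dev/sdb 0
else
  # no device here: show the guard on the constructed header
  can_kill_slot "$SAMPLE_DUMP" 0 && echo "sample: slot 0 may be killed, slot 1 remains"
fi
```

If the TPM2 enrolment from the previous section is present, it occupies its own slot, so the "another slot remains" guard passes even before luksAddKey; the script still adds the new passphrase first so that a passphrase fallback always exists if the PCR binding breaks.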

Emergency recovery

If you lose the passphrase and haven't enrolled TPM/keyfile, the data is permanently unrecoverable. Restore from a backup bundle onto a new host. Always keep at least one recent backup.sh --include-keys tarball in secure offsite storage.

MERIDIAN 1.0.0 · DOCUMENTATION
meridiannip.com ↗