[pkg-cryptsetup-devel] Bug#917067: Bug#917067: cryptsetup-bin: Opening a LUKS image which resides inside of the /home/ partition

Mikhail Morfikov mmorfikov at gmail.com
Sat Dec 22 15:35:59 GMT 2018


On 22/12/2018 16:11, Guilhem Moulin wrote:
> If having a key file is acceptable to you, the following crypttab(5)
> snippet should be enough for systemd to map the device once /home has
> been mounted:
> 
>     some_img  /home/me/luks/some.img  /path/to/key/file  luks
> 
I don't really want to use keyfiles.

Actually my current setup is pretty good, I mean the real devices are opened
without any issues (using the /etc/crypttab file). I also have the following
systemd service for the LUKS images:

-----------
[Unit]
Description=Cryptography Setup for %I
DefaultDependencies=no
IgnoreOnIsolate=true
After=cryptsetup-pre.target
Before=media-luksimg.mount
Before=umount.target shutdown.target
Conflicts=umount.target shutdown.target
RequiresMountsFor=/home/me/luks/some.img

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=30
KeyringMode=shared
ExecStart=/usr/sbin/cryptdisks_start luksimg
ExecStop=/usr/sbin/cryptdisks_stop luksimg
-----------

This simply waits for /home/me/luks/some.img to be accessible, and then it uses
cryptdisks_start to unlock the image using the password from the kernel keyring,
and I don't have to type the password again when the service is started.

Anyways, I think crypttab should have such functionality built in (if possible),
so everything could be set up in the /etc/crypttab file.
