Can cryptsetup read mappings from /etc/crypttab

disk-encryptionluks

I have a virtualized CentOS 7 server that needs to mount multiple password-protected encrypted volumes. I cannot automatically map the devices on boot, because I don't have access to the console during the boot process to enter the decryption password. After I reboot the system, I have to manually run

cryptsetup luksOpen <device> <name>

to map each underlying block device to an encrypted device. That requires keeping notes on the UUID of each underlying block device and the name it maps to. Is there an easy way to automate this process? I can add the information to /etc/crypttab with the noauto keyword to prevent the devices from mounting on boot. However, I can't get cryptsetup to use the information from this file.

It would be great if there were a command like cryptsetup luksOpen <name> that would read /etc/crypttab to find the name of the underlying block device (similar to the way that you can can mount <mountpoint> if is defined in /etc/fstab).

Is there any way to get cryptsetup to read the mappings from /etc/crypttab?

Best Answer

You can use

sudo systemctl start systemd-cryptsetup@<name>

instead of

cryptsetup luksOpen UUID=... <name>

when you have an entry as follows in your /etc/crypttab:

<name> UUID=... none noauto

It will prompt you for the passphrase if needed.

The corresponding unit file is generated automatically by systemd-cryptsetup-generator.

You can list all generated unit files using

systemctl list-unit-files| grep systemd-cryptsetup

Related Solutions

Linux – CentOS / Redhat 6 Mount Encrypted Partition After Boot

You need to add the noauto option to the filesystem in your fstab. That will prevent the automounter, or anything that calls or simulates a mount -a, from mounting it. However, since auto is part of the defaults option set, you should replace it entirely with the explicit options, minus auto. Pulling the full set from the man page, your new entry should look something like:

/dev/mapper/luks-4fa25d53-0dcd-44ab-9f4d-bee5d6f90fce /sec   ext4    rw,suid,dev,exec,nouser,async,noauto     1 2

Now, whether including dev, suid, and exec are appropriate for your file system is something you should consider.

Centos – Automounting encrypted filesystem (using random key), residing in regular file under CentOS 6.*

The following /etc/crypttab entry is how you'd do it in Ubuntu:

# <target name>  <source device>                      <key file>    <options>
cfs              /var/file-with-encrypted-filesystem  /dev/urandom  tmp=ext4

Very similar to how crypted swap is handled - see the crypttab manpage example below:

# Encrypted swap device
cswap /dev/sda6 /dev/urandom cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,swap

Does the manpage on CentOS for crypttab provide any guidance on doing this? Don't have a CentOS machine around at the moment, but on a RHEL 6 machine the same options are supported.

OK fine, I was curious. This works and it's a little nicer. Put it somewhere like /etc/rc.local. Tested on RH 6:

LODEV=$(losetup -f)
losetup $LODEV /path/to/existing/cryptfile
cryptsetup create cfs $LODEV --key-file /dev/urandom
mkfs.ext2 /dev/mapper/cfs 
mount /dev/mapper/cfs /wherever

Best Answer

Related Solutions

Linux – CentOS / Redhat 6 Mount Encrypted Partition After Boot

Centos – Automounting encrypted filesystem (using random key), residing in regular file under CentOS 6.*

Related Topic