[systemd-devel] What's the correct way to configure encrypted volume and mount point?

John Lane systemd at jelmail.com
Sat Jan 31 02:25:07 PST 2015


On 30/01/15 09:49, Jan Janssen wrote:
>
> But really: why not use automounting logic in fstab?:
>     /dev/mapper/data /home/myuser/data ext4 noauto,x-systemd.automount 0 0
>
> No need to manually trigger a mount. And you can even use "noauto" in
> crypttab so that the encrypted device is only opened once the mount point is
> accessed the first time.
Thanks Jan. As it happens, I've just been trying automount as a solution
before I read your answer ;)

But it leads me on to another question, if that's ok...

I've set up an encrypted volume configured in crypttab/fstab with
key/header on a path that is automounted.
That path is on an encrypted removable USB "keyring" that's inserted at
boot and everything works: the keyring is unlocked (passphrase
requested) and mounted and then the other volumes are unlocked using
their key/header on the keyring and mounted.

However, after boot I want to pull out the keyring (it's only needed for
the key/header during systemd-cryptsetup).
But when I do this, the encrypted volume is unmounted and I don't want
this to happen.

Here's what I have in crypttab:

# <name>  <device>           <password>             <options>
keyring   PARTLABEL=keyring  none                   noauto
abc       /dev/lvm/abc       /root/keyring/abc.key  header=/root/keyring/abc.hdr
xyz       /dev/lvm/xyz       /root/keyring/xyz.key  header=/root/keyring/xyz.hdr


and fstab:

# <file system>     <dir>         <type>    <options>
/dev/mapper/keyring /root/keyring ext4      ro,noauto,x-systemd.automount
/dev/mapper/abc     /srv/abc      ext4
/dev/mapper/xyz     /srv/xyz      ext4


I don't want to lose abc and xyz when I pull out keyring.

I think it might be due to the "RequiresMountsFor=/root/keyring/abc.key"
entries that systemd generates in the cryptsetup unit.
I have tried using a drop-in to cancel that option:

[Unit]
RequiresMountsFor=

but that didn't affect the setting, as I verified with

$ systemctl daemon-reload
$ systemctl show systemd-cryptsetup\@abc --property RequiresMountsFor
RequiresMountsFor=/root/keyring/abc.key

Do you know if/how I can achieve this functionality?

Much appreciated,
John
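
The dependency described in this message can be made visible by cross-referencing the two files. The following is an added example, not part of the original message and not systemd code: it parses the crypttab and fstab quoted above (embedded as constructed sample input) and lists, for each volume, the key and header files that sit under an fstab mount point and whether that mount uses x-systemd.automount. The function names are hypothetical.

```python
import os

# Constructed sample input: the crypttab and fstab contents quoted in the message.
CRYPTTAB = """\
# <name>  <device>           <password>             <options>
keyring   PARTLABEL=keyring  none                   noauto
abc       /dev/lvm/abc       /root/keyring/abc.key  header=/root/keyring/abc.hdr
xyz       /dev/lvm/xyz       /root/keyring/xyz.key  header=/root/keyring/xyz.hdr
"""
FSTAB = """\
# <file system>     <dir>         <type>    <options>
/dev/mapper/keyring /root/keyring ext4      ro,noauto,x-systemd.automount
/dev/mapper/abc     /srv/abc      ext4
/dev/mapper/xyz     /srv/xyz      ext4
"""

def rows(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def owning_mount(path, mounts):
    """Return the longest fstab mount point that contains path, or None."""
    hits = [mp for mp in mounts if mp.startswith("/") and os.path.commonpath([path, mp]) == mp]
    return max(hits, key=len, default=None)

def key_dependencies(crypttab, fstab):
    """Map each crypttab name to [(file, mount point, is_automount), ...]."""
    mounts = {f[1]: f[3].split(",") if len(f) > 3 else [] for f in rows(fstab) if len(f) > 1}
    report = {}
    for f in rows(crypttab):
        files = [f[2]] if len(f) > 2 and f[2].startswith("/") else []  # key file path
        opts = f[3].split(",") if len(f) > 3 else []
        files += [o.split("=", 1)[1] for o in opts if o.startswith("header=")]
        deps = []
        for path in files:
            mp = owning_mount(path, mounts)
            if mp:
                deps.append((path, mp, "x-systemd.automount" in mounts[mp]))
        report[f[0]] = deps
    return report

if __name__ == "__main__":
    for name, deps in key_dependencies(CRYPTTAB, FSTAB).items():
        print(name, deps)
```
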

