<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Jan 22, 2016 at 1:55 PM, Jonathan Dowland <span dir="ltr">&lt;<a href="mailto:jon+systemd-devel@alcopop.org" target="_blank">jon+systemd-devel@alcopop.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, [please CC me on replies if possible],<br>
<br>
I have several LUKS-encrypted volumes, upon which I have placed LVM PVs.<br>
Prior to systemd, I would define them in /etc/crypttab. Right now, due<br>
to systemd-cryptsetup-generator, this gets interpreted and translated<br>
into systemd units.<br>
<br>
I am wondering whether crypttab should be considered deprecated and<br>
whether it would be better practice for new volumes to be defined solely<br>
as systemd units. Is the plan for the crypttab-generator to go away<br>
eventually?<br></blockquote><div><br></div><div>AFAIK, neither fstab nor crypttab are going away anytime soon.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
To activate my filesystems, the steps are<br>
<br>
1. cryptsetup luksOpen &lt;backing device&gt;<br>
2. vgchange -a y &lt;relevant VG name&gt;<br>
3. mount &lt;mountpoint&gt;<br>
<br>
I know to create a systemd-cryptsetup@XYZ.service unit and a<br>
somepath.mount.unit to cover 1. and 3. above. But should I define a<br>
service for 2., or handle it with ExecStartPost= in the cryptsetup<br>
service definition?<br>
<br>
I'm leaning towards the former, because one also needs to handle<br>
vgchange -a n prior to luksClose, but I'd appreciate your opinions (it<br>
might just be a matter of style).<br></blockquote><div><br></div><div>Some distros have started using lvmetad to set up LVM in a more hotplug manner – it should work here as well.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Finally, does anyone have a good solution for multiplexing the<br>
decrypting of dm-crypt partitions that happen to have the same<br>
passphrases? In normal operation I have 2 such devices that I do not<br>
want to mount at boot-time (as that is headless/unattended), but I do<br>
want to mount (manually) in normal operation. It would be convenient to<br>
only type my passphrase once. Is this something the passphrase-asking<br>
logic in systemd can or could support? Should I be looking at key files<br>
instead?<br></blockquote><div><br></div><div>systemd-ask-password(1) mentions being able to cache passwords in a kernel keyring, but I'm not sure if systemd-cryptsetup actually makes use of that.</div></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Mantas Mikulėnas &lt;<a href="mailto:grawity@gmail.com" target="_blank">grawity@gmail.com</a>&gt;</div></div>
</div></div>