udisksctl unlock parameter for keyfiles

David Zeuthen zeuthen at gmail.com
Wed Sep 12 08:09:01 PDT 2012


Hi,

On Tue, Sep 11, 2012 at 3:17 PM, Sebastian Fischmeister
<sfischme at uwaterloo.ca> wrote:
> Cryptsetup requires root access and I don't want that for my backup
> mechanism. Also I don't want to call sudo in a cron job. The encrypted
> drive should be mountable by a regular user (e.g., automounting an
> encrypted usb stick every 10 min and copy something onto it; I don't
> want to keep the stick mounted).

For the record, you can implement what you want with sudo(8) or
pkexec(1) in a perfectly safe way using a wrapper script. With sudo(8)
you'd just add an entry to /etc/sudoers (or drop a file in
/etc/sudoers.d) - with pkexec(1), you'd define a polkit action for the
wrapper script and write a two-line authorization rule to grant access
to your user. The wrapper script would be really simple - just find
the device, unlock it, mount it, do the backup... then unmount,
unlock, eject or something like this.

The way my personal backup system works is this:

 - I have an eSATA enclosure with 5 x 2TB disks
   - the five disks are in a RAID-5 using Linux Software RAID (MD-RAID)

 - I have configuration for the array in /etc/mdadm.conf
   - so the raid array is assembled when I hotplug the enclosure

 - The RAID-5 array contains a single LUKS device
   - I have configuration in /etc/crypttab
     - with a passphrase-file pointing to /etc/luks/<uuid>
     - (which is not world-readable, obviously)
   - systemd unlocks the LUKS device when it appears (because option
     'auto' is used)

 - The filesystem on the LUKS device is referenced in /etc/fstab to
   mount it at /mnt/beta
   - systemd automounts the filesystem when it appears (because option
     'auto' is used)

 - Right now I just run /mnt/beta/do-backup.sh from a terminal
   - but I could easily have a cronjob
   - or an autorun.sh file to make the desktop prompt me to do the backup

Notably, udisks/gnome-disks supports editing fstab and crypttab files, see

 http://davidz25.blogspot.com/2012/03/simpler-faster-better.html

and in GNOME 3.8 / Fedora 19, we'll also support the mdadm.conf /
MD-RAID stuff, see

 https://plus.google.com/u/0/110773474140772402317/posts/DVPpufUA9ur
 http://people.freedesktop.org/~david/gnome-disks-mdraid-20120911-2.png

for work in progress.

Anyway, my point is this - the core OS already contains all the bells
and whistles you need to do this.

    David
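As an added example that is not part of David's message or the udisks project, here is a wrapper script of the kind described above for use with sudo(8), unlocking with cryptsetup(8) and a keyfile the way the post's crypttab setup does. The UUID, keyfile path, mount point, rsync command and the sudoers line in the header comment are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a fixed-configuration wrapper of the kind
# David describes, meant to be granted to one user with a sudoers line such as
#   alice ALL=(root) NOPASSWD: /usr/local/sbin/do-backup run
# Paths below are hardcoded and nothing is read from the caller's arguments or
# environment, so the root grant covers only this one job.
set -eu
LUKS_UUID="01234567-89ab-cdef-0123-456789abcdef"   # placeholder, not a real device
KEY_FILE="/etc/luks/$LUKS_UUID"                     # root-only keyfile, as in the post
MAP_NAME="backup-luks"
MOUNT_POINT="/mnt/backup"

# A UUID must be 8-4-4-4-12 hex digits; anything else is rejected before it is
# spliced into a device path.
valid_uuid() {
    case "$1" in
        *[!0-9a-fA-F-]*) return 1 ;;
        ????????-????-????-????-????????????) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse a keyfile that group or others can read: the ls -l mode string must
# look like -rw-------, otherwise a lax chmod would leak the LUKS key.
key_file_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

run_backup() {
    valid_uuid "$LUKS_UUID" || { echo "do-backup: bad UUID" >&2; return 1; }
    key_file_ok "$KEY_FILE" || { echo "do-backup: keyfile must be mode 0600" >&2; return 1; }
    dev="/dev/disk/by-uuid/$LUKS_UUID"
    # Stick not plugged in: nothing to do, which a cron job should treat as success.
    [ -b "$dev" ] || { echo "do-backup: $dev not present, skipping" >&2; return 0; }
    cryptsetup luksOpen --key-file "$KEY_FILE" "$dev" "$MAP_NAME"
    mount "/dev/mapper/$MAP_NAME" "$MOUNT_POINT" || { cryptsetup luksClose "$MAP_NAME"; return 1; }
    status=0
    rsync -a /home/ "$MOUNT_POINT/home/" || status=$?   # the actual backup
    umount "$MOUNT_POINT" || status=1
    cryptsetup luksClose "$MAP_NAME"                     # lock again so the stick can be pulled
    return "$status"
}

# Only act when invoked as "do-backup run", the exact form the sudoers line allows.
if [ "${1:-}" = run ]; then run_backup; fi
```

The UUID and keyfile checks run before anything privileged happens, so a mistake in the configuration fails closed rather than opening the wrong device.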

