[systemd-devel] Questions on setting up a Truecrypt volume management service
Lennart Poettering
lennart at poettering.net
Mon Oct 15 08:28:38 PDT 2012
On Mon, 15.10.12 11:42, Jakob Hetzelein (nasenatmer at posteo.de) wrote:
> Dear list,
>
> since there don't seem to be many people around worrying about the
> interaction between *Truecrypt and systemd*, I recently encountered the
> problem of incorporating the mounting of my home directory neatly into
> systemd's start up process. Since I use Arch, I mainly found information
> on the respective¹ forums². Although this helped quite a lot, there are
> still some questions open and I wanted to ask for some assistance here:
>
> Which way would you recommend to use to mount an encrypted filesystem in
> the boot process using systemd?
We'd recommend following a scheme similar to what we implemented for
LUKS here: at boot (and config reload), a small generator tool converts
/etc/crypttab into native systemd units which are pulled in as
necessary. Querying for passwords is done via the password agent logic
implemented in systemd, which is enough to make things work correctly if
Plymouth is used, i.e. the password prompt is properly brought to the
screen regardless of whether you use a text-only boot, or a graphical boot
via plymouth.
http://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
http://www.freedesktop.org/wiki/Software/systemd/Generators
http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents
> 1. Instinctively, I'd go for *fstab*, but that didn't work out. The
> fstab way described in the Arch wiki³ works with sysv, but not with
> systemd: I presume this is due to StandardInput not being given to tty in
> the mount scripts. Is that possible somehow? When using truecrypt, it is
> paramount to be able to enter the password/keyfiles while mounting the
> volume, thus StandardInput=tty(-force) might be necessary at some point
> in the .mount mechanism, but I don't know where.
We don't really support interactive scripts like this. Please use the
password agent logic instead. "systemd-ask-password" is a command line
tool to make use of this, which is easily used from shell scripts.
> But here, my questions are:
>
> a) Do you consider this a sound service?
I guess, but we can only advise against using StandardInput=tty... Also,
you probably want to make this an early-boot service, so that this is
fully initialized by the time the main system services are spawned. Use
DefaultDependencies=no for that.
> b) Should I change _WantedBy_ to _local-fs.target_ or any other
> target?
This really depends on your usage. local-fs.target sounds like a good
idea though, but only if you use DefaultDependencies=no. That's because
local-fs.target is ordered before basic.target, and services with the
default of DefaultDependencies=yes will get ordered after that. Hence
you would create a dep loop here.
Instead of appropriating local-fs.target for this you might choose to
appropriate cryptsetup.target for this instead, or introduce your own
truecrypt.target.
Also see:
http://www.freedesktop.org/software/systemd/man/bootup.html
> c) Should I insert an _After_ line?
This might make sense to ensure that your service is only run after the
low-level device showed up.
> d) As you can see, I use mpd and thus have included a
> _Before=mpd.service_ line in order to let mpd wait for this service to
> finish loading. I think that is fine and should also determine the
> shutdown process to proceed in the reverse order, right?
mpd is a normal service, hence if you follow the advice regarding
DefaultDependencies= above you don't need any special ordering.
Lennart
--
Lennart Poettering - Red Hat, Inc.
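A unit that follows the scheme outlined in this reply (early-boot service with DefaultDependencies=no, ordered after the backing device and before local-fs.target, password obtained through systemd-ask-password rather than a tty), as an added example that is not from this thread or from systemd or TrueCrypt upstream. The device /dev/sdb1, the mount point /home, the unit name and the truecrypt command-line flags are assumptions.

```ini
# /etc/systemd/system/truecrypt-home.service  (added example, hypothetical unit)
[Unit]
Description=Unlock and mount TrueCrypt volume on /dev/sdb1 at /home
# Early-boot service: without this, the implicit After=basic.target would
# form a dependency loop with Before=local-fs.target.
DefaultDependencies=no
# Only start once the low-level device (assumed /dev/sdb1) has shown up,
# and stop the unit if the device disappears.
BindsTo=dev-sdb1.device
After=dev-sdb1.device
# Make the mount available before other local filesystems are considered
# ready; mpd and other normal services are implicitly ordered after that.
Before=local-fs.target
# Unmount during shutdown in reverse order, before the final umount pass.
Conflicts=umount.target
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Ask for the passphrase via the systemd password agent logic (works with
# both text-mode boot and Plymouth), then hand it to truecrypt in text mode.
# Assumed truecrypt flags: --text --non-interactive --protect-hidden --password.
# Note: truecrypt's own help warns that a password passed on the command
# line is briefly visible in the process list; a keyfile-only volume avoids that.
ExecStart=/bin/sh -c 'exec /usr/bin/truecrypt --text --non-interactive \
    --protect-hidden=no \
    --password="$(systemd-ask-password "TrueCrypt passphrase for /dev/sdb1:")" \
    /dev/sdb1 /home'
ExecStop=/usr/bin/truecrypt --text --non-interactive -d /home

[Install]
# Pull the unit in alongside the LUKS units rather than appropriating
# local-fs.target; a dedicated truecrypt.target would work the same way.
WantedBy=cryptsetup.target
```

Enable with `systemctl enable truecrypt-home.service`; the prompt is then answered at boot by whichever password agent is active (console or Plymouth).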