[systemd-devel] Questions on setting up a Truecrypt volume management service

Mon Oct 15 12:49:52 PDT 2012

On 10/15/2012 04:42 AM, Jakob Hetzelein wrote:
> Dear list,
> 
> since there don't seem to be many people around worrying about the
> interaction between *Truecrypt and systemd*, I recently encountered the
> problem of incorporating the mounting of my home directory neatly into
> systemd's start up process. Since I use Arch, I mainly found information
> on the respective¹ forums². Although this helped quite a lot, there are
> still some questions open and I wanted to ask for some assistance here:
> 
> Which way would you recommend to use to mount an encrypted filesystem in
> the boot process using systemd?
> 
> 1. Instinctively, I'd go for *fstab*, but that didn't work out. The
> fstab way described in the Arch wiki³ works with sysv, but not with
> systemd: I presume this is due to StandarInput not being given to tty in
> the mount scripts. Is that possible somehow? When using truecrypt, it is
> paramount to be able to enter the password/keyfiles while mounting the
> volume, thus StandardInput=tty(-force) might be necessary at some pount
> in the .mount mechanism, but I don't know where.
> 
> 2. The other way I'm using so far is by using a *truecrypt.service*. I
> put my ideas into the arch wiki⁴ but think it's worth to reproduce them
> here:
> 
> ========================================================================
> [Unit]
> Description=Truecrypt volume manager
> ConditionPathExists=!/home/MOUNTPOUNT
> #Before=mpd.service
> 
> [Service]
> Type=oneshot
> StandardInput=tty-force
> ExecStart=/usr/bin/truecrypt -t /dev/sdXY /home/
> RemainAfterExit=yes
> ExecStop=/usr/bin/truecrypt -t -d
> TimeOutSec=5
> 
> [Install]
> WantedBy=multi-user.target
> ========================================================================
> 
> Mounting works fine, about the unmounting I'm not so sure but according
> to the logs it should be ok, too (there's not much in them except for a
> few echos I put in the beginning and end of ExecStop (separated by ;)
> 
> But here, my questions are:
> 
> a) Do you consider this a sound service?
> b) Should I change _WantedBy_ to _local-fs.target_ or any other target?
> c) Should I insert an _After_ line?
> d) As you can see, I use mpd and thus have included a
> _Before=mpd.service_ line in order to let mpd wait for this service to
> finish loading. I think that is fine and should also determine the
> shutdown process to proceed in the reverse order, right?
> 
> ¹ https://bbs.archlinux.org/viewtopic.php?id=142289
> ² https://bbs.archlinux.org/viewtopic.php?id=149269
> ³ https://wiki.archlinux.org/index.php/Truecrypt#Mount_volumes_via_fstab
> ⁴
> https://wiki.archlinux.org/index.php/Systemd/Services#truecrypt_volume_manager
> 
> Best wishes and thanks for your help in advance,
> 
> Jakob
> 
> 

You might have more success if you treat truecrypt more like cryptsetup in that
it only handles mapping a block device to /dev/mapper/*. You can do this with
the --filesystem=none option. Then you can have a truecrypt at .service which looks
a lot like the systemd-cryptsetup at .service. The mounting from
/dev/mapper/truecrypt* can then be placed in /etc/fstab as normal.

One odd thing to note though is that truecrypt fails if the loop.ko module isn't
loaded (maybe only when using a file-based container). It isn't loaded on demand
as it can/should be.