[systemd-devel] What's the correct way to configure encrypted volume and mount point?

John Lane systemd at jelmail.com
Sat Jan 31 03:21:32 PST 2015

On 31/01/15 10:25, John Lane wrote:
> On 30/01/15 09:49, Jan Janssen wrote:
>> But really: why not use automounting logic in fstab?:
>>     /dev/mapper/data /home/myuser/data ext4 noauto,x-systemd.automount 0 0
>> No need to manually trigger a mount. And you can even use "noauto" in
>> crypttab so that the encrypted device is only opened once the mount point is
>> accessed the first time.
> Thanks Jan. as it happens, I've just been trying automount as a
> solution before I read your answer ;)
> But it leads me on to another question, if that's ok...
> I've set up an encrypted volume configured in crypttab/fstab with
> key/header on a path that is automounted.
> That path is on a encrypted removable usb "keyring" that's inserted at
> boot and everything works: the keyring is unlocked (passphrase
> requested) and mounted and then the other volumes are unlocked using
> their key/header on the keyring and mounted.
> However, after boot I want to pull out the keyring (it's only needed
> for the key/header during systemd-cryptsetup).
> But when I do this, the encrypted volume is unmounted and I don't want
> this to happen.
> Here's what I have in crypttab:
> |# <name>  <device>           <password>             <options>
> keyring   PARTLABEL=keyring  none                   noauto
> abc       /dev/lvm/abc       /root/keyring/abc.key  header=/root/keyring/abc.hdr
> xyz       /dev/lvm/xyz       /root/keyring/xyz.key  header=/root/keyring/xyz.hdr|
> and fstab:
> | <file system>     <dir>         <type>    <options>
> /dev/mapper/keyring /root/keyring ext4      ro,noauto,x-systemd.automount
> /dev/mapper/abc     /srv/abc      ext4
> /dev/mapper/xyz     /srv/xyz      ext4|
> I don't want to lose abc and xyz when I pull out keyring.
> I think it might be due to the
> "RequiresMountsFor=/root/keyring/abc.key" entries that systemd
> generates in the cryptsetup unit.
> I have tried using a drop-in to cancel that option:
> [Unit]
> RequiresMountsFor=
> but that didn't affect the setting, as I verified with
> $ systemctl daemon-reload
> $ systemctl show systemd-cryptsetup\@abc --property RequiresMountsFor
> RequiresMountsFor=/root/keyring/abc.key
> Do you know if/how I can achieve this functionality?
> Much appreciated,
> John
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Further to this, I tried manually creating a systemd-cryptsetup unit
instead of putting an entry in /etc/crypttab.
This allowed me to remove the "RequiresMountsFor" entry.

By doing this, removing the keyring doesn't unmount the encrypted volumes.

The unit I used looks like this:
/etc/systemd/system/systemd-cryptsetup at .service

    Description=Cryptography Setup for %I
    Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup at .service(8)

    ExecStart=/usr/lib/systemd/systemd-cryptsetup attach '%i'
'/dev/lvm/%i' '/root/keyring/%i.key' 'header=/root/keyring/%i.hdr'
    ExecStop=/usr/lib/systemd/systemd-cryptsetup detach '%i'


I wonder if it's possible for an /etc/crypttab option to soften the
requirement for the mount to something like "StartRequiresMountsFor"...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150131/07a630e6/attachment.html>

More information about the systemd-devel mailing list