[systemd-devel] What's the correct way to configure encrypted volume and mount point?
systemd at jelmail.com
Sat Jan 31 03:21:32 PST 2015
On 31/01/15 10:25, John Lane wrote:
> On 30/01/15 09:49, Jan Janssen wrote:
>> But really: why not use automounting logic in fstab?:
>> /dev/mapper/data /home/myuser/data ext4 noauto,x-systemd.automount 0 0
>> No need to manually trigger a mount. And you can even use "noauto" in
>> crypttab so that the encrypted device is only opened once the mount point is
>> accessed the first time.
> Thanks Jan. as it happens, I've just been trying automount as a
> solution before I read your answer ;)
> But it leads me on to another question, if that's ok...
> I've set up an encrypted volume configured in crypttab/fstab with
> key/header on a path that is automounted.
> That path is on a encrypted removable usb "keyring" that's inserted at
> boot and everything works: the keyring is unlocked (passphrase
> requested) and mounted and then the other volumes are unlocked using
> their key/header on the keyring and mounted.
> However, after boot I want to pull out the keyring (it's only needed
> for the key/header during systemd-cryptsetup).
> But when I do this, the encrypted volume is unmounted and I don't want
> this to happen.
> Here's what I have in crypttab:
> |# <name> <device> <password> <options>
> keyring PARTLABEL=keyring none noauto
> abc /dev/lvm/abc /root/keyring/abc.key header=/root/keyring/abc.hdr
> xyz /dev/lvm/xyz /root/keyring/xyz.key header=/root/keyring/xyz.hdr|
> and fstab:
> | <file system> <dir> <type> <options>
> /dev/mapper/keyring /root/keyring ext4 ro,noauto,x-systemd.automount
> /dev/mapper/abc /srv/abc ext4
> /dev/mapper/xyz /srv/xyz ext4|
> I don't want to lose abc and xyz when I pull out keyring.
> I think it might be due to the
> "RequiresMountsFor=/root/keyring/abc.key" entries that systemd
> generates in the cryptsetup unit.
> I have tried using a drop-in to cancel that option:
> but that didn't affect the setting, as I verified with
> $ systemctl daemon-reload
> $ systemctl show systemd-cryptsetup\@abc --property RequiresMountsFor
> Do you know if/how I can achieve this functionality?
> Much appreciated,
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
Further to this, I tried manually creating a systemd-cryptsetup unit
instead of putting an entry in /etc/crypttab.
This allowed me to remove the "RequiresMountsFor" entry.
By doing this, removing the keyring doesn't unmount the encrypted volumes.
The unit I used looks like this:
/etc/systemd/system/systemd-cryptsetup at .service
Description=Cryptography Setup for %I
man:systemd-cryptsetup at .service(8)
ExecStart=/usr/lib/systemd/systemd-cryptsetup attach '%i'
'/dev/lvm/%i' '/root/keyring/%i.key' 'header=/root/keyring/%i.hdr'
ExecStop=/usr/lib/systemd/systemd-cryptsetup detach '%i'
I wonder if it's possible for an /etc/crypttab option to soften the
requirement for the mount to something like "StartRequiresMountsFor"...
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the systemd-devel