[systemd-devel] the correct way to define crypt partitions, going forward

Mantas Mikulėnas grawity at gmail.com
Fri Jan 22 09:23:53 PST 2016


On Fri, Jan 22, 2016 at 1:55 PM, Jonathan Dowland <
jon+systemd-devel at alcopop.org> wrote:

> Hi, [please CC me on replies if possible],
>
> I have several LUKS-encrypted volumes, upon which I have placed LVM PVs.
> Prior to systemd, I would define them in /etc/crypttab. Right now, due
> to systemd-cryptsetup-generator, this gets interpreted and translated
> into systemd units.
>
> I am wondering whether crypttab should be considered deprecated and
> whether it would be better practice for new volumes to be defined solely
> as systemd units. Is the plan for the crypttab-generator to go away
> eventually?
>

AFAIK, neither fstab nor crypttab are going away anytime soon.

> To activate my filesystems, the steps are
>
>     1. cryptsetup luksOpen <backing device>
>     2. vgchange -a y <relevant VG name>
>     3. mount <mountpoint>
>
> I know to create a systemd-cryptsetup at XYZ.service unit and a
> somepath.mount.unit to cover 1. and 3. above. But should I define a
> service for 2., or handle it with ExecStartPost= in the cryptsetup
> service definition?
>
> I'm leaning towards the former, because one also needs to handle
> vgchange -a n prior to luksClose, but I'd appreciate your opinions (it
> might just be a matter of style).
>

Some distros have started using lvmetad to set up LVM in a more hotplug
manner – it should work here as well.


> Finally, does anyone have a good solution for multiplexing the
> decrypting of dm-crypt partitions that happen to have the same
> passphrases? In normal operation I have 2 such devices that I do not
> want to mount at boot-time (as that is headless/unattended), but I do
> want to mount (manually) in normal operation. It would be convenient to
> only type my passphrase once. Is this something the passphrase-asking
> logic in systemd can or could support? Should I be looking at key files
> instead?
>

systemd-ask-password(1) mentions being able to cache passwords in a kernel
keyring, but I'm not sure if systemd-cryptsetup actually makes use of that.

-- 
Mantas Mikulėnas <grawity at gmail.com>
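An added example, not from the original thread or from systemd itself, of the unit layout the question describes: a crypttab entry (step 1), a separate oneshot service for vgchange (step 2) that also deactivates the VG on stop, and a mount unit (step 3). The mapping name cryptlvm, the VG name vg_data, the LV data, the mountpoint /srv/data and the UUID are all placeholder values.

```ini
# /etc/crypttab  (placeholder UUID; systemd-cryptsetup-generator turns this
# line into systemd-cryptsetup@cryptlvm.service; "noauto" keeps it out of boot)
cryptlvm  UUID=00000000-0000-0000-0000-000000000000  none  luks,noauto

# /etc/systemd/system/vg_data-activate.service  (step 2, as its own unit)
[Unit]
Description=Activate LVM volume group vg_data on top of cryptlvm
# Pull in and order after the generated cryptsetup unit; BindsTo= makes this
# service stop (running vgchange -a n) whenever the mapping is closed.
Requires=systemd-cryptsetup@cryptlvm.service
BindsTo=systemd-cryptsetup@cryptlvm.service
After=systemd-cryptsetup@cryptlvm.service

[Service]
Type=oneshot
# Keep the unit "active" after vgchange exits so ExecStop= runs on stop,
# and so the mount unit below can depend on it.
RemainAfterExit=yes
ExecStart=/sbin/vgchange -a y vg_data
# Deactivate the VG before the cryptsetup unit's stop closes the mapping;
# stop order is the reverse of After= ordering.
ExecStop=/sbin/vgchange -a n vg_data

# /etc/systemd/system/srv-data.mount  (step 3; name must match the path)
[Unit]
Description=Data filesystem on vg_data/data
Requires=vg_data-activate.service
After=vg_data-activate.service

[Mount]
What=/dev/vg_data/data
Where=/srv/data
Type=ext4
Options=defaults

# No [Install] section on either unit: nothing is started at boot, and
# "systemctl start srv-data.mount" later pulls in the whole chain
# (passphrase prompt -> vgchange -a y -> mount), while
# "systemctl stop systemd-cryptsetup@cryptlvm.service" tears it down in
# reverse (umount -> vgchange -a n -> luksClose).
```

With this layout the vgchange step lives in its own unit rather than in an ExecStartPost= of the cryptsetup service, which is what gives the clean reverse ordering on shutdown: the mount is unmounted first, then the VG is deactivated, and only then is the LUKS mapping closed.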