[systemd-devel] How to automatically decrypt a disk on connection

Orion Poplawski orion at nwra.com
Tue Mar 26 21:34:31 UTC 2024


Sorry this isn't strictly devel - but it is a bit non-standard.

I need to automatically unlock an encrypted disk on connection to a machine,
with the caveat that I'm not mounting it - instead I want to connect it to a VM.

On machines where we do mount the filesystem, having an fstab entry seems to be
the key to getting the systemd-cryptsetup@luks-UUID service to fire and the
disk decrypted.  But lacking that I'm not sure how to get it to trigger.

I do have an entry for the disk in /etc/crypttab:

luks-16f5b686-8669-407b-920d-427fa8b81328
UUID=16f5b686-8669-407b-920d-427fa8b81328 none _netdev

My current plan had been to use a udev rule to attach the disk to the VM:

ACTION=="change", SUBSYSTEM=="block", ENV{ID_FS_LABEL}=="WEEKLY", \
  RUN+="/usr/bin/virsh attach-disk VM %E{DEVNAME} sdc --live"

But perhaps if I had a unit that depended on the cryptsetup service, much
like a mount unit may(?), that could get cryptsetup to fire as well.

This is with systemd-252-18.el9.x86_64.

I tried having a udev rule that started the specific
systemd-cryptsetup@luks-UUID service, but that failed:

Mar 26 11:49:43 systemd[1]: Unnecessary job was removed for Expansion Linux\x20filesystem.
Mar 26 11:49:43 systemd[1]: systemd-cryptsetup@luks\x2d16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.service: Bound to unit dev-disk-by\x2duuid-16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.device, but unit isn't active.
Mar 26 11:49:43 systemd[1]: Dependency failed for Cryptography Setup for luks-16f5b686-8669-407b-920d-427fa8b81328.
Mar 26 11:49:43 systemd[1]: systemd-cryptsetup@luks\x2d16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.service: Job systemd-cryptsetup@luks\x2d16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.service/start failed with result 'dependency'.

I guess because it runs too soon and the dev-disk-by-uuid device isn't present
yet.  I can get it to unlock by starting that service later.  Note that
actually unlocking is handled by clevis.

Debug logs from when the disk is attached:

Mar 26 14:27:24 systemd[1]: sde: Processing udev action (SEQNUM=7177, ACTION=add)
Mar 26 14:27:24 systemd[1]: sys-devices-pci0000:00-0000:00:02.0-0000:05:00.0-0000:06:02.0-0000:08:00.0-usb9-9\x2d1-9\x2d1:1.0-host3-target3:0:0-3:0:0:0-block-sde.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2ddiskseq-37.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-usb\x2dSeagate_Expansion_NA8JP0EX\x2d0:0.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-scsi\x2d1NA8JP0EX.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2dpath-pci\x2d0000:08:00.0\x2dusb\x2d0:1:1.0\x2dscsi\x2d0:0:0:0.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2duuid-632f39d7\x2dc5d1\x2d4d72\x2d8939\x2dc1e65ce09255.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-scsi\x2dSSeagate_Expansion_NA8JP0EX.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-sde.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-scsi\x2d33e41384a50304558.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484742 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484743 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484744 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484745 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484746 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484747 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484748 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484749 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484750 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: sde1: Processing udev action (SEQNUM=7178, ACTION=add)
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-wwn\x2d0x3e41384a50304558\x2dpart1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: sys-devices-pci0000:00-0000:00:02.0-0000:05:00.0-0000:06:02.0-0000:08:00.0-usb9-9\x2d1-9\x2d1:1.0-host3-target3:0:0-3:0:0:0-block-sde-sde1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2dpath-pci\x2d0000:08:00.0\x2dusb\x2d0:1:1.0\x2dscsi\x2d0:0:0:0\x2dpart1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-scsi\x2d33e41384a50304558\x2dpart1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-scsi\x2dSSeagate_Expansion_NA8JP0EX\x2dpart1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-scsi\x2d1NA8JP0EX\x2dpart1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-sde1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484751 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484752 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2duuid-16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2dpartuuid-a53e8ff9\x2dcc81\x2d468d\x2dbbee\x2db029df8678d8.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: dev-disk-by\x2did-usb\x2dSeagate_Expansion_NA8JP0EX\x2d0:0\x2dpart1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484753 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484754 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484755 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484756 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484757 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484758 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484759 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484760 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484761 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484762 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitNew cookie=484763 reply_cookie=0 signature=so error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2dpartlabel_2dLinux_5cx5cx20filesystem_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484764 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2dpartlabel_2dLinux_5cx5cx20filesystem_2edevice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=484765 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a

-- 
Orion Poplawski
he/him/his  - surely the least important thing about me
Manager of IT Systems                      720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
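The failure quoted above (a RUN+= rule starting the cryptsetup unit while its dev-disk-by\x2duuid-… device unit is still inactive) is the usual symptom of driving systemd from inside the udev worker: RUN+= executes before PID 1 has processed the uevent and marked the device unit as plugged. The added example below is not part of the original post or of systemd's own tooling; it shows the alternative of letting the device unit pull in a small oneshot service through the SYSTEMD_WANTS udev property (documented in systemd.device(5)), with that service ordered Requires=/After= the generator-created systemd-cryptsetup@ unit. The LUKS UUID is the one from the post; the VM name "VM", the guest target "sdc", and the rule and unit file names are assumed, as is the mapper path /dev/mapper/luks-<UUID> that the crypttab entry above produces. The escaped unit names are kept inside the unit file, where systemd parses them, rather than in the udev rule.

```shell
#!/bin/sh
# Added example (not from the original post): render a udev rule plus a oneshot
# service so that hotplugging the LUKS disk activates its
# systemd-cryptsetup@luks\x2d<UUID>.service via the device unit's SYSTEMD_WANTS,
# instead of a RUN+= that races the device unit.
# From the post: the LUKS UUID. Assumed/hypothetical: VM name, guest target,
# service and rules file names.
set -eu

LUKS_UUID="16f5b686-8669-407b-920d-427fa8b81328"
VM_NAME="VM"                                  # assumed (as in the post's RUN+= line)
GUEST_TARGET="sdc"                            # assumed (as in the post's RUN+= line)
SERVICE_NAME="luks-hotplug-attach.service"    # hypothetical unit name
RULES_FILE="99-luks-hotplug.rules"            # hypothetical rules file name

# systemd spells "-" as "\x2d" inside instance and device unit names (visible in
# the journal lines of the post); reproduce that escaping for a UUID.
escape_uuid() {
    printf '%s' "$1" | sed 's/-/\\x2d/g'
}

# Unit that systemd-cryptsetup-generator creates for the "luks-<UUID>" crypttab line.
cryptsetup_unit() {
    printf 'systemd-cryptsetup@luks\\x2d%s.service' "$(escape_uuid "$1")"
}

# Device unit the cryptsetup unit is BindsTo=; it must be plugged before we start.
device_unit() {
    printf 'dev-disk-by\\x2duuid-%s.device' "$(escape_uuid "$1")"
}

# udev rule: match the raw LUKS container by its header UUID on "add" and add a
# Wants= from its device unit to our service. TAG+="systemd" is what makes PID 1
# honour SYSTEMD_WANTS (block devices normally carry it already). No RUN+= here.
render_udev_rule() {
    printf 'ACTION=="add", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", ENV{ID_FS_UUID}=="%s", TAG+="systemd", ENV{SYSTEMD_WANTS}+="%s"\n' "$1" "$SERVICE_NAME"
}

# Oneshot service: bound to the by-uuid device unit, ordered after the cryptsetup
# unit (so /dev/mapper/luks-<UUID> exists when ExecStart runs), then attaches
# the decrypted mapper device to the VM.
render_service() {
    uuid="$1"
    cat <<EOF
[Unit]
Description=Unlock LUKS $uuid on hotplug and attach it to $VM_NAME
BindsTo=$(device_unit "$uuid")
After=$(device_unit "$uuid")
Requires=$(cryptsetup_unit "$uuid")
After=$(cryptsetup_unit "$uuid")

[Service]
Type=oneshot
ExecStart=/usr/bin/virsh attach-disk $VM_NAME /dev/mapper/luks-$uuid $GUEST_TARGET --live
EOF
}

# Write both files under DESTDIR (empty = the live system) and reload udev/systemd.
# Only runs when invoked as: sh this.sh install [DESTDIR]
install_files() {
    dest="${1:-}"
    mkdir -p "$dest/etc/udev/rules.d" "$dest/etc/systemd/system"
    render_udev_rule "$LUKS_UUID" > "$dest/etc/udev/rules.d/$RULES_FILE"
    render_service "$LUKS_UUID" > "$dest/etc/systemd/system/$SERVICE_NAME"
    [ -n "$dest" ] || { systemctl daemon-reload; udevadm control --reload; }
}

if [ "${1:-}" = "install" ]; then
    install_files "${2:-}"
fi
```

Run `sh this.sh install /tmp/stage` first and inspect the two rendered files; only `sh this.sh install` touches /etc and reloads the daemons. If the existing ACTION=="change" rule keyed on ID_FS_LABEL=="WEEKLY" stays in place, drop the ExecStart= line from the rendered unit so the disk is not attached twice; the unit then does nothing but pull in the unlock, and the label rule attaches the mapper device once it appears.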