[systemd-devel] How to automatically decrypt a disk on connection

Wed Mar 27 14:36:06 UTC 2024

On 3/27/24 07:29, Andrei Borzenkov wrote:
> On Wed, Mar 27, 2024 at 12:35 AM Orion Poplawski <orion at nwra.com> wrote:
>>
>> Sorry this isn't strictly devel - but it is a bit non-standard.
>>
>> I need to automatically unlock an encrypted disk on connection to a machine,
>> with the caveat that I'm not mounting it - instead I want to connect it to a VM.
>>
>> On machines that we do mount the filesystem, having an fstab entry seems to be
>> the key to get the systemd-cryptsetup at luks-UUID service to fire and get the
>> disk decrypted.  But lacking that I'm not sure how to get it to trigger.
>>
>> I do have an entry for the disk in /etc/crypttab:
>>
>> luks-16f5b686-8669-407b-920d-427fa8b81328
>> UUID=16f5b686-8669-407b-920d-427fa8b81328 none _netdev
>>
>> My current plan had been to use a udev rule to attach the disk to the VM:
>>
>> ACTION=="change", SUBSYSTEM=="block", ENV{ID_FS_LABEL}=="WEEKLY",
>> RUN+="/usr/bin/virsh attach-disk VM %E{DEVNAME} sdc --live"
>>
>> But perhaps if I have a unit that was dependent on the cryptsetup service much
>> like a mount unit may have(?) that could get cryptsetup to fire as well.
>>
>> This is with systemd-252-18.el9.x86_64
>>
>> I tried having a udev rule that started the specific
>> systemd-cryptsetup at luks-UUID service, but that failed:
>>
> 
> You did not show this rule, so it is hard to guess why it fails.

Sorry, here goes:

ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", 
ENV{ID_BUS}=="usb", ENV{ID_FS_TYPE}=="crypto_LUKS", 
RUN+="cryptsetup-trigger"

# cat /usr/lib/udev/cryptsetup-trigger
#!/bin/bash
/usr/bin/systemctl restart 
'systemd-cryptsetup at luks\x2d'${ID_FS_UUID//-/\\x2d}.service

It failed with:

Mar 26 11:49:43 systemd[1]: Unnecessary job was removed for Expansion 
Linux\x20filesystem.
Mar 26 11:49:43 systemd[1]: 
systemd-cryptsetup at luks\x2d16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.service: 
Bound to unit dev-disk-by\x2duuid-16f5b686\x2d
8669\x2d407b\x2d920d\x2d427fa8b81328.device, but unit isn't active.
Mar 26 11:49:43 systemd[1]: Dependency failed for Cryptography Setup for 
luks-16f5b686-8669-407b-920d-427fa8b81328.
Mar 26 11:49:43 systemd[1]: 
systemd-cryptsetup at luks\x2d16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.service: 
Job systemd-cryptsetup at luks\x2d16f5b686\x2d866
9\x2d407b\x2d920d\x2d427fa8b81328.service/start failed with result 
'dependency'.
Mar 26 11:49:43 systemd[1]: Reached target Block Device Preparation for 
/dev/mapper/luks-16f5b686-8669-407b-920d-427fa8b81328.
Mar 26 11:49:43 systemd[1]: Stopped target Block Device Preparation for 
/dev/mapper/luks-16f5b686-8669-407b-920d-427fa8b81328.

Looking at the systemd debug messages for sde1 being attached:

Mar 26 14:27:24 systemd[1]: dev-sde1.device: Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a 
destination=n/a 
path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice 
interface=org.freedesktop.DBus.Properties member=PropertiesChanged 
cookie=484751 reply_cookie=0 signature=sa{sv}as error-name=n/a 
error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a 
destination=n/a 
path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice 
interface=org.freedesktop.DBus.Properties member=PropertiesChanged 
cookie=484752 reply_cookie=0 signature=sa{sv}as error-name=n/a 
error-message=n/a
Mar 26 14:27:24 systemd[1]: 
dev-disk-by\x2duuid-16f5b686\x2d8669\x2d407b\x2d920d\x2d427fa8b81328.device: 
Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: 
dev-disk-by\x2dpartuuid-a53e8ff9\x2dcc81\x2d468d\x2dbbee\x2db029df8678d8.device: 
Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: 
dev-disk-by\x2did-usb\x2dSeagate_Expansion_NA8JP0EX\x2d0:0\x2dpart1.device: 
Changed dead -> plugged
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a 
destination=n/a 
path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice 
interface=org.freedesktop.DBus.Properties member=PropertiesChanged 
cookie=484753 reply_cookie=0 signature=sa{sv}as error-name=n/a 
error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a 
destination=n/a 
path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2duuid_2d16f5b686_5cx2d8669_5cx2d407b_5cx2d920d_5cx2d427fa8b81328_2edevice 
interface=org.freedesktop.DBus.Properties member=PropertiesChanged 
cookie=484754 reply_cookie=0 signature=sa{sv}as error-name=n/a 
error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a 
destination=n/a 
path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2dpartlabel_2dLinux_5cx5cx20filesystem_2edevice 
interface=org.freedesktop.DBus.Properties member=PropertiesChanged 
cookie=484764 reply_cookie=0 signature=sa{sv}as error-name=n/a 
error-message=n/a
Mar 26 14:27:24 systemd[1]: Sent message type=signal sender=n/a 
destination=n/a 
path=/org/freedesktop/systemd1/unit/dev_2ddisk_2dby_5cx2dpartlabel_2dLinux_5cx5cx20filesystem_2edevice 
interface=org.freedesktop.DBus.Properties member=PropertiesChanged 
cookie=484765 reply_cookie=0 signature=sa{sv}as error-name=n/a 
error-message=n/a

Can I setup a unit that gets started automatically when a particular 
dev-disk-by-uuid device becomes present?

Thanks.

-- 
Orion Poplawski
he/him/his  - surely the least important thing about me
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3826 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20240327/5005119a/attachment.bin>