[systemd-devel] How to automatically decrypt a disk on connection
Orion Poplawski
orion at nwra.com
Wed Mar 27 17:56:45 UTC 2024
On 3/27/24 10:22, Mantas Mikulėnas wrote:
> On Wed, Mar 27, 2024, 16:36 Orion Poplawski <orion at nwra.com> wrote:
>
> > Can I set up a unit that gets started automatically when a particular
> > dev-disk-by-uuid device becomes present?
>
> Just link it under dev-disk-foo.device.wants/ (systemctl enable, or systemctl
> add-wants).
>
> Alternatively, ENV{SYSTEMD_WANTS}="foo.service" from udev will have the same
> effect.

Thanks for pointing me to that. This is what I've ended up with at the moment:

ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", \
  ENV{ID_BUS}=="usb", ENV{ID_FS_TYPE}=="crypto_LUKS", \
  ENV{SYSTEMD_WANTS}="clevis-luks-unlock@%E{DEVNAME}.service"

# cat clevis-luks-unlock@.service
[Unit]
Description=Clevis decrypt disk %I
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/clevis luks unlock -d %I

The only thing that's a bit funky with it is that it generates:

Invalid unit name "clevis-luks-unlock@/dev/sda1.service" escaped as
"clevis-luks-unlock@-dev-sda1.service" (maybe you should use systemd-escape?).

But I'm not sure how else to handle it.

If I left it as ENV{SYSTEMD_WANTS}="clevis-luks-unlock@" I would get the
following instance:

sys-devices-pci0000:00-0000:00:02.0-0000:05:00.0-0000:06:02.0-0000:08:00.0-usb9-9\x2d1-9\x2d1:1.0-host2-target2:0:0-2:0:0:0-block-sda-sda1

which I can unescape with %f but not sure how to get that to the actual device
file.

Any suggestions?

--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
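
An added example, not part of the original message or of systemd's code: a Python model of the path escaping documented in systemd.unit(5) (what `systemd-escape --path` produces) and of the unescaping behind %I and %f, showing why a properly escaped instance round-trips to the device node while a name whose "/" was only swapped for "-" does not. The function names and the sample device paths are constructed for illustration.

```python
import string

# Kept verbatim by the escaping rules in systemd.unit(5); everything else
# (including "-") becomes a \xNN escape, and "/" becomes "-".
SAFE = set(string.ascii_letters + string.digits + ":_.")

def escape_path(path):
    """Escape an absolute path as documented for `systemd-escape --path`."""
    parts = [p for p in path.split("/") if p]  # drop leading/trailing/duplicate "/"
    if any(p in (".", "..") for p in parts):
        raise ValueError("non-normalized path refused (a choice made in this example)")
    if not parts:
        return "-"  # the root directory
    out = []
    for i, ch in enumerate("/".join(parts)):
        if ch == "/":
            out.append("-")
        elif ch in SAFE and not (i == 0 and ch == "."):
            out.append(ch)
        else:
            out.extend("\\x%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)

def unescape(instance):
    """What %I yields: "-" becomes "/", \\xNN becomes the byte NN."""
    out, i = bytearray(), 0
    while i < len(instance):
        if instance[i] == "-":
            out += b"/"
            i += 1
        elif instance.startswith("\\x", i):
            out += bytes.fromhex(instance[i + 2:i + 4])  # ValueError on bad hex
            i += 4
        else:
            out += instance[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")

def to_path(instance):
    """What %f yields for an instance made by escape_path: "/" + unescaped name."""
    return "/" + unescape(instance)

if __name__ == "__main__":
    # Constructed sample device nodes, not taken from a real system.
    for dev in ["/dev/sda1", "/dev/disk/by-id/usb-Example_Stick-part1"]:
        inst = escape_path(dev)
        print(dev, "->", "clevis-luks-unlock@%s.service" % inst, "->", to_path(inst))
    # A name where "/" was merely swapped for "-" does not survive %I:
    print(unescape("-dev-disk-by-id-usb-Example_Stick-part1"))
```

The same unescaping applied to the tail of the long sysfs instance quoted in the message turns `usb9-9\x2d1-9\x2d1:1.0` back into `usb9/9-1/9-1:1.0`, which is why that instance maps to a sysfs path rather than to a /dev node.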