[systemd-devel] How to automatically decrypt a disk on connection

Andrei Borzenkov arvidjaar at gmail.com
Wed Mar 27 18:22:24 UTC 2024


On 27.03.2024 20:56, Orion Poplawski wrote:
> On 3/27/24 10:22, Mantas Mikulėnas wrote:
>>
>>
>> On Wed, Mar 27, 2024, 16:36 Orion Poplawski <orion at nwra.com> wrote:
>>
>>
>>
>>      Can I setup a unit that gets started automatically when a particular
>>      dev-disk-by-uuid device becomes present?
>>
>>
>> Just link it under dev-disk-foo.device.wants/ (systemctl enable, or systemctl
>> add-wants).
>>
>> Alternatively, ENV{SYSTEMD_WANTS}="foo.service" from udev will have the same
>> effect.
> 
> Thanks for pointing me to that.  This is what I've ended up with at the moment:
> 
> ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition",
> ENV{ID_BUS}=="usb", ENV{ID_FS_TYPE}=="crypto_LUKS",
> ENV{SYSTEMD_WANTS}="clevis-luks-unlock@%E{DEVNAME}.service"
> 
> # cat clevis-luks-unlock@.service
> [Unit]
> Description=Clevis decrypt disk %I
> DefaultDependencies=no
> 
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> ExecStart=/usr/bin/clevis luks unlock -d %I
> 
> 
> The only thing that's a bit funky with it is that it generates:
> 
> Invalid unit name "clevis-luks-unlock@/dev/sda1.service" escaped as
> "clevis-luks-unlock@-dev-sda1.service" (maybe you should use systemd-escape?).
> 
> But I'm not sure how else to handle it.
> 
> If I left it as ENV{SYSTEMD_WANTS}="clevis-luks-unlock@" I would get the
> following instance:
> 
> sys-devices-pci0000:00-0000:00:02.0-0000:05:00.0-0000:06:02.0-0000:08:00.0-usb9-9\x2d1-9\x2d1:1.0-host2-target2:0:0-2:0:0:0-block-sda-sda1
> 
> which I can unescape with %f but not sure how to get that to the actual device
> file.
> 
> Any suggestions?
> 
> 

Use $kernel in rule and /dev/%I in service.
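Spelled out, the rule/unit pair that this reply implies, as an added example rather than anything posted in the thread: the match keys are the ones from the original rule, while the file names, the staging-directory wrapper and the clevis command line are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the rule/unit pair the reply describes
# ("$kernel in the rule, /dev/%I in the service"), written to a staging
# directory so the files can be reviewed before being copied under /etc.
# File names and the clevis command line are assumptions; the match keys are
# the ones from the original rule.
set -eu

write_udev_rule() {   # $1 = destination directory
    mkdir -p "$1"
    cat > "$1/99-clevis-usb-luks.rules" <<'EOF'
# $kernel expands to the kernel device name (e.g. sda1), which is already a
# valid unit instance name, so systemd no longer has to escape a /dev path.
ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_BUS}=="usb", ENV{ID_FS_TYPE}=="crypto_LUKS", ENV{SYSTEMD_WANTS}="clevis-luks-unlock@$kernel.service"
EOF
}

write_unit() {        # $1 = destination directory
    mkdir -p "$1"
    cat > "$1/clevis-luks-unlock@.service" <<'EOF'
[Unit]
Description=Clevis decrypt disk /dev/%I
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
# %I is the unescaped instance name, i.e. the kernel name (sda1), so
# prefixing /dev/ yields the device file again.
ExecStart=/usr/bin/clevis luks unlock -d /dev/%I
EOF
}

# Stage both files in the given directory (or a fresh temporary one) and
# print the directory so it can be inspected before installing.
stage_files() {
    dir="${1:-$(mktemp -d)}"
    write_udev_rule "$dir"
    write_unit "$dir"
    printf '%s\n' "$dir"
}
```

After copying the files under /etc/udev/rules.d and /etc/systemd/system, `udevadm control --reload` and `systemctl daemon-reload` pick them up.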

