[dm-crypt] cryptsetup luksClose

Milan Broz mbroz at redhat.com
Wed Jan 18 09:10:06 CET 2012


On 01/17/2012 10:31 PM, Marc Schwarzschild wrote:
>
> Thank you.  I gather from this that I can safely halt or reboot
> while a disk is mounted, right?

 From the LUKS metadata point of view yes (there will be still
encryption key in memory but that's different problem).

 From the filesystem POV above LUKS - it depends. If it is remounted
read-only, there should be no data loss on [un]expected reboot.
(If you reboot while some write IOs are in-flight, of course you get
some corruption.)

Anyway, distro initscripts should handle this during controlled
shutdown for all mounted devices.

Milan

>
> --- January 17, 2012 Milan Broz sent: ---
>
>    On 01/16/2012 03:48 PM, Marc Schwarzschild wrote:
>    >  I am setting up an external USB encrypted drive. I can mount it
>    >  manually after I boot the computer. I understand that I must
>    >  issue the 'cryptsetup luksClose' after I umount the disk. How do
>    >  I arrange for this as part of the Debian halt process so it
>    >  happens automatically when the server is shutdown?
>
>    It is not cryptsetup job, it should be part of initscripts/systemd
>    to correctly unmap active devices on shutdown.
>    (Usually it tries to unmap all crypto disks except device
>    with root fs which is just remounted read-only. Recent systemd is able
>    to unmouteven root device properly.)
>
>    For hot-plugged disks it is usually handled by some GUI service,
>    usually based on udisks.
>
>    >  What happens
>    >  if there is a power failure and 'cryptsetup luksClose' was not
>    >  executed?
>
>    For LUKS, no need to worry after power failure - luksClose
>    just remove kernel mapping (kernel state) it doesn't touch
>    on-disk metadata at all.
>    (Of course there can be some filesystem damage after power failure,
>    but that's not LUKS related, it can happen even for unencrypted fs.)
>
>    Milan
>


More information about the dm-crypt mailing list