[dm-crypt] cryptsetup luksClose
mbroz at redhat.com
Wed Jan 18 09:10:06 CET 2012
On 01/17/2012 10:31 PM, Marc Schwarzschild wrote:
> Thank you. I gather from this that I can safely halt or reboot
> while a disk is mounted, right?
From the LUKS metadata point of view yes (there will be still
encryption key in memory but that's different problem).
From the filesystem POV above LUKS - it depends. If it is remounted
read-only, there should be no data loss on [un]expected reboot.
(If you reboot while some write IOs are in-flight, of course you get
Anyway, distro initscripts should handle this during controlled
shutdown for all mounted devices.
> --- January 17, 2012 Milan Broz sent: ---
> On 01/16/2012 03:48 PM, Marc Schwarzschild wrote:
> > I am setting up an external USB encrypted drive. I can mount it
> > manually after I boot the computer. I understand that I must
> > issue the 'cryptsetup luksClose' after I umount the disk. How do
> > I arrange for this as part of the Debian halt process so it
> > happens automatically when the server is shutdown?
> It is not cryptsetup job, it should be part of initscripts/systemd
> to correctly unmap active devices on shutdown.
> (Usually it tries to unmap all crypto disks except device
> with root fs which is just remounted read-only. Recent systemd is able
> to unmouteven root device properly.)
> For hot-plugged disks it is usually handled by some GUI service,
> usually based on udisks.
> > What happens
> > if there is a power failure and 'cryptsetup luksClose' was not
> > executed?
> For LUKS, no need to worry after power failure - luksClose
> just remove kernel mapping (kernel state) it doesn't touch
> on-disk metadata at all.
> (Of course there can be some filesystem damage after power failure,
> but that's not LUKS related, it can happen even for unencrypted fs.)
More information about the dm-crypt