[dm-crypt] Auto Mounting when file accessed?
arno at wagner.name
Thu Jan 13 19:25:11 CET 2011
Ah, nice! So autofs can execute something on mount. Good
On Thu, Jan 13, 2011 at 01:00:38AM -0900, Roger wrote:
> On Thu, Jan 13, 2011 at 12:39:43AM -0900, Roger wrote:
> >On Thu, Jan 13, 2011 at 04:22:17PM +0800, Aaron Lewis wrote:
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>Hash: SHA1
> >>I didn't follow this thread , but if you just want an simple device
> >>auto-mounter and un-mounter , you should try out kernel auto mounter
> >>rather than a simple script.
> >I got an email also about using the kernel automounter. Just haven't had the
> >time to test and follow-up on this.
> Found something at the following link. The only issue I now have is
> working around not using a keyfile and trying to integrate into using something
> like pinentry on CLI on demand.
> Thanks for the help!
> (Posted by ste (81.174.xx.xx) on Tue 19 Jun 2007 at 18:09)
> In order to avoid opening the hotplug box, I just hacked up this autofs script. It meets my needs so someone else may find it of use too. It will automount an encrypted block device at /dev/sdb using whatever name you choose. The key files with a corresponding name in /etc is used to decrypt the device.
> I have a set of removable hard drives that are used for backup (RDX QuikStor). With the following configuration I can insert a cartridge and the backup software (Bacula) can just mount it, making the encryption transparent to it.
> The mapping for the 'cd' key also appears in this script. That's there because I'm mounting this at /media and hijacking the original, static /etc/auto.media. In /etc/auto.master:
> /media /etc/auto.media
> In /etc/auto.media:
> # This is the path beneath this map's root that autofs is looking for
> # A static mapping for the key 'cd'
> # This is what /etc/auto.media used to do statically
> if [ "$key" == "cd" ]; then
> echo -fstype=iso9660,ro,nosuid,nodev / :/dev/cdrom
> exit 0
> # The cryptsetup tool from the package of the same name
> # This is the raw device that we will mount
> # This is the encryption key file
> # Options to pass to the cryptsetup tool
> luks_opts="--key-file $key_file"
> # Mount options for the encrypted fileystem
> # The mapped block device
> # Give up if there is no key or setup tool
> [ -r $key_file ] || exit 0
> [ -x $CRYPTSETUP ] || exit 0
> # If there is an encrypted device mapped in already, it must be from a
> # previous mount. It may be out-of-date so remove it now.
> [ -b $crypt_device ] && $CRYPTSETUP remove $key
> # Give up if the raw device doesn't have a LUKS header
> $CRYPTSETUP isLuks $mount_device || exit 0
> # Open the encrypted block device
> $CRYPTSETUP luksOpen $mount_device $key $luks_opts >& /dev/null || exit 1
> # If we ended up with a block device, echo a mount line for autofs to use
> if [ -b $crypt_device ]; then
> echo $mount_opts / $crypt_device
> dm-crypt mailing list
> dm-crypt at saout.de
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
More information about the dm-crypt