[dm-crypt] u?mount (8) helper script for luks encrypted disks
ms at citd.de
Mon Aug 26 10:23:10 CEST 2013
On 24.08.2013 17:40, Steffen Vogel wrote:
> Dear list,
> Today I worked on a simple way to mount/umount luks encrypted disks:
> I know, there are several ways to do this: cryptmount, cryptsetup, initd
> scripts etc.
> But I was looking for a way to use the standard mount (8) utility for
> this. I came up with mount "helper" scripts as used sometimes with
> ntfs-3g, fuse or nfs filesystems. These helper scripts are located
> in /sbin/mount.FSTYPE and executed in precedence if they exist.
> I introduced a "virtual" FSTYPE named "luks" to identify my luks
> encrypted drives.
> My version is a simple Bash script which is based on cryptsetup:
> (Please note the comments in the script for further tech details.)
> Now I'm able to mount my drives with a simple call to mount (8):
> mount -t luks /dev/sda1 /home
> Or use a line in my /etc/fstab for this:
> /dev/sda/ /home luks defaults,compress 0 0
> Followed by a std "mount /home"
> At the moment my script has some minor drawbacks which could be
> fixed for the future:
> 1. Mount has to automatically determine the real filesystem type.
> If it fails with this, my script won't work.
Hmmm. I don't know if it works for everything, but I know it works for
mount -t fuse.sshfs ...
Which calls /sbin/mount.fuse and it gets the information that it should
mount a sshfs.
If it's a generic solution this should work:
mount -t luks.xfs ...
Which you maybe have to parse before you pass it to the second
mount-process you have to be calling.
> 2. Currently, passphrases can only be supplied via STDIN.
> I'm curious about your feedback. And perhaps we could add this to the
> cryptsetup tarball as it's a helper script based on cryptsetup.
> Or do you think that it's up to the distro maintainers to include such a
Personally I "solved" this by renaming /bin/mount to /bin/mount.orig
and putting a shell-script as /bin/mount that checks if I want to mount
a /dev/mapper/XXX and does the setup of XXX before it calls
"Back then" when I implemented that about 1.5 years ago I tried to
explain to Karel Zak (util-linux maintainer) that a generic "premount"
and "postumount" command in (u)mount could solve this generic problem.
The Problem that all cryptographic-setups need (at least) one more step
to setup(/tear-down) a device. But that didn't happen and I didn't try
to open the issue again.
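
Added example (not part of the original mail and not Steffen's script): one way a hypothetical /sbin/mount.luks could parse the "-t luks.xfs" form suggested above and validate the subtype before handing it to the second mount call. It assumes mount passes the type via -t either as "luks.xfs" or as the bare subtype; the function names and the "luks-<device>" mapping name are made up for illustration.

```shell
#!/bin/sh
# Added example: argument handling for a hypothetical /sbin/mount.luks helper.
# Assumption: mount(8) runs the helper as
#   mount.luks SPEC DIR [-sfnv] [-o OPTIONS] [-t TYPE]
# and TYPE may arrive as "luks.xfs" or as the bare subtype "xfs".

# Print the filesystem type for the second mount call ("auto" if none given).
# Fails on anything outside [a-z0-9_-], so a crafted -t value cannot smuggle
# extra words or options into that call.
luks_inner_fstype() {
    t=$1
    case $t in
        ''|luks) t=auto ;;
        luks.*)  t=${t#luks.} ;;
    esac
    case $t in
        ''|luks|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$t"
}

# Parse the helper's command line into SPEC, DIR, OPTS and FSTYPE.
parse_helper_args() {
    [ $# -ge 2 ] || return 1
    SPEC=$1 DIR=$2 OPTS=defaults FSTYPE=auto
    shift 2
    OPTIND=1
    while getopts ':sfnvo:t:' opt; do
        case $opt in
            o) OPTS=$OPTARG ;;
            t) FSTYPE=$(luks_inner_fstype "$OPTARG") || return 1 ;;
            s|f|n|v) ;;          # accepted, not acted on here
            *) return 1 ;;       # unknown flag or missing argument
        esac
    done
}

# Print (not run) the two steps the helper would perform. The mapping name
# "luks-<device basename>" is a made-up convention for this example.
plan_mount() {
    parse_helper_args "$@" || { echo "mount.luks: bad arguments" >&2; return 1; }
    name=luks-${SPEC##*/}
    printf 'cryptsetup luksOpen %s %s\n' "$SPEC" "$name"
    printf 'mount -t %s -o %s /dev/mapper/%s %s\n' "$FSTYPE" "$OPTS" "$name" "$DIR"
}

plan_mount /dev/sda1 /home -t luks.xfs   # constructed sample invocation
```

Passing the explicit inner type to the second mount call avoids relying on autodetection, which is drawback 1 in the quoted mail.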