mount encrypted disk with systemd

I would like to share some snippets to have an encrypted HDD mounted when both the cryptdisk and the keyfile stored on a second keydisk are provided. If the keydisk is removed, the cryptdisk will be unmounted and locked automatically.

Prerequisites

Before starting, run cryptsetup benchmark to check whether encrypting makes sense for you: encryption increases CPU load and will probably lower the data rates.

Hands on

To start, we have to identify the drives by attributes that udev probes when the drive is plugged in. We use udevadm to show the attributes and choose one or two which uniquely identify the drive (ATTR{size} or ATTRS{serial} are usually a good choice) and add them to a udev rule file:

~$ sudo udevadm info --attribute-walk --name=/dev/sda1 | grep size

Add these lines to a new *.rules file in /etc/udev/rules.d/. They create a symbolic link for each disk, with which we can work more easily, and they also trigger the systemd units.

# mount cryptdisk
ACTION=="add", KERNEL=="sd[a-z][0-9]", ATTR{size}=="123456789", SYMLINK+="cryptdisk_crypted", TAG+="systemd", ENV{SYSTEMD_WANTS}+="media-cryptdisk.mount"
# mount cryptkey
ACTION=="add", KERNEL=="sd[a-z][0-9]", ATTR{start}=="3456789", SYMLINK+="cryptkey", TAG+="systemd", ENV{SYSTEMD_WANTS}+="media-cryptdisk.mount"

You can now reload the rules

~$ sudo udevadm control --reload-rules

and test whether the links /dev/cryptkey and /dev/cryptdisk_crypted are created on plug-in. To work effectively with systemd you need to keep in mind that the systemd units define a network (without “loops”) of dependencies. In the end we want to mount our cryptdisk (the service requested by udev on plugging in the device). To be able to do that we have to unlock the disk with our keyfile, and to be able to do that we have to mount the cryptkey drive to a secure location. This leaves us with the task of creating three unit files for systemd that set requirements from the core (mounting) out to the shell (device plugged in). Systemd unit files feature numerous parameters, described in detail in the systemd.unit, systemd.mount and systemd.service manual pages.

Mount the cryptkey drive via /etc/systemd/system/root-cryptkey.mount.

[Unit]
Description=Mount Cryptkey
DefaultDependencies=no
Conflicts=umount.target
Before=umount.target
StopWhenUnneeded=true

[Mount]
What=/dev/cryptkey
# "Where" must match the filename
Where=/root/cryptkey
Options=ro
DirectoryMode=0400

Unlock the cryptdisk with the keyfile via /etc/systemd/system/cryptdisk-unlock.service.

[Unit]
Description=cryptdisk unlock
BindsTo=media-cryptdisk.mount dev-cryptdisk_crypted.device dev-cryptkey.device
Requires=root-cryptkey.mount dev-cryptdisk_crypted.device
After=root-cryptkey.mount dev-cryptdisk_crypted.device

[Service]
Type=oneshot
TimeoutStartSec=0
RemainAfterExit=yes
KillMode=none
# the mapping name (last argument) must match ExecStop below and What= in media-cryptdisk.mount
ExecStart=/sbin/cryptsetup luksOpen -d /root/cryptkey/cryptdisk.key /dev/cryptdisk_crypted cryptdisk
ExecStop=/sbin/cryptsetup luksClose cryptdisk

[Install]
RequiredBy=media-cryptdisk.mount

Finally: mount the cryptdisk via /etc/systemd/system/media-cryptdisk.mount.

[Unit]
Conflicts=umount.target
Before=umount.target
BindsTo=cryptdisk-unlock.service dev-cryptdisk_crypted.device root-cryptkey.mount dev-cryptkey.device
After=cryptdisk-unlock.service dev-mapper-cryptdisk.device
# you may specify some unit file that depends on media-cryptdisk.mount
# Wants=cryptdisk-postmount.service

[Mount]
What=/dev/mapper/cryptdisk
Where=/media/cryptdisk
Type=ext4
Options=defaults,rw,noexec,x-systemd.automount,relatime

There you go. Reload systemd with

~$ sudo systemctl daemon-reload

and display the logs for testing with

~$ sudo journalctl -f

Your encrypted drive should now be mounted at /media/cryptdisk when you plug in both the disk and the keydisk at the same time.
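As an added example (not part of the original post), the following POSIX shell script derives unit names the way systemd-escape --path does and generates the unlock service and the data mount unit from a few parameters, so the device-mapper name used by luksOpen, luksClose and What= cannot drift apart; a second function checks a pair of existing unit files for exactly that mismatch. The function names, parameter order and output directory are assumptions of this example; Conflicts=/Before= on umount.target are left out because mount units get them by default.

```shell
# Added example (not from the original post; all names are assumptions). gen_units
# writes the unlock service and data mount unit from parameters so the device-mapper
# name used by luksOpen, luksClose and What= cannot drift apart; check_mapper_consistency
# flags that mismatch in existing unit files.

# Mimic `systemd-escape --path`: strip outer '/', escape '-' as \x2d, '/' -> '-'.
unit_name_for_path() {
    p=$(printf '%s' "$1" | sed -e 's#^/*##' -e 's#/*$##' -e 's#-#\\x2d#g' -e 's#/#-#g')
    printf '%s.%s\n' "$p" "$2"
}

# gen_units OUTDIR MAPPER KEYDEV KEYMOUNT KEYFILE CRYPTDEV DATAMOUNT; prints the .mount name
gen_units() {
    outdir=$1 mapper=$2 keydev=$3 keymount=$4 keyfile=$5 cryptdev=$6 datamount=$7
    keydevunit=$(unit_name_for_path "$keydev" device)
    keyunit=$(unit_name_for_path "$keymount" mount)
    devunit=$(unit_name_for_path "$cryptdev" device)
    mountunit=$(unit_name_for_path "$datamount" mount)
    cat > "$outdir/cryptdisk-unlock.service" <<EOF
[Unit]
BindsTo=$mountunit $devunit $keydevunit
Requires=$keyunit $devunit
After=$keyunit $devunit
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/cryptsetup luksOpen -d $keymount/$keyfile $cryptdev $mapper
ExecStop=/sbin/cryptsetup luksClose $mapper
EOF
    cat > "$outdir/$mountunit" <<EOF
[Unit]
BindsTo=cryptdisk-unlock.service $devunit $keyunit $keydevunit
After=cryptdisk-unlock.service
[Mount]
What=/dev/mapper/$mapper
Where=$datamount
Type=ext4
Options=defaults,rw,noexec,relatime
EOF
    printf '%s\n' "$mountunit"
}

# Succeeds only if luksOpen's mapping name, luksClose's argument and What= agree.
check_mapper_consistency() {
    o=$(sed -n 's/^ExecStart=.*luksOpen .* \([^ ]*\)[[:space:]]*$/\1/p' "$1")
    c=$(sed -n 's/^ExecStop=.*luksClose \([^ ]*\)[[:space:]]*$/\1/p' "$1")
    w=$(sed -n 's#^What=/dev/mapper/\([^ ]*\)[[:space:]]*$#\1#p' "$2")
    [ -n "$o" ] && [ "$o" = "$c" ] && [ "$o" = "$w" ]
}
```

Run gen_units with the paths from this post and copy the two files into /etc/systemd/system/ next to root-cryptkey.mount; check_mapper_consistency can be pointed at hand-written units before daemon-reload.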

About

Peter Pan. Can fly with fairy dust.

Posted in Linux, Raspberry Pi
