* [dm-crypt] Auto Mounting when file accessed?
From: Roger @ 2011-01-12 5:34 UTC
To: dm-crypt

Is there a known method by which, when a user accesses a file/folder of an
unmounted dm-crypt partition, the action can spawn an attempt to automatically
mount this partition?

For the password prompt, as I constantly am working within a terminal and not
a GUI desktop for obvious reasons, pinentry is commonly used for prompting in a
terminal or by GUI for a password when using GNUPG.

app-crypt/pinentry
http://gnupg.org/aegypten2/index.html

Any thoughts on this? (Kernel DBUS/UDEV script or something?)

The type of current setup targeted is a file containing an encrypted EXT3
filesystem using dm-crypt, which is mounted at /mnt/crypt.

This is usually left in an unmounted state until wanting access to something
within /mnt/crypt/somefile/orfolder.

ie. "vi /mnt/crypt/myfile" or "abook /mnt/crypt/addressbook --datafile
/home/roger/.abook/addressbook"

I'm thinking something within the dbus/udev (kernel script) is needed.
Another thought, what if TAB Bash Completion is used?

--
Roger
http://rogerx.freeshell.org/
* Re: [dm-crypt] Auto Mounting when file accessed?
From: Ma Begaj @ 2011-01-12 21:05 UTC
To: Roger; +Cc: dm-crypt

2011/1/12 Roger <rogerx.oss@gmail.com>:
> Is there a known method by which, when a user accesses a file/folder of an
> unmounted dm-crypt partition, the action can spawn an attempt to automatically
> mount this partition?
>
> For the password prompt, as I constantly am working within a terminal and not
> a GUI desktop for obvious reasons, pinentry is commonly used for prompting in a
> terminal or by GUI for a password when using GNUPG.
>
> app-crypt/pinentry
> http://gnupg.org/aegypten2/index.html
>
> Any thoughts on this? (Kernel DBUS/UDEV script or something?)
>
>
> The type of current setup targeted is a file containing an encrypted EXT3
> filesystem using dm-crypt, which is mounted at /mnt/crypt.
>
> This is usually left in an unmounted state until wanting access to something
> within /mnt/crypt/somefile/orfolder.
>
> ie. "vi /mnt/crypt/myfile" or "abook /mnt/crypt/addressbook --datafile
> /home/roger/.abook/addressbook"
>
>
> I'm thinking something within the dbus/udev (kernel script) is needed.
> Another thought, what if TAB Bash Completion is used?

inotify-tools could probably help you... something like this could work, i think;

------------------------------------
#!/bin/sh

# watch for folders
inotifywait -m -r --format "%e %w%f" /mnt/crypt | while read -r event file; do

    # and mount if not mounted; mountpoint(1) checks the exact path, whereas
    # "df | grep /mnt/crypt" would also match /mnt/crypt2 or /mnt/cryptold
    if ! mountpoint -q /mnt/crypt ; then
        # relies on an /etc/fstab entry for /mnt/crypt
        mount /mnt/crypt
    fi
done
------------------------------------
* Re: [dm-crypt] Auto Mounting when file accessed?
From: Roger @ 2011-01-13 0:57 UTC
To: Ma Begaj; +Cc: dm-crypt

> On Wed, Jan 12, 2011 at 10:05:00PM +0100, Ma Begaj wrote:
> inotify-tools could probably help you... something like this could
> work, i think;
>
> ------------------------------------
> #!/bin/sh
>
> # watch for folders
> inotifywait -m -r --format "%e %w%f" /mnt/crypt | while read event file; do
>
>     # and mount if not mounted
>     if ! df | grep /mnt/crypt >/dev/null ; then
>         mount /mnt/crypt
>     fi
> done
> ------------------------------------

I tried this and, instead of using "mount /mnt/crypt", I designated a script
to run. I kept getting a superblock/e2fsck error.

My script "mount-crypt" is nearly error proof as it utilizes losetup,
cryptsetup, and then calls e2fsck each time before mounting to /mnt/crypt.
mount-crypt always calls umount-crypt in case losetup is halfway started, and
then always calls e2fsck before mounting to /mnt/crypt.

The other issues are:

1) Using inotify requires it to be in a script that needs to be started at
   startup.
2) It needs to embed the password or use app-crypt/pinentry.
3) pinentry or asking for a passphrase is likely going to only occur on the
   terminal the inotify script is started from, vs the terminal wanting access
   to the file or folder.

I think #3 is going to be the real issue because it's calling mount-crypt from
another terminal or its own bash process. I know the pinentry GUI prompt is
likely not an issue though.

...anyways, I likely need to research everything here again and do some more
testing. Technically, everything I'm doing in mount-crypt should likely be done
behind the scenes.

--
Roger
http://rogerx.freeshell.org/
* Re: [dm-crypt] Auto Mounting when file accessed?
From: Roger @ 2011-01-13 1:14 UTC
To: Ma Begaj; +Cc: dm-crypt, Roger

> On Wed, Jan 12, 2011 at 10:05:00PM +0100, Ma Begaj wrote:
>
> inotify-tools could probably help you... something like this could
> work, i think;
>
> ------------------------------------
> #!/bin/sh
>
> # watch for folders
> inotifywait -m -r --format "%e %w%f" /mnt/crypt | while read event file; do
>
>     # and mount if not mounted
>     if ! df | grep /mnt/crypt >/dev/null ; then
>         mount /mnt/crypt
>     fi
> done
> ------------------------------------

Oh, and one more big thing, a user can use:

vi /mnt/crypt/blah.txt, and vi will still open a file even though mounting has
been called for. Same goes for any other command used on /mnt/crypt before
it's mounted.

And I think this is where dbus/udev would step in and hold or wait on the
command and mount before proceeding with the command on the filesystem.

--
Roger
http://rogerx.freeshell.org/
* Re: [dm-crypt] Auto Mounting when file accessed?
From: Aaron Lewis @ 2011-01-13 8:22 UTC
To: dm-crypt

I didn't follow this thread, but if you just want a simple device
auto-mounter and un-mounter, you should try out the kernel automounter
rather than a simple script.

On 01/13/2011 09:14 AM, Roger wrote:
>> On Wed, Jan 12, 2011 at 10:05:00PM +0100, Ma Begaj wrote:
>>
>> inotify-tools could probably help you... something like this could
>> work, i think;
>>
>> ------------------------------------
>> #!/bin/sh
>>
>> # watch for folders
>> inotifywait -m -r --format "%e %w%f" /mnt/crypt | while read event file; do
>>
>>     # and mount if not mounted
>>     if ! df | grep /mnt/crypt >/dev/null ; then
>>         mount /mnt/crypt
>>     fi
>> done
>> ------------------------------------
>
>
> Oh, and one more big thing, a user can use:
>
> vi /mnt/crypt/blah.txt, and vi will still open a file even though mounting has
> been called for. Same goes for any other command used on /mnt/crypt before
> it's mounted.
>
> And I think this is where dbus/udev would step in and hold or wait on the
> command and mount before proceeding with the command on the filesystem.

--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
* Re: [dm-crypt] Auto Mounting when file accessed?
From: Roger @ 2011-01-13 9:39 UTC
Cc: dm-crypt

On Thu, Jan 13, 2011 at 04:22:17PM +0800, Aaron Lewis wrote:
> I didn't follow this thread, but if you just want a simple device
> auto-mounter and un-mounter, you should try out the kernel automounter
> rather than a simple script.

I got an email also about using the kernel automounter. Just haven't had the
time to test and follow up on this.

I can only think that I'm still going to get hung up somewhere between mount
and the password or pinentry issue on demand. But I have used the automounter
with CD-ROMs in the past with good success.

--
Roger
http://rogerx.freeshell.org/
* Re: [dm-crypt] Auto Mounting when file accessed?
From: Roger @ 2011-01-13 10:00 UTC
To: dm-crypt

On Thu, Jan 13, 2011 at 12:39:43AM -0900, Roger wrote:
> On Thu, Jan 13, 2011 at 04:22:17PM +0800, Aaron Lewis wrote:
>> I didn't follow this thread, but if you just want a simple device
>> auto-mounter and un-mounter, you should try out the kernel automounter
>> rather than a simple script.
>
> I got an email also about using the kernel automounter. Just haven't had the
> time to test and follow up on this.
>

Found something at the following link. The only issue I now have is working
around not using a keyfile and trying to integrate something like pinentry on
the CLI on demand.

Thanks for the help!

http://www.debian-administration.org/articles/127
(Posted by ste (81.174.xx.xx) on Tue 19 Jun 2007 at 18:09)

---snip---
In order to avoid opening the hotplug box, I just hacked up this autofs
script. It meets my needs so someone else may find it of use too. It will
automount an encrypted block device at /dev/sdb using whatever name you
choose. The key file with a corresponding name in /etc is used to decrypt the
device.

I have a set of removable hard drives that are used for backup (RDX QuikStor).
With the following configuration I can insert a cartridge and the backup
software (Bacula) can just mount it, making the encryption transparent to it.

The mapping for the 'cd' key also appears in this script. That's there because
I'm mounting this at /media and hijacking the original, static
/etc/auto.media.

In /etc/auto.master:

/media /etc/auto.media

In /etc/auto.media:

#!/bin/bash

# This is the path beneath this map's root that autofs is looking for
key="$1"

# A static mapping for the key 'cd'
# This is what /etc/auto.media used to do statically
if [ "$key" == "cd" ]; then
    echo -fstype=iso9660,ro,nosuid,nodev / :/dev/cdrom
    exit 0
fi

# The cryptsetup tool from the package of the same name
CRYPTSETUP=/sbin/cryptsetup

# This is the raw device that we will mount
mount_device=/dev/sdb

# This is the encryption key file
key_file=/etc/quikstor.key

# Options to pass to the cryptsetup tool
luks_opts="--key-file $key_file"

# Mount options for the encrypted filesystem
mount_opts="-fstype=xfs,defaults"

# The mapped block device
crypt_device=/dev/mapper/$key

# Give up if there is no key or setup tool
[ -r $key_file ] || exit 0
[ -x $CRYPTSETUP ] || exit 0

# If there is an encrypted device mapped in already, it must be from a
# previous mount. It may be out-of-date so remove it now.
[ -b $crypt_device ] && $CRYPTSETUP remove $key

# Give up if the raw device doesn't have a LUKS header
$CRYPTSETUP isLuks $mount_device || exit 0

# Open the encrypted block device
$CRYPTSETUP luksOpen $mount_device $key $luks_opts >& /dev/null || exit 1

# If we ended up with a block device, echo a mount line for autofs to use
if [ -b $crypt_device ]; then
    echo $mount_opts / $crypt_device
fi
---snip---

--
Roger
http://rogerx.freeshell.org/
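The map quoted above unlocks with a key file kept in /etc, which is exactly what Roger wants to avoid. What follows is an added example, not code from the thread, from the linked article, or from the cryptsetup or autofs projects: the same program-map idea adapted to the setup described in the opening post (a container file holding an ext3 filesystem, opened with losetup, cryptsetup and e2fsck), with the passphrase obtained from pinentry over its Assuan protocol instead of from a key file. Everything beyond that is an assumption of this example: the container path, the map name "crypt", that the container has a LUKS header (a plain dm-crypt mapping would need the cipher options instead), that pinentry-curses is the flavour in use, and that the terminal to prompt on is published in /run/crypt-tty by the user's shell, because automount runs the map as root with no controlling terminal and cannot know which shell triggered the lookup. The one thing autofs gives for free is the "hold the command" behaviour Roger was hoping for from dbus/udev: the triggering process (vi, abook, ...) blocks inside the kernel's autofs lookup until this script has returned its mount line.

```shell
#!/bin/sh
# Added example (not from the thread): an autofs program map that unlocks a
# LUKS container file on demand and asks for the passphrase through pinentry.
# Assumptions, none of them from the original posts:
#   CONTAINER - file holding the dm-crypt/ext3 filesystem (assumed LUKS)
#   MAPNAME   - dm-crypt mapping name; also the only autofs key this map accepts
#   CRYPT_TTY - terminal pinentry-curses draws on. automount runs this script
#               as root with no controlling terminal, so the user's shell has
#               to publish its tty first, e.g.:  tty > /run/crypt-tty
#   PINENTRY  - the pinentry flavour to drive
set -u

CONTAINER=${CONTAINER:-/home/roger/crypt.img}
MAPNAME=${MAPNAME:-crypt}
PINENTRY=${PINENTRY:-pinentry-curses}
CRYPT_TTY=${CRYPT_TTY:-$(cat /run/crypt-tty 2>/dev/null || true)}

# Decode Assuan percent escapes in a D line (%25 -> '%', %0A -> LF, %0D -> CR);
# a '%' not followed by two hex digits is passed through unchanged.
assuan_unescape() {
    awk 'BEGIN { for (i = 0; i < 256; i++) hex[sprintf("%02X", i)] = i }
    {
        s = $0; out = ""
        while ((p = index(s, "%")) > 0) {
            out = out substr(s, 1, p - 1)
            code = toupper(substr(s, p + 1, 2))
            if (code in hex) { out = out sprintf("%c", hex[code]); s = substr(s, p + 3) }
            else             { out = out "%";                        s = substr(s, p + 1) }
        }
        printf "%s%s", out, s
    }'
}

# Read the Assuan transcript pinentry writes to stdout; print the decoded PIN
# from the "D <data>" line. Fail if pinentry answered ERR first (user
# cancelled, no usable tty, ...) or never produced a D line at all.
assuan_getpin_parse() {
    raw=$(awk '/^ERR / { exit 1 }
               /^D /   { print substr($0, 3); exit 0 }') || return 1
    [ -n "$raw" ] || return 1
    printf '%s' "$raw" | assuan_unescape
}

# Drive pinentry over Assuan. The passphrase never appears in argv or in a
# file; it comes back only as a D line on pinentry's stdout.
pinentry_getpin() {
    desc=$1; tty=$2
    {
        printf 'OPTION ttyname=%s\n' "$tty"
        printf 'OPTION ttytype=%s\n' "${TERM:-vt100}"
        printf 'SETDESC %s\n' "$desc"
        printf 'SETPROMPT Passphrase:\n'
        printf 'GETPIN\n'
        printf 'BYE\n'
    } | "$PINENTRY" | assuan_getpin_parse
}

# The one line autofs expects on stdout: [-options] location. A leading ':'
# marks a local block device; nosuid,nodev because this holds user data only.
autofs_mount_line() {
    printf '%s :/dev/mapper/%s\n' '-fstype=ext3,nosuid,nodev' "$1"
}

# Unlock the container and hand autofs the mapped device. This mirrors the
# losetup / cryptsetup / e2fsck sequence Roger describes for his mount-crypt
# script, whose actual text is not on the page.
open_container() {
    key=$1
    # The key is whatever path component a user touched under the autofs
    # root, so only the one name this map owns is accepted.
    [ "$key" = "$MAPNAME" ] || return 1
    # Still mapped from an earlier trigger (autofs unmounted it on timeout but
    # never closes the dm-crypt mapping): reuse it without prompting again.
    if [ -b "/dev/mapper/$key" ]; then
        autofs_mount_line "$key"
        return 0
    fi
    [ -n "$CRYPT_TTY" ] || { echo "no tty to prompt on; write one to /run/crypt-tty" >&2; return 1; }
    pass=$(pinentry_getpin "Unlock $CONTAINER" "$CRYPT_TTY") || return 1
    loopdev=$(losetup -f --show "$CONTAINER") || return 1
    # --key-file=- takes the whole of stdin as the passphrase, so printf
    # without a trailing newline gives exactly what the user would type.
    if ! printf '%s' "$pass" | cryptsetup luksOpen --key-file=- "$loopdev" "$key"; then
        losetup -d "$loopdev"
        return 1
    fi
    unset pass
    # e2fsck -p: 0 = clean, 1 = errors corrected; anything higher means the
    # filesystem is not safe to hand out, so tear the mapping down again.
    if ! { e2fsck -p "/dev/mapper/$key" >/dev/null 2>&1 || [ $? -le 1 ]; }; then
        cryptsetup luksClose "$key"
        losetup -d "$loopdev"
        return 1
    fi
    autofs_mount_line "$key"
}

# automount invokes the map with the requested key as $1. With no argument
# (sourced for its functions) nothing runs.
if [ $# -gt 0 ]; then
    open_container "$1"
fi
```

Installed as an executable /etc/auto.crypt (autofs treats an executable map file as a program map) with a master entry such as `/mnt /etc/auto.crypt --timeout=300`, the container is reached as /mnt/crypt and a bare `vi /mnt/crypt/myfile` triggers the prompt. Two caveats a practitioner should weigh: the passphrase prompt lands on whatever tty is in /run/crypt-tty, not necessarily the shell that triggered the lookup; and, as Arno points out further down the thread, autofs handles mounting but not mapping, so after the idle unmount the dm-crypt mapping and its key stay in kernel memory until someone runs `cryptsetup luksClose crypt`, and the next trigger will remount without asking for the passphrase.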
* Re: [dm-crypt] Auto Mounting when file accessed?
From: Arno Wagner @ 2011-01-13 18:25 UTC
To: dm-crypt

Ah, nice! So autofs can execute something on mount. Good to know.

Arno

On Thu, Jan 13, 2011 at 01:00:38AM -0900, Roger wrote:
> On Thu, Jan 13, 2011 at 12:39:43AM -0900, Roger wrote:
> > On Thu, Jan 13, 2011 at 04:22:17PM +0800, Aaron Lewis wrote:
> >> I didn't follow this thread, but if you just want a simple device
> >> auto-mounter and un-mounter, you should try out the kernel automounter
> >> rather than a simple script.
> >
> > I got an email also about using the kernel automounter. Just haven't had the
> > time to test and follow up on this.
> >
>
> Found something at the following link. The only issue I now have is working
> around not using a keyfile and trying to integrate something like pinentry on
> the CLI on demand.
>
> Thanks for the help!
>
>
> http://www.debian-administration.org/articles/127
> (Posted by ste (81.174.xx.xx) on Tue 19 Jun 2007 at 18:09)
>
> ---snip---
> In order to avoid opening the hotplug box, I just hacked up this autofs
> script. It meets my needs so someone else may find it of use too. It will
> automount an encrypted block device at /dev/sdb using whatever name you
> choose. The key file with a corresponding name in /etc is used to decrypt
> the device.
>
> I have a set of removable hard drives that are used for backup (RDX
> QuikStor). With the following configuration I can insert a cartridge and the
> backup software (Bacula) can just mount it, making the encryption
> transparent to it.
>
> The mapping for the 'cd' key also appears in this script. That's there
> because I'm mounting this at /media and hijacking the original, static
> /etc/auto.media.
>
> In /etc/auto.master:
>
> /media /etc/auto.media
>
> In /etc/auto.media:
>
> #!/bin/bash
>
> # This is the path beneath this map's root that autofs is looking for
> key="$1"
>
> # A static mapping for the key 'cd'
> # This is what /etc/auto.media used to do statically
> if [ "$key" == "cd" ]; then
>     echo -fstype=iso9660,ro,nosuid,nodev / :/dev/cdrom
>     exit 0
> fi
>
> # The cryptsetup tool from the package of the same name
> CRYPTSETUP=/sbin/cryptsetup
>
> # This is the raw device that we will mount
> mount_device=/dev/sdb
>
> # This is the encryption key file
> key_file=/etc/quikstor.key
>
> # Options to pass to the cryptsetup tool
> luks_opts="--key-file $key_file"
>
> # Mount options for the encrypted filesystem
> mount_opts="-fstype=xfs,defaults"
>
> # The mapped block device
> crypt_device=/dev/mapper/$key
>
> # Give up if there is no key or setup tool
> [ -r $key_file ] || exit 0
> [ -x $CRYPTSETUP ] || exit 0
>
> # If there is an encrypted device mapped in already, it must be from a
> # previous mount. It may be out-of-date so remove it now.
> [ -b $crypt_device ] && $CRYPTSETUP remove $key
>
> # Give up if the raw device doesn't have a LUKS header
> $CRYPTSETUP isLuks $mount_device || exit 0
>
> # Open the encrypted block device
> $CRYPTSETUP luksOpen $mount_device $key $luks_opts >& /dev/null || exit 1
>
> # If we ended up with a block device, echo a mount line for autofs to use
> if [ -b $crypt_device ]; then
>     echo $mount_opts / $crypt_device
> fi
> ---snip---
>
>
> --
> Roger
> http://rogerx.freeshell.org/
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news" is
"something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] Auto Mounting when file accessed?
From: Ma Begaj @ 2011-01-14 9:12 UTC
To: dm-crypt

2011/1/13 Roger <rogerx.oss@gmail.com>:
> On Thu, Jan 13, 2011 at 12:39:43AM -0900, Roger wrote:
>> On Thu, Jan 13, 2011 at 04:22:17PM +0800, Aaron Lewis wrote:
>>> I didn't follow this thread, but if you just want a simple device
>>> auto-mounter and un-mounter, you should try out the kernel automounter
>>> rather than a simple script.
>>
>> I got an email also about using the kernel automounter. Just haven't had the
>> time to test and follow up on this.
>>
>
> Found something at the following link. The only issue I now have is working
> around not using a keyfile and trying to integrate something like pinentry on
> the CLI on demand.
>
> Thanks for the help!
>
>
> http://www.debian-administration.org/articles/127
> (Posted by ste (81.174.xx.xx) on Tue 19 Jun 2007 at 18:09)
>
> ---snip---
> In order to avoid opening the hotplug box, I just hacked up this autofs
> script. It meets my needs so someone else may find it of use too. It will
> automount an encrypted block device at /dev/sdb using whatever name you
> choose. The key file with a corresponding name in /etc is used to decrypt
> the device.
>
> I have a set of removable hard drives that are used for backup (RDX
> QuikStor). With the following configuration I can insert a cartridge and the
> backup software (Bacula) can just mount it, making the encryption
> transparent to it.
>
> The mapping for the 'cd' key also appears in this script. That's there
> because I'm mounting this at /media and hijacking the original, static
> /etc/auto.media.
>
> In /etc/auto.master:
>
> /media /etc/auto.media
>
> In /etc/auto.media:
>
> #!/bin/bash
>
> # This is the path beneath this map's root that autofs is looking for
> key="$1"
>
> # A static mapping for the key 'cd'
> # This is what /etc/auto.media used to do statically
> if [ "$key" == "cd" ]; then
>     echo -fstype=iso9660,ro,nosuid,nodev / :/dev/cdrom
>     exit 0
> fi
>
> # The cryptsetup tool from the package of the same name
> CRYPTSETUP=/sbin/cryptsetup
>
> # This is the raw device that we will mount
> mount_device=/dev/sdb
>
> # This is the encryption key file
> key_file=/etc/quikstor.key
>
> # Options to pass to the cryptsetup tool
> luks_opts="--key-file $key_file"
>
> # Mount options for the encrypted filesystem
> mount_opts="-fstype=xfs,defaults"
>
> # The mapped block device
> crypt_device=/dev/mapper/$key
>
> # Give up if there is no key or setup tool
> [ -r $key_file ] || exit 0
> [ -x $CRYPTSETUP ] || exit 0
>
> # If there is an encrypted device mapped in already, it must be from a
> # previous mount. It may be out-of-date so remove it now.
> [ -b $crypt_device ] && $CRYPTSETUP remove $key
>
> # Give up if the raw device doesn't have a LUKS header
> $CRYPTSETUP isLuks $mount_device || exit 0
>
> # Open the encrypted block device
> $CRYPTSETUP luksOpen $mount_device $key $luks_opts >& /dev/null || exit 1
>
> # If we ended up with a block device, echo a mount line for autofs to use
> if [ -b $crypt_device ]; then
>     echo $mount_opts / $crypt_device
> fi
> ---snip---
>

great thanks. much better solution than my inotify script (which even cannot
work for your problem) ;-)
* Re: [dm-crypt] Auto Mounting when file accessed?
From: Arno Wagner @ 2011-01-12 23:13 UTC
To: dm-crypt

On Tue, Jan 11, 2011 at 08:34:35PM -0900, Roger wrote:
[...]
> Another thought, what if TAB Bash Completion is used?

Bash hashes once and then does not search. This should prevent unwanted mounts
and still do wanted ones.

I also assume you are talking about mapping and mount, not just mounting of
already mapped (i.e. decrypted) devices. The latter could be done with the
standard kernel automounter. But I think it has no hooks, so something else
would be needed here.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news" is
"something that hardly ever happens." -- Bruce Schneier