Re: [dm-crypt] u?mount (8) helper script for luks encrypted disks

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Matthias Schniedermeyer <ms@citd.de>
To: Steffen Vogel <post@steffenvogel.de>
Cc: dm-crypt@saout.de,
	Debian Cryptsetup Team
	<pkg-cryptsetup-devel@lists.alioth.debian.org>
Subject: Re: [dm-crypt] u?mount (8) helper script for luks encrypted disks
Date: Mon, 26 Aug 2013 10:23:10 +0200	[thread overview]
Message-ID: <20130826082310.GA10172@citd.de> (raw)
In-Reply-To: <1377358818.1313.21.camel@ryx.lan>

On 24.08.2013 17:40, Steffen Vogel wrote:
> Dear list,
> 
> Today I worked on a simple way to mount/umount luks encrypted disks:
> 
> I know, there a several ways to do this: cryptmount, cryptsetup, initd
> scripts etc..
> 
> But I was looking for a way to use the standard mount (8) utility for
> this. I came up with mount "helper" scripts as used sometimes with
> ntfs-3g, fuse or nfs filesystems. These helper scripts are located
> in /sbin/mount.FSTYPE and executed in precendence if they exist.
> I introduced a "virtual" FSTYPE named "luks" to identify my luks
> encrypted drives.
> 
> My version a simple Bash script which is based on cryptsetup:
> 
> https://github.com/stv0g/snippets/blob/master/bash/mount.luks.sh
> (Please note the comments in the script for further tech details.)
> 
> Now I'm able to mount my drives with a simple call to mount (8):
> 
> 	mount -t luks /dev/sda1 /home
> 
> Or use a line in my /etc/fstab for this:
> 
> 	/dev/sda/   /home   luks   defaults,compress   0 0
> 
> Followed by a std "mount /home"
> 
> At the moment my script has some minor drawbacks which could be
> fixed for the future:
> 
> 1. Mount has to automatically determine the real filesystem type.
>    If it fails with this, my script wont work.

Hmmm. I don't know if it works for everything, but i know it works for 
fuse

mount -t fuse.sshfs ...
Which calls /sbin/mount.fuse and it gets the information that it should 
mount a sshfs.

If it's a generic solution this should work:
mount -t luks.xfs ...

Which you maybe have to parse before you pass it to the second 
mount-process you have to be calling.

> 2. Currently, passphrases can only supplied via STDIN.
> 
> 
> 
> I'm curious about your feedback. And perhaps we could add this to the
> cryptsetup tarball as it's a helper script based on cryptsetup.
> 
> Or do you think thats its up to the distro maintainers to include such a
> enhancement?

Personally i "solved" this by renaming /bin/mount to /bin/mount.orig 
and putting a shell-script as /bin/mount that checks if i want to mount 
a /dev/mapper/XXX and does the setup of XXX before it calls 
/bin/mount.orig.

"Back then" when i implemented that about 1.5 years ago i tried to 
explain to Karel Zak (util-linux maintainer) that a generic "premount" 
and "postumount" command in (u)mount could solve this generic problem. 
The Problem that all cryptographic-setups need (at least) one more step 
to setup(/tear-down) a device. But that didn't happen and i didn't try 
to open the issue again.

-- 

Matthias

next prev parent reply	other threads:[~2013-08-26  8:23 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-24 15:40 [dm-crypt] u?mount (8) helper script for luks encrypted disks Steffen Vogel
2013-08-26  8:23 ` Matthias Schniedermeyer [this message]
2013-08-29  5:50   ` Milan Broz
2013-08-29 23:16     ` Matthias Schniedermeyer
2013-08-29 23:56       ` .. ink ..
2013-08-30  5:29         ` Milan Broz
2013-08-30  5:58           ` .. ink ..
2013-08-30  6:23             ` Milan Broz
2013-08-30  7:59         ` Matthias Schniedermeyer
2013-08-30  8:24           ` .. ink ..
2013-08-30  8:58             ` Matthias Schniedermeyer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130826082310.GA10172@citd.de \
    --to=ms@citd.de \
    --cc=dm-crypt@saout.de \
    --cc=pkg-cryptsetup-devel@lists.alioth.debian.org \
    --cc=post@steffenvogel.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.