Date: Mon, 26 Aug 2013 10:23:10 +0200
From: Matthias Schniedermeyer
Message-ID: <20130826082310.GA10172@citd.de>
References: <1377358818.1313.21.camel@ryx.lan>
In-Reply-To: <1377358818.1313.21.camel@ryx.lan>
Subject: Re: [dm-crypt] u?mount (8) helper script for luks encrypted disks
To: Steffen Vogel
Cc: dm-crypt@saout.de, Debian Cryptsetup Team

On 24.08.2013 17:40, Steffen Vogel wrote:
> Dear list,
>
> Today I worked on a simple way to mount/umount luks encrypted disks:
>
> I know, there are several ways to do this: cryptmount, cryptsetup, initd
> scripts etc..
>
> But I was looking for a way to use the standard mount (8) utility for
> this. I came up with mount "helper" scripts as used sometimes with
> ntfs-3g, fuse or nfs filesystems. These helper scripts are located
> in /sbin/mount.FSTYPE and executed in precedence if they exist.
> I introduced a "virtual" FSTYPE named "luks" to identify my luks
> encrypted drives.
>
> My version is a simple Bash script which is based on cryptsetup:
>
> https://github.com/stv0g/snippets/blob/master/bash/mount.luks.sh
> (Please note the comments in the script for further tech details.)
>
> Now I'm able to mount my drives with a simple call to mount (8):
>
>     mount -t luks /dev/sda1 /home
>
> Or use a line in my /etc/fstab for this:
>
>     /dev/sda/ /home luks defaults,compress 0 0
>
> Followed by a std "mount /home"
>
> At the moment my script has some minor drawbacks which could be
> fixed for the future:
>
> 1. Mount has to automatically determine the real filesystem type.
> If it fails with this, my script won't work.

Hmmm. I don't know if it works for everything, but I know it works for
fuse

    mount -t fuse.sshfs ...

Which calls /sbin/mount.fuse and it gets the information that it should
mount a sshfs.

If it's a generic solution this should work:

    mount -t luks.xfs ...

Which you maybe have to parse before you pass it to the second
mount-process you have to be calling.

> 2. Currently, passphrases can only be supplied via STDIN.
>
>
>
> I'm curious about your feedback. And perhaps we could add this to the
> cryptsetup tarball as it's a helper script based on cryptsetup.
>
> Or do you think that it's up to the distro maintainers to include such an
> enhancement?

Personally I "solved" this by renaming /bin/mount to /bin/mount.orig and
putting a shell-script as /bin/mount that checks if I want to mount a
/dev/mapper/XXX and does the setup of XXX before it calls
/bin/mount.orig.

"Back then" when I implemented that about 1.5 years ago I tried to
explain to Karel Zak (util-linux maintainer) that a generic "premount"
and "postumount" command in (u)mount could solve this generic problem.
The problem that all cryptographic-setups need (at least) one more step
to setup(/tear-down) a device. But that didn't happen and I didn't try
to open the issue again.

-- 
Matthias
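
The "-t luks.xfs" parsing suggested in the reply, as an added example (not Steffen's mount.luks.sh and not code posted in this thread): a dry-run sketch that extracts and validates the subtype before it reaches the second mount call. It assumes the helper argument syntax documented in mount(8); the function names and the "luks-<basename>" mapper name are hypothetical, and it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: argument handling for a hypothetical /sbin/mount.luks.
# mount(8) calls a helper as:
#   mount.<type> spec dir [-sfnv] [-N namespace] [-o options] [-t type.subtype]

# Print the inner filesystem type for a "-t" value, or fail.
luks_subtype() {
    case "$1" in
        luks) echo auto ;;              # no subtype: inner mount probes the type
        luks.*)
            sub=${1#luks.}
            # Accept only plain filesystem names so the value cannot carry
            # extra options, paths or a nested helper into the inner mount.
            case "$sub" in
                ''|*[!a-z0-9_-]*) return 1 ;;
            esac
            echo "$sub" ;;
        *) return 1 ;;
    esac
}

# Parse the helper arguments and print the two commands that would run.
# The mapper name "luks-<basename of device>" is an assumption of this sketch.
plan_mount() {
    [ $# -ge 2 ] || return 2
    dev=$1 dir=$2; shift 2
    type=luks opts=
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) [ $# -ge 2 ] || return 2; type=$2; shift 2 ;;
            -o) [ $# -ge 2 ] || return 2; opts=$2; shift 2 ;;
            -N) [ $# -ge 2 ] || return 2; shift 2 ;;   # namespace: ignored here
            -*) shift ;;                               # -s -f -n -v: ignored here
            *)  return 2 ;;
        esac
    done
    fstype=$(luks_subtype "$type") || return 1
    name="luks-$(basename "$dev")"
    echo "cryptsetup luksOpen $dev $name"
    echo "mount -t $fstype ${opts:+-o $opts }/dev/mapper/$name $dir"
}

# Stand-alone use: print the plan for the arguments mount(8) would pass.
[ $# -eq 0 ] || plan_mount "$@"
```
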