* [dm-crypt] cryptsetup luksClose
@ 2012-01-16 14:48 Marc Schwarzschild
  2012-01-17  8:50 ` Milan Broz
  0 siblings, 1 reply; 5+ messages in thread
From: Marc Schwarzschild @ 2012-01-16 14:48 UTC (permalink / raw)
  To: dm-crypt


Hi,

I am setting up an external USB encrypted drive. I can mount it
manually after I boot the computer. I understand that I must
issue the 'cryptsetup luksClose' after I umount the disk. How do
I arrange for this as part of the Debian halt process so it
happens automatically when the server is shutdown? What happens
if there is a power failure and 'cryptsetup luksClose' was not
executed?

Thank you,
Marc

-- 

_________________________________________________________
Marc Schwarzschild 212-580-1175 The Brookhaven Group, LLC


* Re: [dm-crypt] cryptsetup luksClose
  2012-01-16 14:48 [dm-crypt] cryptsetup luksClose Marc Schwarzschild
@ 2012-01-17  8:50 ` Milan Broz
  2012-01-17 21:31   ` Marc Schwarzschild
  0 siblings, 1 reply; 5+ messages in thread
From: Milan Broz @ 2012-01-17  8:50 UTC (permalink / raw)
  To: Marc Schwarzschild; +Cc: dm-crypt

On 01/16/2012 03:48 PM, Marc Schwarzschild wrote:
> I am setting up an external USB encrypted drive. I can mount it
> manually after I boot the computer. I understand that I must
> issue the 'cryptsetup luksClose' after I umount the disk. How do
> I arrange for this as part of the Debian halt process so it
> happens automatically when the server is shutdown?

It is not cryptsetup's job, it should be part of initscripts/systemd
to correctly unmap active devices on shutdown.
(Usually it tries to unmap all crypto disks except device
with root fs which is just remounted read-only. Recent systemd is able
to unmount even root device properly.)

For hot-plugged disks it is usually handled by some GUI service,
usually based on udisks.

> What happens
> if there is a power failure and 'cryptsetup luksClose' was not
> executed?

For LUKS, no need to worry after power failure - luksClose
just removes the kernel mapping (kernel state); it doesn't touch
on-disk metadata at all.
(Of course there can be some filesystem damage after power failure,
but that's not LUKS related, it can happen even for unencrypted fs.)

Milan
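
The shutdown ordering described in the reply above, as an added example (not code from this thread or from any distribution's initscripts): it only prints the commands a shutdown hook would run for each active dm-crypt mapping. The function names, mapping names and sample state are constructed; it assumes filesystems sit directly on `/dev/mapper/<name>` and mount points contain no whitespace.

```shell
#!/bin/sh
# Added example: plan the unmount/luksClose order for active dm-crypt
# mappings at shutdown. Commands are printed, never executed.
# Assumption: no LVM on top of the mapping, no whitespace in mount points.

# plan_crypt_shutdown DMSETUP_FILE MOUNTS_FILE
#   DMSETUP_FILE: saved output of "dmsetup ls --target crypt"
#   MOUNTS_FILE:  /proc/mounts or a file in the same format
plan_crypt_shutdown() {
    awk '
        FILENAME == ARGV[1] {               # mapping list: "name (major:minor)"
            if (NF && $0 !~ /^No devices found/) names[++n] = $1
            next
        }
        { cnt[$1]++; mp[$1, cnt[$1]] = $2 } # mounts: "source mountpoint ..."
        END {
            for (i = 1; i <= n; i++) {
                src = "/dev/mapper/" names[i]
                m = cnt[src] + 0
                root = 0
                for (k = 1; k <= m; k++) if (mp[src, k] == "/") root = 1
                if (root) {
                    # Root cannot be unmapped while in use: remount read-only.
                    print "mount -o remount,ro /"
                    continue
                }
                # Unmount the newest mount first, then drop the kernel mapping.
                for (k = m; k >= 1; k--) print "umount " mp[src, k]
                print "cryptsetup luksClose " names[i]
            }
        }
    ' "$1" "$2"
}

# Constructed sample state: a mounted USB disk, an open but unmounted
# mapping, and the mapping that backs the root filesystem.
sample_plan() {
    d=$(mktemp) && m=$(mktemp) || return 1
    printf 'usb_backup\t(254:2)\nscratch\t(254:3)\nroot_crypt\t(254:0)\n' > "$d"
    printf '%s\n' '/dev/mapper/root_crypt / ext4 rw,relatime 0 0' \
        '/dev/mapper/usb_backup /mnt/backup ext4 rw,relatime 0 0' \
        'proc /proc proc rw,nosuid 0 0' > "$m"
    plan_crypt_shutdown "$d" "$m"
    rm -f "$d" "$m"
}

sample_plan
```

On a live system the two inputs would be the saved output of `dmsetup ls --target crypt` and `/proc/mounts`; review the printed plan before running any of it as root.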


* Re: [dm-crypt] cryptsetup luksClose
  2012-01-17  8:50 ` Milan Broz
@ 2012-01-17 21:31   ` Marc Schwarzschild
  2012-01-18  8:10     ` Milan Broz
  0 siblings, 1 reply; 5+ messages in thread
From: Marc Schwarzschild @ 2012-01-17 21:31 UTC (permalink / raw)
  To: Milan Broz; +Cc: dm-crypt


Thank you.  I gather from this that I can safely halt or reboot
while a disk is mounted, right?

--- January 17, 2012 Milan Broz sent: ---

  On 01/16/2012 03:48 PM, Marc Schwarzschild wrote:
  > I am setting up an external USB encrypted drive. I can mount it
  > manually after I boot the computer. I understand that I must
  > issue the 'cryptsetup luksClose' after I umount the disk. How do
  > I arrange for this as part of the Debian halt process so it
  > happens automatically when the server is shutdown?
  
  It is not cryptsetup's job, it should be part of initscripts/systemd
  to correctly unmap active devices on shutdown.
  (Usually it tries to unmap all crypto disks except device
  with root fs which is just remounted read-only. Recent systemd is able
  to unmount even root device properly.)
  
  For hot-plugged disks it is usually handled by some GUI service,
  usually based on udisks.
  
  > What happens
  > if there is a power failure and 'cryptsetup luksClose' was not
  > executed?
  
  For LUKS, no need to worry after power failure - luksClose
  just removes the kernel mapping (kernel state); it doesn't touch
  on-disk metadata at all.
  (Of course there can be some filesystem damage after power failure,
  but that's not LUKS related, it can happen even for unencrypted fs.)
  
  Milan

-- 

_________________________________________________________
Marc Schwarzschild 212-580-1175 The Brookhaven Group, LLC


* Re: [dm-crypt] cryptsetup luksClose
  2012-01-17 21:31   ` Marc Schwarzschild
@ 2012-01-18  8:10     ` Milan Broz
  2012-01-19 15:30       ` Marc Schwarzschild
  0 siblings, 1 reply; 5+ messages in thread
From: Milan Broz @ 2012-01-18  8:10 UTC (permalink / raw)
  To: Marc Schwarzschild; +Cc: dm-crypt

On 01/17/2012 10:31 PM, Marc Schwarzschild wrote:
>
> Thank you.  I gather from this that I can safely halt or reboot
> while a disk is mounted, right?

From the LUKS metadata point of view yes (there will still be an
encryption key in memory but that's a different problem).

From the filesystem POV above LUKS - it depends. If it is remounted
read-only, there should be no data loss on [un]expected reboot.
(If you reboot while some write IOs are in-flight, of course you get
some corruption.)

Anyway, distro initscripts should handle this during controlled
shutdown for all mounted devices.

Milan

>
> --- January 17, 2012 Milan Broz sent: ---
>
>    On 01/16/2012 03:48 PM, Marc Schwarzschild wrote:
>    >  I am setting up an external USB encrypted drive. I can mount it
>    >  manually after I boot the computer. I understand that I must
>    >  issue the 'cryptsetup luksClose' after I umount the disk. How do
>    >  I arrange for this as part of the Debian halt process so it
>    >  happens automatically when the server is shutdown?
>
>    It is not cryptsetup's job, it should be part of initscripts/systemd
>    to correctly unmap active devices on shutdown.
>    (Usually it tries to unmap all crypto disks except device
>    with root fs which is just remounted read-only. Recent systemd is able
>    to unmount even root device properly.)
>
>    For hot-plugged disks it is usually handled by some GUI service,
>    usually based on udisks.
>
>    >  What happens
>    >  if there is a power failure and 'cryptsetup luksClose' was not
>    >  executed?
>
>    For LUKS, no need to worry after power failure - luksClose
>    just removes the kernel mapping (kernel state); it doesn't touch
>    on-disk metadata at all.
>    (Of course there can be some filesystem damage after power failure,
>    but that's not LUKS related, it can happen even for unencrypted fs.)
>
>    Milan
>


* Re: [dm-crypt] cryptsetup luksClose
  2012-01-18  8:10     ` Milan Broz
@ 2012-01-19 15:30       ` Marc Schwarzschild
  0 siblings, 0 replies; 5+ messages in thread
From: Marc Schwarzschild @ 2012-01-19 15:30 UTC (permalink / raw)
  To: Milan Broz; +Cc: dm-crypt


Thank you.


--- January 18, 2012 Milan Broz sent: ---

  On 01/17/2012 10:31 PM, Marc Schwarzschild wrote:
  >
  > Thank you.  I gather from this that I can safely halt or reboot
  > while a disk is mounted, right?
  
  From the LUKS metadata point of view yes (there will still be an
  encryption key in memory but that's a different problem).
  
  From the filesystem POV above LUKS - it depends. If it is remounted
  read-only, there should be no data loss on [un]expected reboot.
  (If you reboot while some write IOs are in-flight, of course you get
  some corruption.)
  
  Anyway, distro initscripts should handle this during controlled
  shutdown for all mounted devices.
  
  Milan
  
  >
  > --- January 17, 2012 Milan Broz sent: ---
  >
  >    On 01/16/2012 03:48 PM, Marc Schwarzschild wrote:
  >    >  I am setting up an external USB encrypted drive. I can mount it
  >    >  manually after I boot the computer. I understand that I must
  >    >  issue the 'cryptsetup luksClose' after I umount the disk. How do
  >    >  I arrange for this as part of the Debian halt process so it
  >    >  happens automatically when the server is shutdown?
  >
  >    It is not cryptsetup's job, it should be part of initscripts/systemd
  >    to correctly unmap active devices on shutdown.
  >    (Usually it tries to unmap all crypto disks except device
  >    with root fs which is just remounted read-only. Recent systemd is able
  >    to unmount even root device properly.)
  >
  >    For hot-plugged disks it is usually handled by some GUI service,
  >    usually based on udisks.
  >
  >    >  What happens
  >    >  if there is a power failure and 'cryptsetup luksClose' was not
  >    >  executed?
  >
  >    For LUKS, no need to worry after power failure - luksClose
  >    just removes the kernel mapping (kernel state); it doesn't touch
  >    on-disk metadata at all.
  >    (Of course there can be some filesystem damage after power failure,
  >    but that's not LUKS related, it can happen even for unencrypted fs.)
  >
  >    Milan
  >

-- 

_________________________________________________________
Marc Schwarzschild 212-580-1175 The Brookhaven Group, LLC
