DM-Crypt Archive on lore.kernel.org
From: Matthias Schniedermeyer <ms@citd.de>
To: Steffen Vogel <post@steffenvogel.de>
Cc: dm-crypt@saout.de,
	Debian Cryptsetup Team
	<pkg-cryptsetup-devel@lists.alioth.debian.org>
Subject: Re: [dm-crypt] u?mount (8) helper script for luks encrypted disks
Date: Mon, 26 Aug 2013 10:23:10 +0200
Message-ID: <20130826082310.GA10172@citd.de>
In-Reply-To: <1377358818.1313.21.camel@ryx.lan>

On 24.08.2013 17:40, Steffen Vogel wrote:
> Dear list,
> 
> Today I worked on a simple way to mount/umount luks encrypted disks:
> 
> I know, there are several ways to do this: cryptmount, cryptsetup, initd
> scripts etc.
> 
> But I was looking for a way to use the standard mount (8) utility for
> this. I came up with mount "helper" scripts as used sometimes with
> ntfs-3g, fuse or nfs filesystems. These helper scripts are located
> in /sbin/mount.FSTYPE and executed in precedence if they exist.
> I introduced a "virtual" FSTYPE named "luks" to identify my luks
> encrypted drives.
> 
> My version is a simple Bash script which is based on cryptsetup:
> 
> https://github.com/stv0g/snippets/blob/master/bash/mount.luks.sh
> (Please note the comments in the script for further tech details.)
> 
> Now I'm able to mount my drives with a simple call to mount (8):
> 
> 	mount -t luks /dev/sda1 /home
> 
> Or use a line in my /etc/fstab for this:
> 
> 	/dev/sda/   /home   luks   defaults,compress   0 0
> 
> Followed by a std "mount /home"
> 
> At the moment my script has some minor drawbacks which could be
> fixed for the future:
> 
> 1. Mount has to automatically determine the real filesystem type.
>    If it fails with this, my script won't work.

Hmmm. I don't know if it works for everything, but I know it works for
fuse:

mount -t fuse.sshfs ...
Which calls /sbin/mount.fuse and it gets the information that it should 
mount a sshfs.

If it's a generic solution this should work:
mount -t luks.xfs ...

Which you maybe have to parse before you pass it to the second 
mount-process you have to be calling.

> 2. Currently, passphrases can only be supplied via STDIN.
> 
> 
> 
> I'm curious about your feedback. And perhaps we could add this to the
> cryptsetup tarball as it's a helper script based on cryptsetup.
> 
> Or do you think that it's up to the distro maintainers to include such an
> enhancement?

Personally I "solved" this by renaming /bin/mount to /bin/mount.orig
and putting a shell-script as /bin/mount that checks if I want to mount
a /dev/mapper/XXX and does the setup of XXX before it calls
/bin/mount.orig.

"Back then" when I implemented that about 1.5 years ago I tried to
explain to Karel Zak (util-linux maintainer) that a generic "premount"
and "postumount" command in (u)mount could solve this generic problem.
The problem that all cryptographic setups need (at least) one more step
to set up (/tear down) a device. But that didn't happen and I didn't try
to open the issue again.





-- 

Matthias
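
The subtype parsing suggested above for `mount -t luks.xfs`, as an added example that is not part of the original message or of the mount.luks.sh script it discusses. It assumes the helper calling convention documented in mount(8) (`mount.<type> spec dir [-sfnv] [-o options] [-t type.subtype]`); the function names and the `luks-<device>` mapper naming are hypothetical.

```shell
#!/bin/sh
# Added example: subtype handling for a hypothetical /sbin/mount.luks helper.

# Print the real filesystem type encoded in "luks.<subtype>".
# Prints nothing for a bare "luks"; returns 1 for anything else.
luks_subtype() {
    case "$1" in
        luks)   return 0 ;;
        luks.*) sub=${1#luks.} ;;
        *)      return 1 ;;
    esac
    # The helper runs as root: accept only plain filesystem names so the
    # value can never smuggle extra options or shell syntax into mount.
    case "$sub" in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac
    printf '%s\n' "$sub"
}

# Parse the helper's argument vector and print the inner mount(8) command
# that would run once cryptsetup has opened the mapping (not executed here).
plan_inner_mount() {
    [ "$#" -ge 2 ] || return 2
    spec=$1; dir=$2; shift 2
    opts=; fstype=luks
    OPTIND=1
    while getopts 'sfnvo:t:' flag; do
        case "$flag" in
            o) opts=$OPTARG ;;
            t) fstype=$OPTARG ;;
            s|f|n|v) ;;            # accepted, ignored in this sketch
            *) return 2 ;;
        esac
    done
    real=$(luks_subtype "$fstype") || return 2
    # Hypothetical mapper naming scheme: luks-<device basename>.
    mapper="/dev/mapper/luks-$(basename "$spec")"
    cmd="mount"
    if [ -n "$real" ]; then cmd="$cmd -t $real"; fi
    if [ -n "$opts" ]; then cmd="$cmd -o $opts"; fi
    printf '%s %s %s\n' "$cmd" "$mapper" "$dir"
}

# Constructed sample invocation, as mount(8) would call the helper.
plan_inner_mount /dev/sda1 /home -o defaults -t luks.xfs
```

With a bare `-t luks` the subtype is empty and the inner mount falls back to filesystem autodetection, which is the drawback listed as point 1 in the quoted message.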
