I've created a module to manage mounting LUKS encrypted devices at
https://github.com/jaredcurtis/puppet-encmount
It's a wrapper around the existing mount type and accepts the
additional input needed to unlock the LUKS device (key and mapper
name). It's untested outside of CentOS and does use some hard-coded
paths so it may not be 100% portable. But if anyone finds an issue it
should be simple to patch it up.
The module does depend on another module I created, cryptsetup, which
is also on my github page. This module is nothing more than a simple
cryptsetup installer.
Puppet-encmount does a not so good thing in that it does copy the key
to /dev/shm/<mapper> so that it can be used by the cryptsetup program.
Once the mapper device is created though the key is deleted and will
not be recreated unless the mapper is removed. I understand that this
is not 100% secure but I do set file permissions securely and clear
the file as soon as it's done being used.
If anyone has any suggestions or finds any errors let me know and I'll
patch it up.
Example:

    encmount::mount { '/mnt/test':
      fstype => 'ext3',
      device => '/dev/sdb1',
      mapper => 'enc_sdb1',
      key    => '1234!@#$',
    }
This will unlock the sdb1 partition using the key 1234!@#$, create a
device called enc_sdb1 in /dev/mapper, and finally mount the mapper
at /mnt/test.
I'm considering expanding this to become more of a general LUKS
management class but as of right now this fits my need.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
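The unlock-then-mount sequence the module performs, written out in shell as an added example (this is not code from the encmount module): instead of copying the key to /dev/shm/<mapper>, it hands the passphrase to cryptsetup on stdin with --key-file=-, so no key file has to be created, permission-restricted or cleared. It assumes the caller runs as root, has cryptsetup and mount on PATH, and exports the passphrase in LUKS_KEY (a variable name chosen here).

```shell
#!/bin/sh
# Added example, not code from the encmount module: unlock a LUKS
# device and mount the mapper without writing the key anywhere.
# Assumptions: runs as root, cryptsetup and mount are on PATH, and the
# caller has exported the passphrase in LUKS_KEY (a name chosen here).
set -eu

# luks_unlock_mount DEVICE MAPPER MOUNTPOINT FSTYPE
# Mirrors encmount::mount { '/mnt/test': device, mapper, fstype } but
# takes the key from the environment instead of a file in /dev/shm.
luks_unlock_mount() {
    device=$1
    mapper=$2
    mountpoint=$3
    fstype=$4

    # Like the module, leave an existing mapper alone; it is only
    # (re)created when it is absent.
    if [ ! -e "/dev/mapper/$mapper" ]; then
        # --key-file=- makes cryptsetup read the passphrase from stdin,
        # so it never appears in argv, a file or tmpfs. In key-file
        # mode cryptsetup uses every byte it reads, so printf '%s' (no
        # trailing newline) keeps the passphrase identical to what was
        # typed interactively at luksFormat time.
        printf '%s' "$LUKS_KEY" |
            cryptsetup luksOpen --key-file=- "$device" "$mapper"
    fi

    mkdir -p "$mountpoint"
    mount -t "$fstype" "/dev/mapper/$mapper" "$mountpoint"
}
```

Because the passphrase is read by cryptsetup from a pipe, a crash or interruption between unlock and mount leaves nothing behind to clean up, which is the window the /dev/shm copy has to guard against.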
David Hazar
2013-Dec-11 18:44 UTC
[Puppet Users] Re: Module to mount LUKS encrypted drives
Jared,

You mention a cryptsetup module that is required. I did not see that module on your github account. Can you point me in the right direction?

Thanks,
David

On Monday, January 23, 2012 7:44:17 PM UTC-7, Jared Curtis wrote:
> [quoted message omitted; it repeats Jared's original post above]
Jared Curtis
2013-Dec-11 21:54 UTC
[Puppet Users] Re: Module to mount LUKS encrypted drives
The encmount module was a first draft and I've since refactored it to become the cryptvol module. http://forge.puppetlabs.com/jcurtis/cryptvol While I don't make use of it currently, at my previous job it worked well for our needs.

On Wednesday, December 11, 2013 10:44:56 AM UTC-8, David Hazar wrote:
> [quoted message omitted; it repeats David's reply above]