9

I created an encrypted container via

#!/bin/bash
dd if=/dev/zero of=$1 bs=1 count=0 seek=$2
MAPPER=$(mktemp -up /dev/mapper)
LOOPDEV=$(losetup --find --show $1)
cryptsetup luksFormat $LOOPDEV
cryptsetup luksOpen $LOOPDEV $(basename $MAPPER)
mkfs.ext3 $MAPPER
cryptsetup luksClose $MAPPER
losetup -d $LOOPDEV

i.e. a file e.g. container specified to this script will contain a ext3 filesystem encrypted via cryptsetup luksFormat.

To mount it, I currently use another script, say dm.mount container /mnt/decrypted:

#!/bin/bash
set -e
MAPPER=$(mktemp -up /dev/mapper)
LOOPDEV=$(losetup --find --show $1)
cryptsetup luksOpen $LOOPDEV $(basename $MAPPER) || losetup -d $LOOPDEV
mount $MAPPER $2 || (
  cryptsetup luksClose $MAPPER
  losetup -d $LOOPDEV
)

and to unmount it dm.umount /mnt/decrypted:

#!/bin/bash
set -e
MAPPER=$(basename $(mount | grep $1 | gawk ' { print $1 } '))
LOOPDEV=$(cryptsetup status $MAPPER | grep device | gawk ' { print $2 } ')
umount $1
cryptsetup luksClose $MAPPER
losetup -d $LOOPDEV

There's a lot of redundancy and manually grabbing a loop device and mapper both of which could remain anonymous. Is there a way to simply do something like mount -o luks ~/container /mnt/decrypted (prompting for the passphrase) and umount /mnt/decrypted the easy way instead?

edit Basically I am happy with my scripts above (although the error checking could be improved...), so

How can a mount option -o luks=~/container be implemented similar to -o loop ~/loopfile using the scripts I wrote?

Can this be achieved without rewriting mount? Or alternatively, could -t luks -o loop ~/container be implemented?

Tobias Kienzler
  • 9,184
  • 13
  • 65
  • 106

2 Answers2

6

In fact, modifying mount is possible, as I learned from the existence of mount.ntfs-3g. I'm doing only guesswork, but I suspect mount -t sometype results in a call to mount.sometype $DEV $MOUNTPOINT $OPTIONS, feel free to correct me here or quote some actual documentation. Especially the option -o loop is already treated so there's no need for lopsetup anymore...

Symlink/create the mount script as /sbin/mount.crypto_LUKS. Remove the loopdevice part and instead just use the -o loop switch. Here's my /sbin/mount.crypto_LUKS:

#!/bin/bash
set -e
if [[ $(mount | grep ${2%%/} | wc -l) -gt 0 ]]; then
  echo "Path $2 is already mounted!" >&2
  exit 9
else
  MAPPER=$(mktemp -up /dev/mapper)
  cryptsetup luksOpen $1 $(basename $MAPPER)
  shift
  mount $MAPPER $* || cryptsetup luksClose $(basename $MAPPER)
fi

Now I just have to run mount -o loop ~/container /mnt/decrypted, and mount will prompt me for the password and then mount the container, automatically releasing the loopdevice once the container is closed. If the decrypted filesystem fails to mount, the container will be closed again, but you can modify that of course. Or implement some option parsing instead of passing everything on to mount.

I was hoping the same could be achieved via /sbin/umount.luks, but umount /mnt/decrypted (even with -t crypto_LUKS) still only does the usual unmount, leaving the container open. If you find a way to have umount call my dm.umount script instead, please let me know... At the moment, directly calling umount is discouraged since you will have to figure out the /dev/mapper name to manually cryptsetup luksClose $MAPPER. At least the loop device will be release automatically if mount -o loop was used before...

Tobias Kienzler
  • 9,184
  • 13
  • 65
  • 106
  • Concerning the `umount`, I guess I'll have to [modify the `/etc/mtab` entry of my `mount.luks`](http://stackoverflow.com/q/12952686/321973) such that the filesystem type is e.g. `luks.ext3` instead of `ext3`. – Tobias Kienzler Oct 19 '12 at 13:35
3

pam_mount, available from sourceforge, ships with a helpful mount.crypto_LUKS and umount.crypto_LUKS which overcome some of the shortcomings of the script provided by the other poster.

rahmu
  • 19,673
  • 28
  • 87
  • 128
tom drunk
  • 31
  • 1