Decrypting and mounting a partition while qube starts


mike

Dec 2, 2018, 1:31:18 PM12/2/18
to qubes-users
Hi All,

For one of my qubes I need a specific partition to be mounted during its start.
I want it automatically attached to the qube and decrypted and mounted during its boot.
The first task (attaching) is quite easy, although I am not sure how to "cryptsetup open" it during boot.

Also, what would be the easier solution: to decrypt the partition in dom0 and attach the decrypted partition to the qube, or to attach the encrypted partition and decrypt it in the qube?
Any idea how I can handle it in the most seamless way?


Thanks!
Mike

unman

Dec 3, 2018, 7:40:36 AM12/3/18
to qubes-users
I would decrypt in dom0 and attach decrypted to qubes. You can script
this in dom0 as part of startup process - if you are content with dom0
encryption you can store the password, rather than enter it each time.

mike

Dec 4, 2018, 8:33:52 AM12/4/18
to qubes-users

> I would decrypt in dom0 and attach decrypted to qubes. You can script
> this in dom0 as part of startup process - if you are content with dom0
> encryption you can store the password, rather than enter it each time.

Cool -- I like the idea!

What approach would you recommend for these:
a) if the partition was to be decrypted during dom0 boot -- where to script it?
b) if the partition was to be decrypted right before a qube's start -- is there a pre-domain-boot script kind of thing?
c) if the password was to be typed -- any idea how to pop up some password input dialog box?


Many thanks unman!

Mike

tinseal374

Dec 4, 2018, 10:22:54 AM12/4/18
to qubes...@googlegroups.com
mike:
I decrypt my drive (which has two partitions) and connect them to the VMs on startup like this in dom0:

Keyfile: /root/my-drive-decrypt/keyfile

Script: /root/my-drive-decrypt/my-drive-decrypt.sh

#!/bin/bash
# Opens a plain-mode dm-crypt container from a key file in dom0, exposes the
# partitions inside it with kpartx, and attaches them to two qubes.
# The XXX placeholders (cipher, offset, key size, disk id) must be filled in.
# The "qvm-block l ... | cut" pipelines rely on qvm-block printing BACKEND:DEVID
# as the first space-separated column of each row.
KEYFILE=/root/my-drive-decrypt/keyfile

case "$1" in
start)
    cryptsetup --cipher=XXX --offset=XXX --key-file="$KEYFILE" --key-size=XXX open --type=plain /dev/disk/by-id/XXX my-drive
    kpartx -a /dev/mapper/my-drive   # creates /dev/mapper/my-drive1, my-drive2, ...
    vgchange -ay my-drive            # activate the volume group inside, if there is one
    # Drop stale attachments first; a failing detach (nothing attached) is not fatal
    # because this script does not run under set -e.
    qvm-block d my-drive1-vm $(qvm-block l my-drive1-vm | cut -f1 -d ' ')
    qvm-block d my-drive2-vm $(qvm-block l my-drive2-vm | cut -f1 -d ' ')
    # --persistent so the device is already present when the qube boots.
    qvm-block a --persistent -o frontend-dev=xvdi my-drive1-vm $(qvm-block l | grep my-drive1 | cut -f1 -d ' ')
    qvm-block a --persistent -o frontend-dev=xvdi my-drive2-vm $(qvm-block l | grep my-drive2 | cut -f1 -d ' ')
    ;;
stop)
    qvm-block d my-drive1-vm $(qvm-block l my-drive1-vm | cut -f1 -d ' ')
    qvm-block d my-drive2-vm $(qvm-block l my-drive2-vm | cut -f1 -d ' ')
    vgchange -an my-drive
    sleep 1                          # give device-mapper a moment to release the LVs
    kpartx -d /dev/mapper/my-drive
    cryptsetup close my-drive
    ;;
status)
    cryptsetup status my-drive
    ;;
*)
    echo "Usage: $0 {start|stop|status}" >&2
    exit 2
    ;;
esac

exit 0

Service: /etc/systemd/system/my-drive-decrypt.service

[Unit]
Description="Decrypt my-drive"
Requires=qubes_core.service
After=qubes_core.service

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/root/my-drive-decrypt/my-drive-decrypt.sh start
ExecStop=/root/my-drive-decrypt/my-drive-decrypt.sh stop

[Install]
WantedBy=multi-user.target

Enable service:
systemctl enable my-drive-decrypt.service


unman

Dec 7, 2018, 8:47:37 AM12/7/18
to qubes...@googlegroups.com
Alternatively, encrypt the new partition with the same password that
you use for the main, and reference it in /etc/crypttab (and /etc/fstab)

b) if the partition was to be decrypted right before a qube's start -- is there a pre-domain-boot script kind of thing?
Have a look at:
https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-ext.html
This allows you to hook into various events - load/pre-start/start

For a simpler approach, a script which called:

cryptsetup luksOpen
/usr/bin/qvm-start <qube>

would do.

You could create this and alias it as qvm-start to handle start of
different qubes in different ways.

c) if the password was to be typed -- any idea how to pop up some password input dialog box?
In a script:
password=$(zenity --password)

unman
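Putting (b) and (c) together, here is a wrapper of the kind unman describes (passphrase prompt, luksOpen, attach, qvm-start), written as an added example; it is not code from any post in this thread. The qube name, the partition path and the mapper name are placeholders, and the script assumes, as tinseal374's script does, that the mapper name shows up in the description column of `qvm-block list`. The attachment is made `--persistent` so the device already exists when the qube boots and can be mounted from its own fstab; `stop` reverses the steps.

```shell
#!/bin/bash
# Added example, not from the thread: dom0 wrapper around qvm-start for one
# qube whose data lives on a LUKS partition. "start" prompts for the
# passphrase with zenity, opens the container, attaches the mapper device to
# the qube and starts it; "stop" shuts the qube down, detaches and closes.
# QUBE, BACKING and MAPPER are assumed names; replace them with your own.
set -eu

QUBE="work"                      # assumption: the qube that needs the data
BACKING="/dev/disk/by-id/XXX"    # assumption: the LUKS-formatted partition
MAPPER="work-data"               # assumption: dm-crypt name (/dev/mapper/work-data)

# Print the BACKEND:DEVID column of the qvm-block row whose description
# equals "$1", given the listing text in "$2". Pure (no qvm-block call
# inside) so it can be checked offline against constructed input.
block_id_for() {
    printf '%s\n' "$2" | awk -v n="$1" '$2 == n { print $1; exit }'
}

# Constructed sample in the shape of `qvm-block list` output; used only to
# illustrate block_id_for, real output comes from qvm-block at run time.
SAMPLE_LISTING='dom0:sda1   boot ()
dom0:dm-3   work-data ()
sys-usb:sdb   Kingston_DataTraveler ()'

unlock() {
    # Idempotent: a container that is already open is left alone.
    if cryptsetup status "$MAPPER" >/dev/null 2>&1; then
        return 0
    fi
    # zenity prints the passphrase on stdout; cryptsetup reads it from stdin
    # when stdin is not a terminal, so it never appears on a command line.
    zenity --password --title="Unlock $MAPPER" \
        | cryptsetup open --type luks "$BACKING" "$MAPPER"
}

find_device() {
    id=$(block_id_for "$MAPPER" "$(qvm-block list)")
    if [ -z "$id" ]; then
        echo "no block device named $MAPPER in qvm-block list" >&2
        return 1
    fi
    printf '%s\n' "$id"
}

case "${1:-}" in
    start)
        unlock
        # --persistent: allowed on a halted qube, and the device is present
        # from the first moment the qube boots (so it can be in its fstab).
        qvm-block attach --persistent "$QUBE" "$(find_device)"
        qvm-start "$QUBE"
        ;;
    stop)
        qvm-shutdown --wait "$QUBE"
        qvm-block detach "$QUBE" "$(find_device)"
        cryptsetup close "$MAPPER"
        ;;
    "")
        ;;   # no argument (e.g. when sourced): only define the functions
    *)
        echo "Usage: $0 {start|stop}" >&2
        exit 2
        ;;
esac
```

Run it as `sudo ./qvm-start-work start` from a dom0 terminal, or wrap it in an alias as unman suggests. Because the zenity prompt feeds cryptsetup through a pipe, a cancelled dialog simply makes cryptsetup fail and `set -e` aborts before anything is attached.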