I've created a module to manage mounting LUKS encrypted devices at https://github.com/jaredcurtis/puppet-encmount
It's a wrapper around the existing mount type and accepts the additional input needed to unlock the LUKS device (key and mapper name). It's untested outside of CentOS and does use some hard-coded paths so it may not be 100% portable. But if anyone finds an issue it should be simple to patch it up.

The module does depend on another module I created, cryptsetup, which is also on my github page. This module is nothing more than a simple cryptsetup installer.

Puppet-encmount does a not so good thing in that it does copy the key to /dev/shm/<mapper> so that it can be used by the cryptsetup program. Once the mapper device is created though the key is deleted and will not be recreated unless the mapper is removed. I understand that this is not 100% secure but I do set file permissions securely and clear the file as soon as it's done being used. If anyone has any suggestions or finds any errors let me know and I'll patch it up.

Example:

    encmount::mount { '/mnt/test':
      fstype => 'ext3',
      device => '/dev/sdb1',
      mapper => 'enc_sdb1',
      key    => '1234!@#$',
    }

This will unlock the sdb1 partition using the key 1234!@#$, create a device called enc_sdb1 in /dev/mapper, and finally mount the mapper at /mnt/test.

I'm considering expanding this to become more of a general LUKS management class but as of right now this fits my need.
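The key handling described in the message (stage the key under /dev/shm, unlock, delete it), shown as an added shell example that is not code from the puppet-encmount module. The function name unlock_luks and the CRYPTSETUP, KEYDIR and MAPPERDIR variables are assumptions made for illustration; the example tightens the flow so the key file is never created with loose permissions and is removed even when the unlock fails.

```shell
#!/bin/sh
# Added example, not puppet-encmount code. Hypothetical names: unlock_luks,
# CRYPTSETUP, KEYDIR, MAPPERDIR (overridable so the flow can run without root).
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
KEYDIR="${KEYDIR:-/dev/shm}"
MAPPERDIR="${MAPPERDIR:-/dev/mapper}"

# unlock_luks DEVICE MAPPER KEY
# The body runs in a subshell, so the umask, traps and variables stay local.
unlock_luks() (
    device=$1 mapper=$2 key=$3

    # Mapper already present: nothing to unlock, so the key is never written.
    if [ -e "$MAPPERDIR/$mapper" ]; then
        exit 0
    fi

    umask 077                      # no window with group/other access
    keyfile=$(mktemp "$KEYDIR/$mapper.XXXXXX") || exit 1

    # Delete the key on every exit path, including a failed luksOpen.
    trap 'rm -f "$keyfile"' EXIT
    trap 'exit 1' HUP INT TERM

    # printf is a shell builtin here, so the key does not show up in `ps`.
    printf '%s' "$key" > "$keyfile" || exit 1

    rc=0
    "$CRYPTSETUP" luksOpen --key-file="$keyfile" "$device" "$mapper" || rc=$?
    exit "$rc"
)
```

cryptsetup also accepts `--key-file=-` to read the key from standard input, which avoids the temporary file altogether.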