Can cryptsetup read mappings from /etc/crypttab?

Craig Finch asked:

I have a virtualized CentOS 7 server that needs to mount multiple password-protected encrypted volumes. I cannot automatically map the devices on boot, because I don’t have access to the console during the boot process to enter the decryption password. After I reboot the system, I have to manually run

cryptsetup luksOpen <device> <name>

to map each underlying block device to an encrypted device. That requires keeping notes on the UUID of each underlying block device and the name it maps to. Is there an easy way to automate this process? I can add the information to /etc/crypttab with the noauto keyword to prevent the devices from mounting on boot. However, I can’t get cryptsetup to use the information from this file.

It would be great if there were a command like cryptsetup luksOpen <name> that would read /etc/crypttab to find the name of the underlying block device (similar to the way that you can can mount <mountpoint> if is defined in /etc/fstab).

Is there any way to get cryptsetup to read the mappings from /etc/crypttab?

My answer:

I think you want to experiment with systemd-cryptsetup-generator.

Normally this process runs during the initramfs boot, to dynamically generate systemd units that decrypt each block device listed in /etc/crypttab. You can then start those units whenever you wish, and you’ll be prompted for any necessary passphrases.

Since this is a virtual machine, you should have access to the virtual console, meaning you could simply encrypt your filesystems normally and provide the passphrase at boot. Of course, the security of the encrypted filesystems is compromised anyway, simply by being used in a virtual machine, regardless of when you enter the passphrase.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.