https://github.com/HXR/pass-mount 0.1.1 now supports mounting with `cryptsetup` via `sudo`
On 3/7/20 7:03 PM, William Morris wrote:
>
>
> On 3/7/20 1:32 PM, Johannes Larsen wrote:
>> 2020-03-07 12:33:08 -0500, William Morris <[email protected]> wrote:
>>> `cryptsetup` support for systems without udisks is planned, however
>>> feedback is needed on the naming of the device-mapper entry and the
>>> mount point.
>>
>> UUID is not a bad idea. I am using the entry name for those, but that is
>> because the device is a parameter to my scripts. It adds some
>> restriction on the entry names (e.g. no subdirectories), but I am fine
>> with that. I am using, and would think (see `man 7 hier`), /media is a
>> more appropriate place to mount such devices.
>
> Some options:
> /media/$UUID
> /media/crypt/$DISK_LABEL
> /media/luks/$DISK_LABEL
> /media/encrypted/$DISK_LABEL
>
>>> Should sudo be called inside the script to mount system disks?
>>
>> In general I would advise against using sudo in such scripts, but my
>> experience with gpg is that running the pass command itself with sudo
>> does not work properly. Both for security reasons and to avoid these
>> problems I have a separate password-store for the root user that I am
>> using to decrypt my devices. However, even this is not trivial to use,
>> because gpg does not work well with logins via `su -i` or `sudo -i`, so
>> I have to login/ssh to the root account directly to use pass.
>
> Perhaps having an optional `exec: sudo` configuration item
>
> printf '%s' "$mount_password" | $mount_exec \
>     /sbin/cryptsetup open --type=luks \
>     /dev/disk/by-uuid/222254e3-c547-4b4e-823a-5181698e0a39 \
>     luks-222254e3-c547-4b4e-823a-5181698e0a39
>
> An alternative to messing about with sudo might be to just get pass
> working as a keyscript in `/etc/crypttab`.
>
>>> The issue with the newline on the end of the keyfile is that udisksctl
>>> needs it without a newline, otherwise it ends up with a newline in your
>>> password.
>>
>> Yeah, I am simply using passwords with the newline. I use this for
>> key files, so I am never entering these 4K files manually anyway.
>
> It wouldn't be much to have an option to preserve the newline, but since
> the mountpoint config is being stored as a multiline pass entry there
> can't be anything following the new line or the config becomes part of
> the password.
>
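An added example (not code from the pass-mount project or from either participant) of the newline pitfall discussed above: the first line of a multi-line pass entry is the passphrase, the remaining lines are mount configuration, and the passphrase must reach the unlocking tool without its trailing newline, since a key file is used byte for byte. The entry text, the `MOUNT_EXEC` variable and the helper names are constructed assumptions.

```shell
#!/bin/sh
# Constructed pass entry in the multi-line layout the thread describes:
# line 1 is the passphrase, everything after it is mount configuration.
PASS_ENTRY='hunter2
uuid: 222254e3-c547-4b4e-823a-5181698e0a39
mount: /media/luks/backup'

# Passphrase only, emitted WITHOUT a trailing newline. `printf '%s'` (no
# "\n") matters: udisksctl and a cryptsetup key file take the bytes verbatim,
# so a newline here would become part of the passphrase.
entry_passphrase() {
    printf '%s' "$1" | head -n 1 | tr -d '\n'
}

# The same passphrase as a naive `pass show` pipeline would deliver it:
# with the line terminator still attached. Shown only for comparison.
entry_passphrase_naive() {
    printf '%s\n' "$1" | head -n 1
}

# The mount configuration: every line after the first.
entry_config() {
    printf '%s\n' "$1" | tail -n +2
}

# Byte count of what would actually reach the unlocking tool.
passphrase_bytes() {
    entry_passphrase "$1" | wc -c | tr -d ' '
}
passphrase_bytes_naive() {
    entry_passphrase_naive "$1" | wc -c | tr -d ' '
}

# Unlock helper: feeds the stripped passphrase to cryptsetup as a key file on
# stdin (`--key-file -`). MOUNT_EXEC is the optional privilege wrapper from
# the `exec: sudo` idea, e.g. MOUNT_EXEC=sudo; left empty it runs directly.
# Arguments: entry text, disk UUID, device-mapper name. Not invoked here.
luks_open() {
    entry_passphrase "$1" | ${MOUNT_EXEC:-} cryptsetup open --type luks \
        --key-file - "/dev/disk/by-uuid/$2" "$3"
}
```

Running `passphrase_bytes "$PASS_ENTRY"` gives 7 while the naive variant gives 8; that extra byte is the newline the thread warns about.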
