Auto-unlocking and auto-mounting LUKS encrypted devices with halevt-mount

While disk management on the OS level in GNU/Linux is moving away from HAL towards udisks, I have just recently learnt how to configure halevt to automatically ask for a passphrase when a LUKS encrypted device is inserted. Until halevt is removed from Debian stable, I will continue to use the following:

New rule in $HOME/.halevt/halev.xml

<!-- Mount my encrypted usb-stick "viking" -->
<halevt:Device match="hal.info.udi = /org/freedesktop/Hal/devices/volume_uuid_9f31ebed_4cfa_43c8_bf79_b2ac2ced0199">
   <!-- -e hands the command to the terminal, as in the generic rule below -->
   <halevt:Insertion exec="x-terminal-emulator -e cryptmount viking"/>
</halevt:Device>

Conditional unmounting from halevt

I have configured halevt to automatically start a file manager on the mount point, and when that file manager exits, the device is automatically unmounted. However, unlocked devices should be unmounted with cryptmount -u <name of target> instead of halevt-umount <name of mountpoint>. For LUKS devices that are in a file rather than on a partition, unmounting requires two steps:

  1. cryptmount -u <target>
  2. halevt-umount <mount_point>

To this end a small script seems to be needed (the exec attribute of halevt does not seem to like if constructs). The script in question is smart-umount.sh, referred to below:

<!-- (Generic) Removable devices support !-->

<!--
When a device gets a mount point, it is passed to halevt-mount which can
record it. The property that changes is volume.is_mounted, and the action is
executed when the value of volume.is_mounted becomes true.
!-->
<halevt:Device match="hal.block.device &amp; hal.block.is_volume = true &amp;
                      hal.volume.mount_point">
   <halevt:Property name="hal.volume.is_mounted">
      <halevt:Action value="true"
                     exec="halevt-mount -s;
                           x-terminal-emulator -e mc $hal.volume.mount_point$
                             &amp;&amp;
                           smart-umount.sh $hal.volume.mount_point$;
       "/>
   </halevt:Property>
</halevt:Device>

smart-umount.sh

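The contents of smart-umount.sh are:

#!/bin/bash

## this is smart-umount.sh

# If $1 is the mount point of an unlocked encrypted LUKS device, unmount
# with cryptmount -u, otherwise use halevt-umount.
#
# LUKS on a file needs two steps: 1. cryptmount -u 2. halevt-umount,
# which is why we use a while loop here.

# "$1" is quoted everywhere: a mount point may contain spaces or
# shell metacharacters.
BASE=$(basename -- "$1")

# grep -F matches $BASE literally; -q keeps the mount table out of the output.
while mount -l | grep -qF -- "$BASE"; do

if mount -l | grep -F -- "$BASE" | grep -q /dev/mapper; then
    # /dev/mapper/<target> on <dir> ...  ->  <target>
    TARGET=$(mount -l | grep -F -- "$BASE" | grep /dev/mapper | \
            head -n 1 | cut -d "/" -f 4 | cut -d " " -f 1)
    logger "about to unmount $TARGET, using cryptmount -u"
    # Stop instead of looping forever if the unmount fails (e.g. device busy).
    cryptmount -u "$TARGET" || exit 1
else
    logger "about to unmount $1, using halevt-umount"
    halevt-umount "$1" || exit 1
fi

done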
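
The loop above picks its unmount command by grepping the mount table for the mount point's basename, which also matches any other mount whose device, directory or label merely contains that string. The following is an added example, not part of the original script: a hypothetical helper plan_umount reads a `mount -l` snapshot on stdin and prints the unmount steps in order, comparing the last path component of each mount point exactly. The sample table is constructed, and the cryptmount target is assumed to equal the /dev/mapper name, as in the script above.

```shell
#!/bin/bash
# Added example: plan the unmount steps for mount point $1 from a
# `mount -l` snapshot on stdin, using whole-field comparison.
plan_umount() {
    local base
    base=$(basename -- "$1")
    # Pass the name via the environment so awk does not interpret backslashes.
    BASE="$base" awk '
        {
            # line format: DEVICE on DIR type FSTYPE (OPTIONS) [LABEL]
            on = index($0, " on ")
            ty = match($0, / type [^ ]+ \(/)
            if (!on || !ty) next
            dev = substr($0, 1, on - 1)
            dir = substr($0, on + 4, ty - on - 4)
            n = split(dir, parts, "/")
            if (parts[n] != ENVIRON["BASE"]) next   # exact last component only
            if (index(dev, "/dev/mapper/") == 1)
                crypt[++c] = "cryptmount -u " substr(dev, 13)
            else
                plain[++p] = "halevt-umount " dir
        }
        END {
            # encrypted layer first, then the filesystem that holds it
            for (i = 1; i <= c; i++) print crypt[i]
            for (i = 1; i <= p; i++) print plain[i]
        }'
}

# Constructed sample table: a LUKS container file unlocked as target
# "viking", the stick that holds it, and an unrelated mount whose name
# merely contains "viking".
SAMPLE_MOUNTS='/dev/sdb1 on /media/viking type vfat (rw,nosuid,nodev)
/dev/mapper/viking on /home/hans/viking type ext2 (rw)
/dev/sdc1 on /media/viking-backup type ext4 (rw) [viking-backup]'

# Prints the two steps for LUKS-on-a-file; the backup mount is left alone.
printf '%s\n' "$SAMPLE_MOUNTS" | plan_umount /media/viking
```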

The definition in /etc/cryptmount/cmtab

And for completeness, here is the relevant part of /etc/cryptmount/cmtab, which was created by cryptmount-setup, which is part of the package cryptmount.

## Excerpt from /etc/cryptmount/cmtab
viking {
    dev=/dev/disk/by-uuid/9f31ebed-4cfa-43c8-bf79-b2ac2ced0199
    dir=/home/hans/viking
    fstype=ext2
    fsoptions=defaults
    cipher=aes-xts-plain
    keyformat=luks
    keyfile=/dev/disk/by-uuid/9f31ebed-4cfa-43c8-bf79-b2ac2ced0199
}

Last modified: October 17, 2019