Extension: pass-mount 0.1.0 released
William Morris
me at williammorris.com
Sun Mar 8 01:03:02 CET 2020
On 3/7/20 1:32 PM, Johannes Larsen wrote:
> 2020-03-07 12:33:08 -0500, William Morris <me at williammorris.com> wrote:
>> `cryptsetup` support for systems without udisks is planned, however
>> feedback is needed on the naming of the device-mapper entry and the
>> mount point.
>
> UUID is not a bad idea. I am using the entry name for those, but that is
> because the device is a parameter to my scripts. It adds some
> restriction on the entry names (e.g. no subdirectories), but I am fine
> with that. I am using, and would think (see `man 7 hier`), /media is a
> more appropriate place to mount such devices.
Some options:
/media/$UUID
/media/crypt/$DISK_LABEL
/media/luks/$DISK_LABEL
/media/encrypted/$DISK_LABEL
>> Should sudo be called inside the script to mount system disks?
>
> In general I would advise against using sudo in such scripts, but my
> experience with gpg is that running the pass command itself with sudo
> does not work properly. Both for security reasons and to avoid these
> problems I have a separate password-store for the root user that I am
> using to decrypt my devices. However, even this is not trivial use,
> because gpg does not work well with logins via `su -i` or `sudo -i`, so
> I have to login/ssh to the root account directly to use pass.
Perhaps having an optional `exec: sudo` configuration item:
# $mount_exec is empty unless "exec: sudo" is configured; $mount_password
# must be quoted so the shell does not word-split or glob-expand it.
printf '%s' "$mount_password" | $mount_exec \
/sbin/cryptsetup open --type=luks \
/dev/disk/by-uuid/222254e3-c547-4b4e-823a-5181698e0a39 \
luks-222254e3-c547-4b4e-823a-5181698e0a39
An alternative to messing about with sudo might be to just get pass
working as a keyscript in `/etc/crypttab`.
>> The issue with the newline on the end of the keyfile is that udisksctl
>> needs it without a newline, otherwise it ends up with a newline in your
>> password.
>
> Yeah, I am simply using a password with the newline. I use this for
> key files, so I am never entering these 4K files manually anyway.
It wouldn't be much to have an option to preserve the newline, but since
the mountpoint config is being stored as a multiline pass entry there
can't be anything following the new line or the config becomes part of
the password.