Extension: pass-mount 0.1.0 released

William Morris me at williammorris.com
Tue Mar 17 05:45:50 CET 2020


https://github.com/HXR/pass-mount
0.1.1 now supports mounting with `cryptsetup` via `sudo`

On 3/7/20 7:03 PM, William Morris wrote:
> 
> 
> On 3/7/20 1:32 PM, Johannes Larsen wrote:
>> 2020-03-07 12:33:08 -0500, William Morris <me at williammorris.com> wrote:
>>> `cryptsetup` support for systems without udisks is planned, however
>>> feedback is needed on the naming of the device-mapper entry and the
>>> mount point.
>>
>> UUID is not a bad idea. I am using the entry name for those, but that is
>> because the device is a parameter to my scripts. It adds some
>> restriction on the entry names (e.g. no subdirectories), but I am fine
>> with that. I am using, and would think (see `man 7 hier`), /media is
>> more appropriate place to mount such devices.
> 
> Some options:
>   /media/$UUID
>   /media/crypt/$DISK_LABEL
>   /media/luks/$DISK_LABEL
>   /media/encrypted/$DISK_LABEL
> 
>>> Should sudo be called inside the script to mount system disks?
>>
>> In general I would advise against using sudo in such scripts, but my
>> experience with gpg is that running the pass command itself with sudo
>> does not work properly. Both for security reasons and to avoid these
>> problems I have a separate password-store for the root user that I am
>> using to decrypt my devices. However, even this is not trivial use,
>> because gpg does not work well with logins via `su -i` or `sudo -i`, so
>> I have to login/ssh to the root account directly to use pass.
> 
> Perhaps having an optional `exec: sudo` configuration item
> 
> printf '%s' $mount_password | $mount_exec \
> /sbin/cryptsetup open --type=luks \
> /dev/disk/by-uuid/222254e3-c547-4b4e-823a-5181698e0a39 \
> luks-222254e3-c547-4b4e-823a-5181698e0a39
> 
> An alternative to messing about with sudo might be to just get pass
> working as a keyscript in `/etc/crypttab`.
> 
>>> The issue with the newline on the end of the keyfile is that udisksctl
>>> needs it without a newline, otherwise it ends up with a newline in your
>>> password.
>>
>> Yeah, I am simply using passwords with the newline. I use this for
>> key files, so I am never entering these 4K files manually anyway.
> 
> It wouldn't be much to have an option to preserve the newline, but since
> the mountpoint config is being stored as a multiline pass entry there
> can't be anything following the new line or the config becomes part of
> the password.
> 
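The two points the thread turns on, the trailing newline and the config lines stored below the password in one pass entry, can be checked with a small script. This is an added example, not pass-mount's own code: the entry layout (password on the first line, then `key: value` lines for `uuid`, `label` and `exec`) and the `/media/luks/<label>` mount point are assumptions taken from the options discussed above, and the sample entry is constructed.

```shell
#!/bin/sh
# Added example (not from pass-mount): split a multi-line pass entry into the
# passphrase (first line, trailing newline removed) and the mount settings that
# follow it, then build the cryptsetup command from the thread as a dry run.
set -u

# Constructed sample, as `pass show mounts/backup` would print it (assumed layout).
SAMPLE_ENTRY=$(printf 's3cret pass w0rd\nuuid: 222254e3-c547-4b4e-823a-5181698e0a39\nlabel: backup\nexec: sudo\n')

# First line only, emitted without a newline. A stray "\n" here becomes part of
# the passphrase for udisksctl (and for cryptsetup when fed via --key-file -).
entry_password() {
  printf '%s' "$1" | sed -n '1p' | tr -d '\n'
}

# Value of the "key: value" line named $2 below the password; empty if absent.
entry_field() {
  printf '%s\n' "$1" | sed -n "2,\$s/^$2:[[:space:]]*//p" | sed -n '1p'
}

# Byte count of the passphrase exactly as the unlocking tool would receive it.
password_bytes() {
  entry_password "$1" | wc -c | tr -d ' '
}

# The unlock command from the thread, with the optional "exec: sudo" prefix.
# The secret never goes on the command line (argv is readable via ps); the
# caller pipes entry_password into this command on stdin instead.
open_command() {
  uuid=$(entry_field "$1" uuid)
  prefix=$(entry_field "$1" exec)
  [ -n "$uuid" ] || { echo "entry has no uuid" >&2; return 1; }
  printf '%s/sbin/cryptsetup open --type=luks /dev/disk/by-uuid/%s luks-%s' \
    "${prefix:+$prefix }" "$uuid" "$uuid"
}

# Mount point under /media/luks/<label>, one of the layouts proposed above.
mount_point() {
  label=$(entry_field "$1" label)
  [ -n "$label" ] || { echo "entry has no label" >&2; return 1; }
  printf '/media/luks/%s' "$label"
}

# Dry run: print what would be executed without touching any device.
main() {
  printf 'unlock:   %s\n' "$(open_command "$SAMPLE_ENTRY")"
  printf 'mount at: %s\n' "$(mount_point "$SAMPLE_ENTRY")"
  printf 'passphrase bytes: %s\n' "$(password_bytes "$SAMPLE_ENTRY")"
  # Real use would be: entry_password "$entry" | <output of open_command "$entry">
}
main
```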


More information about the Password-Store mailing list