* Device mapping & LUKS
From: Ludovic Courtès @ 2014-09-12 8:20 UTC
To: Guix-devel
Hi!
With commit 5dae018, it’s possible to declare “mapped devices”. I use
it for my /home partition which is LUKS-encrypted:
--8<---------------cut here---------------start------------->8---
(operating-system
  (host-name "pluto")
  (timezone "Europe/Paris")
  (locale "en_US.UTF-8")
  (mapped-devices (list (mapped-device
                          (source "/dev/sda3")
                          (target "home")
                          (command luks-device-mapping))))
  (file-systems (cons* (file-system
                         (device "root")
                         (title 'label)
                         (mount-point "/")
                         (type "ext3"))
                       (file-system
                         (device "/dev/mapper/home")
                         (mount-point "/home")
                         (type "ext3"))
                       %base-file-systems))
  ;;; ...
  )
--8<---------------cut here---------------end--------------->8---
The effect is to run ‘cryptsetup open --type luks /dev/sda3 home’ before
/home is mounted, which prompts for a pass phrase.
I’ll add a section in the manual real soon.
(Conceptually “file systems” and “mapped devices” are about the same,
and the Hurd makes no difference, but I think we have to expose it
separately for the sake of Linux-based systems.)
Ludo’.
* Re: Device mapping & LUKS
From: Ludovic Courtès @ 2014-09-19 12:36 UTC
To: Guix-devel
I’ve now documented the thing, copied below.
Device mapping happens after dmd is started, so it doesn’t work yet,
e.g., for the root file system, but I’ll fix it.
Ludo’.
6.2.3 Mapped Devices
--------------------
The Linux kernel has a notion of "device mapping": a block device, such
as a hard disk partition, can be "mapped" into another device, with
additional processing over the data that flows through it(1). A typical
example is encryption device mapping: all writes to the mapped device
are encrypted, and all reads are deciphered, transparently.
Mapped devices are declared using the ‘mapped-device’ form:
     (mapped-device
       (source "/dev/sda3")
       (target "home")
       (type luks-device-mapping))
This example specifies a mapping from ‘/dev/sda3’ to ‘/dev/mapper/home’
using LUKS—the Linux Unified Key Setup
(http://code.google.com/p/cryptsetup), a standard mechanism for disk
encryption. The ‘/dev/mapper/home’ device can then be used as the
‘device’ of a ‘file-system’ declaration (*note File Systems::). The
‘mapped-device’ form is detailed below.
 -- Data Type: mapped-device
     Objects of this type represent device mappings that will be made
     when the system boots up.

     ‘source’
          This string specifies the name of the block device to be
          mapped, such as ‘"/dev/sda3"’.

     ‘target’
          This string specifies the name of the mapping to be
          established.  For example, specifying ‘"my-partition"’ will
          lead to the creation of the ‘"/dev/mapper/my-partition"’
          device.

     ‘type’
          This must be a ‘mapped-device-kind’ object, which specifies
          how SOURCE is mapped to TARGET.

 -- Scheme Variable: luks-device-mapping
     This defines LUKS block device encryption using the ‘cryptsetup’
     command, from the same-named package.  This relies on the
     ‘dm-crypt’ Linux kernel module.
---------- Footnotes ----------
(1) Note that the GNU Hurd makes no difference between the concept of
a “mapped device” and that of a file system: both boil down to
_translating_ input/output operations made on a file to operations on
its backing store. Thus, the Hurd implements mapped devices, like file
systems, using the generic "translator" mechanism (*note
(hurd)Translators::).
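Both messages above reduce a ‘luks-device-mapping’ to one command run at boot, ‘cryptsetup open --type luks SOURCE TARGET’, so the thing to verify before putting a partition in the ‘source’ field is that it really carries a LUKS header with at least one usable key slot; otherwise the open fails before /home can be mounted. The following is an added example, not code from Guix or from the thread: it parses a LUKS1 header from raw bytes the way ‘cryptsetup isLuks’ / ‘luksDump’ inspect it, using the field offsets of the LUKS1 on-disk format (6-byte magic ‘LUKS\xba\xbe’, big-endian version, cipher/mode/hash strings, payload offset, 8 key slots of 48 bytes). It is written in Python rather than Guile so it runs stand-alone; the header bytes it checks are constructed in the block, not dumped from a real device, and the ‘preflight’ function and its messages are illustrative names, not cryptsetup output.

```python
"""Inspect a LUKS header before it is used as a mapped-device source.

Added example (not Guix code).  Offsets follow the LUKS1 on-disk format;
the sample header below is constructed, not read from a real disk.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

LUKS_MAGIC = b"LUKS\xba\xbe"
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset (sectors),
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid  -> 208 bytes
LUKS1_HEADER = struct.Struct(">6sH32s32s32sII20s32sI40s")
# active, iterations, salt, key-material-offset (sectors), stripes -> 48 bytes
LUKS1_KEYSLOT = struct.Struct(">II32sII")
LUKS1_KEYSLOTS = 8
KEYSLOT_ENABLED = 0x00AC71F3
KEYSLOT_DISABLED = 0x0000DEAD


@dataclass
class KeySlot:
    index: int
    active: bool
    iterations: int
    key_material_offset: int   # in 512-byte sectors
    stripes: int


@dataclass
class LuksHeader:
    version: int
    cipher_name: str = ""
    cipher_mode: str = ""
    hash_spec: str = ""
    payload_offset: int = 0    # where the dm-crypt mapping starts, in sectors
    key_bytes: int = 0
    uuid: str = ""
    keyslots: List[KeySlot] = field(default_factory=list)

    @property
    def active_keyslots(self) -> List[int]:
        return [s.index for s in self.keyslots if s.active]


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(blob: bytes) -> Optional[LuksHeader]:
    """Return the parsed header, or None when the data is not LUKS at all."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", blob[6:8])[0]
    if version != 1:
        # LUKS2 reuses the magic but keeps keyslots in a JSON area after a
        # different binary header; only the version is reported here.
        return LuksHeader(version=version)
    if len(blob) < LUKS1_HEADER.size + LUKS1_KEYSLOTS * LUKS1_KEYSLOT.size:
        raise ValueError("truncated LUKS1 header")
    (_magic, _ver, cname, cmode, hspec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = LUKS1_HEADER.unpack_from(blob, 0)
    hdr = LuksHeader(1, _cstr(cname), _cstr(cmode), _cstr(hspec),
                     payload_off, key_bytes, _cstr(uuid))
    for i in range(LUKS1_KEYSLOTS):
        off = LUKS1_HEADER.size + i * LUKS1_KEYSLOT.size
        active, iters, _slot_salt, km_off, stripes = LUKS1_KEYSLOT.unpack_from(blob, off)
        if active not in (KEYSLOT_ENABLED, KEYSLOT_DISABLED):
            raise ValueError(f"key slot {i}: bad active marker {active:#x}")
        hdr.keyslots.append(KeySlot(i, active == KEYSLOT_ENABLED, iters, km_off, stripes))
    return hdr


def preflight(blob: bytes) -> str:
    """One-line verdict on whether `cryptsetup open --type luks` can succeed."""
    hdr = parse_luks_header(blob)
    if hdr is None:
        return "not LUKS: cryptsetup open --type luks would fail"
    if hdr.version != 1:
        return f"LUKS{hdr.version}: key slots live in the JSON area, not parsed here"
    if not hdr.active_keyslots:
        return "LUKS1 with no active key slot: no pass phrase can unlock it"
    return (f"LUKS1 {hdr.cipher_name}-{hdr.cipher_mode}, "
            f"{len(hdr.active_keyslots)} active slot(s)")


def build_sample_luks1_header() -> bytes:
    """Constructed sample: aes-xts-plain64/sha256, 512-bit key, slot 0 active."""
    hdr = LUKS1_HEADER.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                            4096, 64, b"\x11" * 20, b"\x22" * 32, 1000,
                            b"01234567-89ab-cdef-0123-456789abcdef")
    slots = b""
    for i in range(LUKS1_KEYSLOTS):
        active = KEYSLOT_ENABLED if i == 0 else KEYSLOT_DISABLED
        iters = 100000 if i == 0 else 0
        salt = b"\x33" * 32 if i == 0 else bytes(32)
        # 64 key bytes * 4000 stripes / 512 = 500 sectors of key material per slot
        slots += LUKS1_KEYSLOT.pack(active, iters, salt, 8 + i * 500, 4000)
    return hdr + slots


if __name__ == "__main__":
    print(preflight(build_sample_luks1_header()))
    print(preflight(bytes(592)))
```

On a live system the first 592 bytes of the ‘source’ device (e.g. ‘dd if=/dev/sda3 bs=592 count=1’) can be fed to ‘parse_luks_header’; a None result means the partition is not LUKS and the mapped device should not be declared with ‘luks-device-mapping’.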
Code repository associated with this public inbox:
https://git.savannah.gnu.org/cgit/guix.git