Step: luks
-----------------------------------------------------------------------------
Set up disk encryption using LUKS with the `cryptsetup` utility. The
encryption passphrase is read from a file or from the output of a
command. The encrypted disk gets opened and can be mounted using a
separate tag for the cleartext view.

Step keys:

* `cryptsetup` — REQUIRED; value is the tag for the encrypted
  block device. This is not directly usable by users, or mountable.

* `tag` — REQUIRED; the tag for the decrypted block device.
  This is what gets mounted and is visible to users.

* `key-file` — OPTIONAL; file from which the passphrase is read.

* `key-cmd` — OPTIONAL; command to run; the passphrase is the first
  line of its standard output.

Example (in the .vmdb file):

    - cryptsetup: root
      tag: root_crypt
      key-file: disk.pass

Same, except run a command to get the passphrase (in this case
[pass](https://www.passwordstore.org/)):

    - cryptsetup: root
      tag: root_crypt
      key-cmd: pass show disk-encryption
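
A pre-flight check for a `luks` step, as an added example (not vmdb2's own code): it validates the step keys listed above, flags a `key-file` that group or other users can access, and applies the first-line rule to `key-cmd` output. The function names, the requirement that one passphrase source be set, the permission check, and running the command without a shell are assumptions of this example.

```python
import os
import shlex
import stat
import subprocess


def check_luks_step(step):
    """Return a list of problems found in one luks step (a dict from the .vmdb YAML)."""
    problems = []
    for key in ("cryptsetup", "tag"):
        if not step.get(key):
            problems.append(f"missing required key: {key}")
    # Assumption: both sources are optional individually, but one must be given.
    if "key-file" not in step and "key-cmd" not in step:
        problems.append("no passphrase source: set key-file or key-cmd")
    key_file = step.get("key-file")
    if key_file:
        try:
            mode = os.stat(key_file).st_mode
        except OSError as e:
            problems.append(f"cannot stat key-file {key_file}: {e.strerror}")
        else:
            # Added hardening check: the passphrase file should be owner-only.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"key-file {key_file} is accessible by group/other")
    return problems


def passphrase_from_cmd(key_cmd):
    """Run key_cmd (split into argv, no shell) and return the first line of stdout."""
    out = subprocess.run(shlex.split(key_cmd), check=True, stdout=subprocess.PIPE).stdout
    lines = out.decode("utf-8").splitlines()
    # Later lines (for example extra metadata in a pass entry) are ignored.
    if not lines or not lines[0]:
        raise ValueError("key-cmd produced an empty first line")
    return lines[0]


if __name__ == "__main__":
    # Constructed sample step, mirroring the first example above.
    step = {"cryptsetup": "root", "tag": "root_crypt", "key-file": "disk.pass"}
    for problem in check_luks_step(step):
        print("luks step:", problem)
```
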