In response to my question "How to mount a cryptsetup container just with mount?" over at unix.SE, I realized that mount -t luks will call the script mount.luks, which currently looks like this:
#!/bin/sh
# Pick an unused name under /dev/mapper and open the LUKS device on it
MAPPER=$(mktemp -up /dev/mapper)
cryptsetup luksOpen "$1" "$(basename "$MAPPER")"
shift   # drop the device; mount(8) passes "spec dir [-o opts]" to the helper
mount "$MAPPER" "$@" || cryptsetup luksClose "$(basename "$MAPPER")"
That is, it determines an unused mapper name that cryptsetup can use to mount a LUKS/dm-crypt encrypted device (I know the $* is dangerously prone to recursion if subtypes are involved, consider this a prototype) after decrypting it (after prompting for the passphrase).
The problem is, the resulting entry of mount -t luks /dev/hda /mnt/decrypted in /etc/mtab will look something like
/dev/mapper/tmp.mpI5ClExf8 on /mnt/decrypted type ext3 (rw,relatime,errors=continue,data=writeback)
umount /dev/hda will fail and umount /mnt/decrypted will only unmount the mapper but leave the encrypted device open. The mapper is also rather irrelevant. What I'd like to achieve is having an entry à la
/dev/hda on /mnt/decrypted type luks.ext3 (rw,relatime,errors=continue,data=writeback,mapper=/dev/mapper/tmp.mpI5ClExf8)
umount will call umount.luks, which may be something like
#!/bin/sh
cryptsetup luksClose "$MAPPER"
(Again, prototype, this would only treat the umount /mnt/decrypted call correctly and MAPPER needs to be obtained from the mount option)
So, how does mount.luks have to be modified? Directly modifying /etc/mtab is certainly a bad idea. (Can e.g. mount -n and mount -f achieve this somehow?)
I know this question is old, but I came across it when searching for an answer myself.
If you have a new enough distro, e.g. Fedora 20, then you can modify your mount.luks script to include
#!/bin/bash
set -e
MAPPER=$(mktemp -up /dev/mapper)
cryptsetup luksOpen "$1" "$(basename "$MAPPER")"
shift
# helper=luks is recorded with the mount, so umount later runs umount.luks;
# close the mapping again and report failure if the mount itself fails
mount -o helper=luks "$MAPPER" "$@" || { cryptsetup luksClose "$(basename "$MAPPER")"; exit 1; }
umount uses the value of helper to determine the proper umount script to run, similar to the way that mount works with the -t option.
Note: on Fedora 20, /etc/mtab is a symlink to /proc/self/mounts. If you cat /etc/mtab the helper option does not show up. However, if you execute mount with no options, the helper option will appear.
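As an added example (not code from the question or the answer), here is the umount.luks counterpart that the helper=luks approach needs: instead of being handed MAPPER, it looks the mapper device up from the mounts table for the given mount point, checks that the mapping really is an active dm-crypt device before touching it, unmounts with umount -i so that umount does not call the helper again, and then closes the mapping. The script name, the function names and the optional table-path parameter (there for testing against a constructed table) are my assumptions.

```shell
#!/bin/sh
# umount.luks: unmount a directory mounted by mount.luks and close its mapping.
# Added example, not code from the question or answer. Assumes mount.luks
# used "mount -o helper=luks", so "umount DIR" runs: umount.luks DIR [options]
set -eu

# Print the /dev/mapper/* source mounted on mount point $1, read from the
# mounts table $2 (default /proc/self/mounts). Exit 1 if there is none.
mapper_for_mountpoint() {
    _mp=$1
    _table=${2:-/proc/self/mounts}
    # Fields: source target fstype options dump pass. The kernel writes a
    # space in a path as \040, so escape the wanted path the same way.
    MP="$_mp" awk 'BEGIN { mp = ENVIRON["MP"]; gsub(/ /, "\\\\040", mp) }
        $2 == mp && $1 ~ "^/dev/mapper/" { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }' "$_table"
}

# True only for an active dm-crypt mapping (refuses plain LVM volumes etc.).
is_crypt_mapping() {
    cryptsetup status "$(basename "$1")" >/dev/null 2>&1
}

main() {
    [ $# -ge 1 ] || { echo "usage: umount.luks MOUNTPOINT [umount options]" >&2; exit 2; }
    mp=$1
    shift
    mapper=$(mapper_for_mountpoint "$mp") ||
        { echo "umount.luks: nothing from /dev/mapper is mounted on $mp" >&2; exit 1; }
    is_crypt_mapping "$mapper" ||
        { echo "umount.luks: $mapper is not an active dm-crypt mapping" >&2; exit 1; }
    # -i makes umount skip the umount.<helper> script, so we are not re-entered.
    umount -i "$@" "$mp"
    cryptsetup luksClose "$(basename "$mapper")"
}

# Run only when invoked as the helper, not when sourced for testing.
if [ "$(basename "$0")" = umount.luks ]; then
    main "$@"
fi
```

Like the answer's mount.luks, this only handles umount MOUNTPOINT; umount /dev/hda would need a second lookup by backing device.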