Auto-mounting and decrypting disk on AppVM startup

Hello,

I have a second disk /dev/sdX for my data supposed to be different from the QubesOS System disk.

I would like this data disk to be only unencrypted when I start my AppVM and not before.

I use cryptsetup and LUKS for encryption, and the AppVM runs on Fedora 30.

My steps:

  • qvm-block attach --persistent AppVM dom0:sdX
  • create a keyfile to unencrypt the dev and create mapper
  • mount the mapper to destination folder sudo mount /dev/mapper/xvdi_crypt /mount/point

These 3 steps work perfectly if I execute them via command line (CLI).

However, I would like the disk to be mounted when AppVM starts.
On a default Linux I would create:

  • /etc/crypttab to create the mapper (giving keyfile as entry + mapper_name)
  • /etc/fstab to mount the disk at start

I made sure to have these 2 files persistent in /rw/config

Now, if I try a sudo mount -a
I get

mount: /mount/point: special device /dev/mapper/xvdi_crypt does not exist.

It looks like the crypttab is not used.
What am I missing? Do I have an alternative (running a cron when the AppVM starts to execute the CLI)?

Thank you for your help!

Hi there,

It seems I managed to solve this by:

  1. in dom0 terminal qvm-block attach --persistent AppVM dom0:sdX
  2. edit (as root) the file # vi /rw/config/rc.local
  3. in /rw/config/rc.local I added
    3.1) cryptsetup -d /path/to/keyfile luksOpen /dev/xvdi xvdi_crypt
    3.4) mount /dev/mapper/xvdi_crypt /mount/point

I am not sure the disk is fully encrypted (not unencrypted) for dom0?

Question: how to mark this post as “solved”?

Thank you,
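
An added example, not part of the original post: the two rc.local commands from the post above, wrapped in the checks a boot-time unlock script usually wants (keyfile owner and mode, LUKS header present, safe to run twice). The device, mapper name, keyfile path and mount point are the post's placeholders; the `nosuid,nodev` mount options and the function names are assumptions added here.

```shell
#!/bin/sh
# Added example: hardened variant of the rc.local steps from the post above.
# DEV, NAME, KEYFILE and MNT are placeholders (assumptions); set your own values.
DEV=${DEV:-/dev/xvdi}
NAME=${NAME:-xvdi_crypt}
KEYFILE=${KEYFILE:-/path/to/keyfile}
MNT=${MNT:-/mount/point}

# Succeed only if the keyfile is a regular file, not a symlink, owned by the
# calling user (root when run from rc.local), with no group/other permission bits.
keyfile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Open the LUKS container (unless the mapping already exists) and mount it.
unlock_and_mount() {
    keyfile_ok "$KEYFILE" || { echo "refusing keyfile $KEYFILE: bad owner/mode" >&2; return 1; }
    cryptsetup isLuks "$DEV" || { echo "$DEV is not a LUKS device" >&2; return 1; }
    if [ ! -e "/dev/mapper/$NAME" ]; then
        cryptsetup -d "$KEYFILE" luksOpen "$DEV" "$NAME" || return 1
    fi
    # Already mounted (e.g. the script was run by hand earlier): nothing to do.
    mountpoint -q "$MNT" && return 0
    # A data disk needs neither setuid binaries nor device nodes.
    mount -o nosuid,nodev "/dev/mapper/$NAME" "$MNT"
}

# Act only when the attached block device is present; it is absent if the
# qvm-block attachment failed or the script runs outside the AppVM.
if [ -b "$DEV" ]; then
    unlock_and_mount
fi
```

/rw/config/rc.local has to be executable for the AppVM to run it at startup.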

Hi there @jKER24qP welcome to the forum!

Glad you’ve managed to solve it. I would agree with you that something like that would normally be handled by /etc/fstab. But I’m not very proficient in that.

Let me just try to rephrase the problem: auto-mounting and decrypting disk on AppVM startup

Is that correct?

I think you just did :slight_smile:

Hi there,

Well, I first thought it should be handled by /etc/fstab, but it works with decryption + mount from /rw/config/rc.local
I will keep it like that until I discover there is an issue with this solution :slight_smile:

auto-mounting and decrypting disk on AppVM startup

Yes, better title for my issue - I let you edit the topic?

Thank you,

If it ain’t broke, don’t fix it – as they say. (factoring security too)

:+1: done!