curmudgeon Veteran
Joined: 08 Aug 2003 Posts: 1741
Posted: Mon Feb 13, 2017 5:55 pm Post subject: Is there a way for ordinary users to mount luks+lvm?
Probably set this up wrong, but here is what I did:
Code:
# cryptsetup -v luksFormat /dev/sdb
# cryptsetup luksHeaderBackup /dev/sdb --header-backup-file disk.img
# cryptsetup open /dev/sdb disk
# pvcreate /dev/mapper/disk
# vgcreate vgdisk /dev/mapper/disk
# lvcreate -L 200G -n storage0 vgdisk
# lvcreate -L 200G -n storage1 vgdisk
# mke2fs -b 4096 -L storage0 -m 0 -O ^extra_isize -t ext4 -v /dev/mapper/vgdisk-storage0
# mke2fs -b 4096 -L storage1 -m 0 -O ^extra_isize -t ext4 -v /dev/mapper/vgdisk-storage1
# dmsetup remove vgdisk-storage0
# dmsetup remove vgdisk-storage1
# cryptsetup close /dev/mapper/disk
My problem is that I need to have an ordinary (non-root) user be able to mount storage0 and storage1. This is often not a problem using (for example) kde (which prompts for the password, and then mounts non-lvm luks filesystems), but that doesn't work in this case ("You are not authorized to mount this device").
Is there some way (tools) or set of permissions so that an ordinary user can mount these?
Thank you in advance.
szatox Advocate
Joined: 27 Aug 2013 Posts: 3135
Posted: Mon Feb 13, 2017 8:30 pm
Ehm... add "user" to options in /etc/fstab?
This will let a non-root user mount the device.
Regarding decryption itself, you could read the password from a fifo.
Create a fifo with write-only permissions for all users and read permission for root. Initiate decryption in a service and provide that fifo as a source file. Cryptsetup will freeze until some other process writes the password into that fifo.
Once some user provides the password, the root-owned process will decrypt the device.
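The FIFO hand-off and the fstab "user" option from the post above, as an added example that is not part of the thread. The FIFO path /run/luks-disk.key and the /mnt/storage0 and /mnt/storage1 mount points are assumptions; the device, mapping and volume group names are taken from the first post.

```sh
#!/bin/sh
# Added example (not from the thread): root-side helper for the FIFO hand-off.
FIFO=${FIFO:-/run/luks-disk.key}   # assumed path; /run is writable by root only,
                                   # so users cannot swap the FIFO for another file
LUKS_DEV=${LUKS_DEV:-/dev/sdb}     # device from the first post
MAP_NAME=disk                      # mapping name from the first post
VG=vgdisk                          # volume group from the first post

# Create the FIFO with mode 0622: root reads, everyone else may only write,
# so no other user can read back a passphrase that is waiting in the pipe.
make_key_fifo() {
    fifo=$1
    rm -f -- "$fifo"
    mkfifo -m 0622 -- "$fifo" || return 1
    # Ownership can only be set by root; skipped when run unprivileged.
    [ "$(id -u)" -ne 0 ] || chown root:root -- "$fifo"
}

# fstab lines for both LVs. "user" lets a non-root user mount them and
# implies noexec,nosuid,nodev; "noauto" because the LVs do not exist at boot.
fstab_lines() {
    for lv in storage0 storage1; do
        printf '/dev/mapper/%s-%s /mnt/%s ext4 noauto,user 0 0\n' "$VG" "$lv" "$lv"
    done
}

# Block until a user writes the passphrase, then open LUKS and activate the VG.
unlock_once() {
    make_key_fifo "$FIFO" || return 1
    # cryptsetup reads the key file to EOF; a trailing newline written by the
    # user becomes part of the key and makes the unlock fail.
    cryptsetup open --type luks --key-file "$FIFO" "$LUKS_DEV" "$MAP_NAME"
    rc=$?
    rm -f -- "$FIFO"               # do not leave a stale FIFO behind
    [ "$rc" -eq 0 ] && vgchange -ay "$VG"
}

# Run as root from a service: sh unlock.sh run
if [ "${1:-}" = "run" ]; then
    unlock_once
fi
```

With the service waiting, a user supplies the passphrase without a trailing newline (for example with printf '%s' redirected into the FIFO) and then runs mount /mnt/storage0.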
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Mon Feb 13, 2017 8:39 pm
Most GUI frontends just expect there to be a filesystem and not yet another layer when they open a LUKS container for you. Of course you can write your own scripts to get around it, but if you want it to work out of the box, then you should remove the unnecessary complications, i.e. LVM inside LUKS. If you want LVM, why not put LUKS on each LV instead?