Re: How to automatically decrypt a disk on connection

[Andrei Borzenkov <arvidjaar@xxxxxxxxx>]

On Wed, Mar 27, 2024 at 12:35 AM Orion Poplawski <orion@xxxxxxxx> wrote:
>
> Sorry this isn't strictly devel - but it is a bit non-standard.
>
> I need to automatically unlock an encrypted disk on connection to a machine,
> with the caveat that I'm not mounting it - instead I want to connect it to a VM.
>
> On machines that we do mount the filesystem, having an fstab entry seems to be
> the key to get the systemd-cryptsetup@luks-UUID service to fire and get the
> disk decrypted.  But lacking that I'm not sure how to get it to trigger.
>
> I do have an entry for the disk in /etc/crypttab:
>
> luks-16f5b686-8669-407b-920d-427fa8b81328
> UUID=16f5b686-8669-407b-920d-427fa8b81328 none _netdev
>
> My current plan had been to use a udev rule to attach the disk to the VM:
>
> ACTION=="change", SUBSYSTEM=="block", ENV{ID_FS_LABEL}=="WEEKLY",
> RUN+="/usr/bin/virsh attach-disk VM %E{DEVNAME} sdc --live"
>
> But perhaps if I have a unit that was dependent on the cryptsetup service much
> like a mount unit may have(?) that could get cryptsetup to fire as well.
>
> This is with systemd-252-18.el9.x86_64
>
> I tried having a udev rule that started the specific
> systemd-cryptsetup@luks-UUID service, but that failed:
>

You did not show this rule, so it is hard to guess why it fails.