path: root/fish/guestfish.pod
author Richard Jones <rjones@redhat.com> 2010-07-21 19:50:06 +0100
committer Richard Jones <rjones@redhat.com> 2010-07-21 20:48:40 +0100
commit 637f8df83726ab9b50e8a6d2181bd1e0e93ec13e
tree 77e97218a0f9c570bb93b3c913a3f77c51866b4e /fish/guestfish.pod
parent 581a7965faa5bf242ab3f8b7c259ab17c2e967f4
New APIs: Support for opening LUKS-encrypted disks.
This adds support for opening LUKS-encrypted disks, via three new APIs:

  luks_open:    Create a mapping for an encrypted disk.
  luks_open_ro: Same, but read-only mapping.
  luks_close:   Close a mapping.

A typical guestfish session using this functionality looks like this:

  $ guestfish --ro -a encrypted.img
  ><fs> run
  ><fs> list-devices
  /dev/vda
  ><fs> list-partitions
  /dev/vda1
  /dev/vda2
  ><fs> vfs-type /dev/vda2
  crypto_LUKS
  ><fs> luks-open /dev/vda2 luksdev
  Enter key or passphrase ("key"):
  ><fs> vgscan
  ><fs> vg-activate-all true
  ><fs> pvs
  /dev/dm-0
  ><fs> vgs
  vg_f13x64encrypted
  ><fs> lvs
  /dev/vg_f13x64encrypted/lv_root
  /dev/vg_f13x64encrypted/lv_swap
  ><fs> mount /dev/vg_f13x64encrypted/lv_root /
  ><fs> ll /
  total 132
  dr-xr-xr-x. 24 root root 4096 Jul 21 12:01 .
  dr-xr-xr-x  20 root root    0 Jul 21 20:06 ..
  drwx------.  3 root root 4096 Jul 21 11:59 .dbus
  drwx------.  2 root root 4096 Jul 21 12:00 .pulse
  -rw-------.  1 root root  256 Jul 21 12:00 .pulse-cookie
  dr-xr-xr-x.  2 root root 4096 May 13 03:03 bin

NOT included in this patch:

  - An easier way to use this from guestfish.
  - Ability to create LUKS devices.
  - Ability to change LUKS keys on existing devices.
  - Direct access to the /dev/mapper device (eg. if it contains anything apart from VGs).
Diffstat (limited to 'fish/guestfish.pod')
-rw-r--r-- fish/guestfish.pod 33
1 files changed, 33 insertions, 0 deletions
diff --git a/fish/guestfish.pod b/fish/guestfish.pod
index 86dcf58c..bfcec5cc 100644
--- a/fish/guestfish.pod
+++ b/fish/guestfish.pod
@@ -530,6 +530,39 @@ it, eg:
echo "~"
+=head1 ENCRYPTED DISKS
+
+Libguestfs has some support for Linux guests encrypted according to
+the Linux Unified Key Setup (LUKS) standard, which includes nearly all
+whole disk encryption systems used by modern Linux guests. Currently
+only LVM-on-LUKS is supported.
+
+Identify encrypted block devices and partitions using L</vfs-type>:
+
+ ><fs> vfs-type /dev/sda2
+ crypto_LUKS
+
+Then open those devices using L</luks-open>. This creates a
+device-mapper device called C</dev/mapper/luksdev>.
+
+ ><fs> luks-open /dev/sda2 luksdev
+ Enter key or passphrase ("key"): <enter the passphrase>
+
+Finally you have to tell LVM to scan for volume groups on
+the newly created mapper device:
+
+ ><fs> vgscan
+ ><fs> vg-activate-all true
+
+The logical volume(s) can now be mounted in the usual way.
+
+Before closing a LUKS device you must unmount any logical volumes on
+it and deactivate the volume groups by calling C<vg-activate false VG>
+on each one. Then you can close the mapper device:
+
+ ><fs> vg-activate false /dev/VG
+ ><fs> luks-close /dev/mapper/luksdev
+
=head1 WINDOWS PATHS
If a path is prefixed with C<win:> then you can use Windows-style
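Review bot: The closing example `vg-activate false /dev/VG` at the end of the new ENCRYPTED DISKS section disagrees with the sentence just above it, which gives the call as C<vg-activate false VG>; pick one form for the volume group argument and use it in both places. The `vgs` output in the commit message prints a bare name (vg_f13x64encrypted), which suggests the bare VG name is the intended form. Separately, the commit message lists luks_open_ro as one of the three new APIs, but this section only documents L</luks-open> and luks-close. Since the commit's own sample session starts guestfish with --ro, a sentence pointing readers to the read-only mapping when they only need to inspect an encrypted guest would make the safer option discoverable from this page.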