From 637f8df83726ab9b50e8a6d2181bd1e0e93ec13e Mon Sep 17 00:00:00 2001
From: Richard Jones
Date: Wed, 21 Jul 2010 19:50:06 +0100
Subject: New APIs: Support for opening LUKS-encrypted disks.

This adds support for opening LUKS-encrypted disks, via three new APIs:

  luks_open: Create a mapping for an encrypted disk.
  luks_open_ro: Same, but read-only mapping.
  luks_close: Close a mapping.

A typical guestfish session using this functionality looks like this:

  $ guestfish --ro -a encrypted.img
  > run
  > list-devices
  /dev/vda
  > list-partitions
  /dev/vda1
  /dev/vda2
  > vfs-type /dev/vda2
  crypto_LUKS
  > luks-open /dev/vda2 luksdev
  Enter key or passphrase ("key"):
  > vgscan
  > vg-activate-all true
  > pvs
  /dev/dm-0
  > vgs
  vg_f13x64encrypted
  > lvs
  /dev/vg_f13x64encrypted/lv_root
  /dev/vg_f13x64encrypted/lv_swap
  > mount /dev/vg_f13x64encrypted/lv_root /
  > ll /
  total 132
  dr-xr-xr-x. 24 root root 4096 Jul 21 12:01 .
  dr-xr-xr-x 20 root root 0 Jul 21 20:06 ..
  drwx------. 3 root root 4096 Jul 21 11:59 .dbus
  drwx------. 2 root root 4096 Jul 21 12:00 .pulse
  -rw-------. 1 root root 256 Jul 21 12:00 .pulse-cookie
  dr-xr-xr-x. 2 root root 4096 May 13 03:03 bin

NOT included in this patch:

- An easier way to use this from guestfish.
- Ability to create LUKS devices.
- Ability to change LUKS keys on existing devices.
- Direct access to the /dev/mapper device (eg. if it contains anything apart from VGs).
---
 fish/guestfish.pod | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/fish/guestfish.pod b/fish/guestfish.pod
index 86dcf58c..bfcec5cc 100644
--- a/fish/guestfish.pod
+++ b/fish/guestfish.pod
@@ -530,6 +530,39 @@ it, eg: echo "~" +=head1 ENCRYPTED DISKS + +Libguestfs has some support for Linux guests encrypted according to +the Linux Unified Key Setup (LUKS) standard, which includes nearly all +whole disk encryption systems used by modern Linux guests. Currently +only LVM-on-LUKS is supported. + +Identify encrypted block devices and partitions using L: + + > vfs-type /dev/sda2 + crypto_LUKS + +Then open those devices using L. This creates a +device-mapper device called C. + + > luks-open /dev/sda2 luksdev + Enter key or passphrase ("key"): + +Finally you have to tell LVM to scan for volume groups on +the newly created mapper device: + + > vgscan + > vg-activate-all true + +The logical volume(s) can now be mounted in the usual way. + +Before closing a LUKS device you must unmount any logical volumes on +it and deactivate the volume groups by calling C +on each one. Then you can close the mapper device: + + > vg-activate false /dev/VG + > luks-close /dev/mapper/luksdev + =head1 WINDOWS PATHS If a path is prefixed with C then you can use Windows-style -- cgit
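Review bot: the new ENCRYPTED DISKS section documents only luks-open and luks-close, while the commit message introduces a third call, luks_open_ro, for a read-only mapping; since the example session in the commit message itself starts guestfish with --ro, a sentence in this section pointing readers at the read-only variant for disks they must not modify would be useful. Two smaller points in the same hunk: the teardown example jumps straight to `> vg-activate false /dev/VG` although the prose just above says the logical volumes must be unmounted first, so an explicit `> umount /` line before it would make the sequence safe to follow literally; and luks-open is given the bare name `luksdev` whereas luks-close is given the full path `/dev/mapper/luksdev`, which is worth stating explicitly rather than leaving the reader to infer it from the two examples.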