dm_crypt

Configure an encrypted filesystem with dm-crypt on Linux

Version information

  • 0.4.0 (latest)
  • 0.3.0
released Jun 7th 2022
This version is compatible with:
  • Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet 4.x

Start using this module

Add this module to your Puppetfile:

mod 'kpn-dm_crypt', '0.4.0'

Add this module to your Bolt project:

bolt module add kpn-dm_crypt

Manually install this module globally with Puppet module tool:

puppet module install kpn-dm_crypt --version 0.4.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: dm-crypt

Documentation

kpn/dm_crypt — version 0.4.0 Jun 7th 2022

dm_crypt

Table of Contents

  1. Overview
  2. Module Description
  3. Setup
  4. Usage
  5. Reference
  6. Limitations
  7. Development

Overview

This module will create an encrypted partition for a device using dm-crypt cryptsetup. Be very careful to keep your secret; otherwise your data can never be accessed again.

Module Description

This module creates an encrypted partition on a disk device with the cryptsetup executable. You need to specify the disk device that will be encrypted, the mount point where the encrypted partition will be mounted, and the filesystem type used to format the encrypted partition. You also need to supply a base64-encoded, encrypted password based on the Puppet agent certificates.

Setup

Setup Requirements

This module requires:

What dm_crypt affects

  • The package cryptsetup will be installed.
  • The directory path of the supplied mount point will be created.
  • cryptsetup is used to create the encrypted LUKS device with a key based on the supplied password.
  • cryptsetup will open the device with a label (the label will be the last directory of the supplied mount point).
  • mkfs will format the newly created encrypted partition /dev/mapper/
  • The new device will be mounted on the supplied mount point.

You have to supply a base64-encoded, encrypted password based on the Puppet agent's certificates to create the partition. Keep this password in a safe place, because it is needed to open and mount the device; otherwise your data can never be accessed again. For example, to create a base64-encoded encrypted password based on the Puppet agent's public key:

  echo "my secret passphrase" | openssl rsautl -encrypt -inkey /etc/puppetlabs/puppet/ssl/public_keys/hostname.pem -pubin | base64 | tr -d "\n"
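A round-trip check for the password string described above, as an added example that is not part of the module: it encrypts the way the page's openssl command does and confirms that the result decrypts with the matching private key before the string is handed to Puppet. The function names and the throwaway key pair are assumptions; on an agent you would pass its own public and private key files instead.

```shell
#!/bin/sh
# Added example: round-trip check for the encrypted password string.
# Function names and the throwaway key pair are assumptions for the demo.

# make_demo_keys DIR: constructed stand-in for the agent's key pair.
make_demo_keys() {
  openssl genrsa -out "$1/priv.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# encrypt_secret PUBKEY PASSPHRASE: prints the single-line base64 string.
encrypt_secret() {
  # printf emits the same bytes as the page's echo (passphrase plus newline).
  printf '%s\n' "$2" |
    openssl rsautl -encrypt -inkey "$1" -pubin 2>/dev/null |
    base64 | tr -d '\n'
}

# decrypt_secret PRIVKEY BASE64: prints the recovered passphrase.
decrypt_secret() {
  printf '%s' "$2" | base64 -d 2>/dev/null |
    openssl rsautl -decrypt -inkey "$1" 2>/dev/null
}

# verify_secret PUBKEY PRIVKEY PASSPHRASE: exit 0 only if the round trip matches.
verify_secret() {
  enc=$(encrypt_secret "$1" "$3")
  # The pipeline ends in tr, so an openssl failure (wrong key file, passphrase
  # too long for the RSA modulus) shows up as empty output, not as a status.
  [ -n "$enc" ] || return 1
  dec=$(decrypt_secret "$2" "$enc" 2>/dev/null) || return 1
  [ "$dec" = "$3" ]
}

# Demo with constructed keys; on an agent, pass its own key files instead.
demo_dir=$(mktemp -d)
make_demo_keys "$demo_dir"
if verify_secret "$demo_dir/pub.pem" "$demo_dir/priv.pem" "my secret passphrase"
then echo "round trip OK: safe to hand the string to Puppet"
else echo "round trip FAILED: do not format a device with this string"
fi
rm -rf "$demo_dir"
```

The check also fails when the public and private key do not belong together, or when the passphrase is longer than the key allows (245 bytes for a 2048-bit key with the default padding).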

There is also a generated fact called encrypted_secret that can be used as password. This fact is stored in the file /opt/puppetlabs/facter/facts.d/encrypted_secret.yaml.

Beginning with dm_crypt

Usage

Parameters

This module accepts the following parameters:

  String $disk_device,
  String $mount_point,
  String $filesystem_type,
  String $password,
  String $config_ensure,
  String $package_ensure,
  String $package_name,

disk_device (required)

  • Type: string
  • Default: undef
  • Values: any valid string representing an existing disk device, for example /dev/sdb
  • Description: This parameter contains a string with the disk device used for the encrypted partition.

mount_point (required)

  • Type: string
  • Default: undef
  • Values: any valid string with a valid absolute path of the mount point where the encrypted partition will be mounted
  • Description: This parameter contains the mount point, and the last directory of the path will be used as the label for the encrypted LUKS device.

filesystem_type (required)

  • Type: Enum[string]
  • Default: undef
  • Values: 'ext4' or 'xfs'
  • Description: This parameter contains the filesystem type for mkfs to format the new encrypted partition.

password (required)

  • Type: string
  • Default: undef
  • Values: base64-encoded encrypted string based on the Puppet agent certificates
  • Description: This parameter contains the encrypted password in base64 format, encrypted based on the Puppet agent certificates. You can supply this password as the external fact encrypted_secret.

config_ensure

  • Type: string
  • Default: 'present'
  • Values: 'present', 'absent'
  • Description: Ensures that the resource will be created or removed. Be careful when removing the resource, because any data on the encrypted partition will be lost.

package_ensure

  • Type: string
  • Default: 'present'
  • Values: 'present', 'absent'
  • Description: Ensures that the package will be installed or removed. Be careful when removing the resource, because any data on the encrypted partition will be lost.

package_name

  • Type: string
  • Default: 'cryptsetup'
  • Values: any valid string with the correct package name
  • Description: The package that will be installed.

Examples

Example 1: Setting the default values for the module

  $encrypted_secret = '<base64-encoded encrypted password>'
  class { 'dm_crypt':
    ensure          => 'present',
    disk_device     => '/dev/sdb',
    mount_point     => '/apps/postgresDB',
    filesystem_type => 'ext4',
    password        => $encrypted_secret,
  }

Example 2: Use generated encrypted_secret fact

  class { 'dm_crypt':
    ensure          => 'present',
    disk_device     => '/dev/sdb',
    mount_point     => '/apps/postgresDB',
    filesystem_type => 'ext4',
    password        => $::facts['encrypted_secret'],
  }

Reference

classes:

types:

  • lib/puppet/type/crypt.rb

providers:

  • lib/puppet/providers/crypt/rhel7.rb
  • lib/puppet/providers/crypt/rhel6.rb

Limitations

This module works only on:

  • RedHat 6
  • RedHat 7

Development

You can contribute by submitting issues, providing feedback and joining the discussions.

Go to: https://github.com/kpn-puppet/puppet-kpn-dm_crypt

If you want to fix bugs, add new features etc:

  • Fork it
  • Create a feature branch ( git checkout -b my-new-feature )
  • Apply your changes and update rspec tests
  • Run rspec tests ( bundle exec rake spec )
  • Commit your changes ( git commit -am 'Added some feature' )
  • Push to the branch ( git push origin my-new-feature )
  • Create new Pull Request