mountecryptfsroot revision 906f8c4ddd784ce0e759dae87bcb0f9c0a1926be
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# (C) Copyright Canonical 2011-2013
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# This library is free software; you can redistribute it and/or
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# modify it under the terms of the GNU Lesser General Public
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# License as published by the Free Software Foundation; either
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# version 2.1 of the License, or (at your option) any later version.
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# This library is distributed in the hope that it will be useful,
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# but WITHOUT ANY WARRANTY; without even the implied warranty of
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# Lesser General Public License for more details.
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# You should have received a copy of the GNU Lesser General Public
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# License along with this library; if not, write to the Free Software
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# This hook can be used to mount an ecryptfs filesystem as a container's
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# To use this hook, assuming your container is called q1,
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# 1. add 'lxc.hook.pre-mount = /usr/share/lxc/hooks/mountecryptfsroot' to
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# the container's configuration file
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# 3. convert your container's root filesystem to be ecryptfs-backed. Assuming
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# your container is called 'q1', do
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# b. mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# c. mkdir /var/lib/lxc/$c/rootfs{,.crypt}
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# d. sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1`
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# e. echo $sig > /var/lib/lxc/$c/sig
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# f. mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# g. rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# h. umount /var/lib/lxc/$c/rootfs
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# 4. Now you can start your container by adding the passphrase to your
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# in-kernel keyring using 'ecryptfs-add-passphrase', then starting your
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# container as normal.
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# a. echo none | ecryptfs-add-passphrase
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# b. lxc-start -n q1
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graber# Note that you may well want to use a wrapped passhrase (see the ecryptfs-wrap-passphrase(1) manual page).
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Graberecryptfs_crypt=$(echo $LXC_ROOTFS_PATH | sed 's/rootfs$/rootfs.crypt/')
906f8c4ddd784ce0e759dae87bcb0f9c0a1926beStéphane Grabersigfile=$(echo $LXC_CONFIG_FILE | sed 's/config$/sig/')