debops.cryptsetup default variables
Required packages

cryptsetup__base_packages

List of base packages to install.

cryptsetup__base_packages:
  - 'cryptsetup'
List of encrypted filesystems

cryptsetup__devices

Global definition list of encrypted devices.
Refer to the documentation of all options for more details.

cryptsetup__devices: []

cryptsetup__group_devices

Host group definition list of encrypted devices.

cryptsetup__group_devices: []

cryptsetup__host_devices

Host definition list of encrypted devices.

cryptsetup__host_devices: []

cryptsetup__combined_devices

Combined list of encrypted devices, in the order in which they will be processed (global, then group, then host definitions).

cryptsetup__combined_devices: '{{ (cryptsetup__devices | list) +
                                 (cryptsetup__group_devices | list) +
                                 (cryptsetup__host_devices | list) }}'
cryptsetup__devices_execution_strategy

The execution strategy to use for processing the cryptsetup__combined_devices list.

serial
  Process one device at a time (from start to finish) before processing the next one in the list. This is more verbose.

parallel
  Process all devices in parallel, meaning that every task (like creating the keyfile or initializing LUKS) is done for all devices before moving on to the next task, so all devices are finished at the same time. This is more compact.

You will only need to change this when you want to use the plaintext device mapper target of one item as the ciphertext block device of another item. Refer to "Example for chaining multiple ciphers" for details.

cryptsetup__devices_execution_strategy: 'parallel'
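The following is an added example, not code from the debops.cryptsetup role: a small model of how the two execution strategies order their work, together with a check that shows why a chained setup (one item's ciphertext block device being another item's /dev/mapper target) only works with the serial strategy. The task names, the device items and the /dev/mapper naming are assumptions made for this example.

```python
# Added example (not part of the debops.cryptsetup role): a model of the serial
# and parallel execution strategies and a dependency check for chained devices.
# Task names and device items below are constructed for illustration.

# Per-device tasks in the order they run for one item (assumed names; the
# role's real task list is longer).
TASKS = ["keyfile", "luksFormat", "luksOpen", "mkfs", "mount"]


def combined_devices(global_devices, group_devices, host_devices):
    """Mirror cryptsetup__combined_devices: global, then group, then host lists."""
    return list(global_devices) + list(group_devices) + list(host_devices)


def schedule(devices, strategy):
    """Return the ordered list of (task, device name) steps for a strategy."""
    if strategy == "serial":
        # One device from start to finish, then the next one in the list.
        return [(task, dev["name"]) for dev in devices for task in TASKS]
    if strategy == "parallel":
        # Every task is done for all devices before the next task starts.
        return [(task, dev["name"]) for task in TASKS for dev in devices]
    raise ValueError("unknown strategy: %r" % strategy)


def chained_parent(device):
    """Name of the item whose plaintext mapper target this item is stacked on,
    or None when the ciphertext block device is a plain disk or partition.
    The /dev/mapper/<name> convention is an assumption of this example."""
    prefix = "/dev/mapper/"
    block = device["ciphertext_block_device"]
    return block[len(prefix):] if block.startswith(prefix) else None


def first_broken_dependency(devices, strategy):
    """Return (device, parent) for the first chained device whose luksFormat
    step would run before its parent's mapper target has been opened, or
    None when the schedule is valid for this set of devices."""
    steps = schedule(devices, strategy)
    position = {step: i for i, step in enumerate(steps)}
    for dev in devices:
        parent = chained_parent(dev)
        if parent is None:
            continue
        # Generating a keyfile does not touch the block device, but
        # luksFormat does, so that is the step that must wait for the parent.
        child_format = position[("luksFormat", dev["name"])]
        parent_open = position[("luksOpen", parent)]
        if child_format < parent_open:
            return (dev["name"], parent)
    return None


# Constructed inventory: "outer" sits on a plain partition, "inner" is a
# second LUKS layer on top of outer's plaintext device mapper target.
CHAINED = [
    {"name": "outer", "ciphertext_block_device": "/dev/sdb1"},
    {"name": "inner", "ciphertext_block_device": "/dev/mapper/outer"},
]

if __name__ == "__main__":
    for strategy in ("parallel", "serial"):
        problem = first_broken_dependency(CHAINED, strategy)
        if problem is None:
            print("%s: ok" % strategy)
        else:
            print("%s: %s needs %s opened first" % ((strategy,) + problem))
```

Running the block prints that the parallel strategy breaks the chained pair (inner's luksFormat would run before outer is opened) while the serial strategy is fine, which is the reason the role documents for switching this variable. Note that with serial the list order still matters: the parent item has to come before the child in cryptsetup__combined_devices.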
Keyfile settings

cryptsetup__secret_path

Location where keyfiles are generated and stored on the Ansible controller.

cryptsetup__secret_path: '{{ secret + "/cryptsetup/" + ansible_fqdn }}'

cryptsetup__secret_owner

System user who owns the secret directory and all files in it on the Ansible controller.
You might want to change this if you run the role as root on the Ansible controller itself but the secrets directory is managed by another user.
The default is the special value omit, which uses the owner under which the role is run.

cryptsetup__secret_owner: '{{ omit }}'

cryptsetup__secret_group

System group of the secret directory and all files in it on the Ansible controller.
You might want to change this if you run the role as root on the Ansible controller itself but the secrets directory is managed by another user.
The default is the special value omit, which uses the primary group under which the role is run.

cryptsetup__secret_group: '{{ omit }}'

cryptsetup__secret_mode

File mode used for the secret directory and all files in it on the Ansible controller.

cryptsetup__secret_mode: 'u=rwX,g=,o='
cryptsetup__keyfile_remote_location

Directory where the keyfiles will be stored on the remote system.

cryptsetup__keyfile_remote_location: '{{ (ansible_local.fhs.var | d("/var/local")) + "/keyfiles" }}'

cryptsetup__keyfile_owner

System user who owns the keyfiles on the remote system.

cryptsetup__keyfile_owner: 'root'

cryptsetup__keyfile_group

System group of the keyfiles on the remote system.

cryptsetup__keyfile_group: 'root'

cryptsetup__keyfile_mode

File mode used for the keyfiles on the remote system.

cryptsetup__keyfile_mode: '0600'

cryptsetup__keyfile_source_dev

The source device from which the keyfile will be read using dd.

cryptsetup__keyfile_source_dev: '/dev/random'

cryptsetup__keyfile_gen_type

Type of keyfile to generate. Supported choices: binary, text.
Refer to item.keyfile_gen_type for details.

cryptsetup__keyfile_gen_type: 'binary'

cryptsetup__keyfile_gen_command

The command which should be used to generate the keyfile when item.keyfile_gen_type is set to text.
Refer to item.keyfile_gen_command for details.

cryptsetup__keyfile_gen_command: 'pwgen --secure 123 1'

cryptsetup__keyfile_shred_command

Command plus options to use when shredding/deleting the keyfile on the remote system. The file to delete will be passed as the last argument.
Depending on which filesystem and lower levels the keyfile is stored on, the shred operation might be of limited use, e.g. because of snapshots or copy-on-write. Try it anyway.
Note that there is still at least one copy of the keyfile on the Ansible controller.

cryptsetup__keyfile_shred_command: 'shred --remove --zero --iterations=42'
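As an added example (not the role's own tasks), the cycle these keyfile settings describe for a binary keyfile: bytes are read from the source device into a file that is created with mode 0600 and never overwritten once it exists, the permissions are verified, and the file is later shredded and removed. The 4096-byte keyfile size, the function names and the use of Python instead of dd and shred are assumptions of this example; the copy-on-write caveat from the text applies to this overwrite just as much as to shred.

```python
# Added example (not part of the debops.cryptsetup role): create, verify and
# shred a binary keyfile according to the role's defaults above.
import os
import stat
import tempfile

KEYFILE_SOURCE_DEV = "/dev/random"   # cryptsetup__keyfile_source_dev
KEYFILE_MODE = 0o600                 # cryptsetup__keyfile_mode
KEYFILE_SIZE = 4096                  # assumed size for this example only


def generate_binary_keyfile(path, source_dev=KEYFILE_SOURCE_DEV, size=KEYFILE_SIZE):
    """Create `path` with mode 0600 and fill it with `size` bytes from `source_dev`.
    O_EXCL refuses to overwrite an existing keyfile, so a re-run cannot silently
    replace the key that an already formatted volume depends on."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, KEYFILE_MODE)
    try:
        with open(source_dev, "rb") as src:
            data = src.read(size)
        if len(data) != size:
            raise IOError("short read from %s" % source_dev)
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def keyfile_permissions_ok(path, mode=KEYFILE_MODE):
    """True when the keyfile has exactly the expected mode (owner-only access)."""
    return stat.S_IMODE(os.stat(path).st_mode) == mode


def shred_keyfile(path, iterations=3):
    """Overwrite the file in place `iterations` times with random data, then
    with zeros, and unlink it: roughly what `shred --remove --zero` does.
    On snapshotting or copy-on-write filesystems the old blocks may survive."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(iterations):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


def demo(source_dev="/dev/urandom"):
    """Run the full cycle in a temporary directory and report the outcome.
    /dev/urandom is used here so the demo never blocks waiting for entropy."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example_keyfile")
        generate_binary_keyfile(path, source_dev=source_dev)
        size = os.path.getsize(path)
        perms_ok = keyfile_permissions_ok(path)
        try:
            generate_binary_keyfile(path, source_dev=source_dev)
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        removed = shred_keyfile(path)
    return {"size": size, "perms_ok": perms_ok,
            "overwrite_refused": overwrite_refused, "removed": removed}


if __name__ == "__main__":
    print(demo())
```

The O_EXCL create is the check a practitioner wants here: a keyfile that a LUKS key slot already depends on must never be regenerated in place, because the volume would become unopenable while the controller-side copy under cryptsetup__secret_path still looks valid.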
LUKS header backup

cryptsetup__header_backup_remote_location

Directory where the header backups from LUKS will be stored on the remote system.
The LUKS header backup will be stored in this file:

{{ cryptsetup__header_backup_remote_location + "/" + item.name + "_header_backup.raw" }}

on the Ansible controller.

cryptsetup__header_backup_remote_location: '{{ (ansible_local.fhs.backup | d("/var/backups")) + "/luks_header_backup" }}'

cryptsetup__header_backup

Should a header backup be created and stored on the remote system and the Ansible controller? Refer to item.backup_header for details.

cryptsetup__header_backup: True

cryptsetup__header_backup_shred_command

Command plus options to use when shredding/deleting the header backup on the remote system. The file to delete will be passed as the last argument.
This is technically not needed, as the LUKS header is still present and left intact on the ciphertext block device, but the absent state is designed to remove all files/traces previously created by the role.
Also note the comment about effectiveness under cryptsetup__keyfile_shred_command.

cryptsetup__header_backup_shred_command: 'shred --remove --zero --iterations=2'
Ciphertext block device options

cryptsetup__use_uuid

Use the UUID of the ciphertext block device in /etc/crypttab instead of the file path given by item.ciphertext_block_device.
Refer to item.use_uuid for details.

cryptsetup__use_uuid: True
Swap options

cryptsetup__swap_priority

Default swap device priority, from -1 to 32767.
Higher numbers indicate higher priority.
Refer to item.swap_priority for details.

cryptsetup__swap_priority: -1

Filesystem options

cryptsetup__fstype

Default filesystem to create and configure in /etc/fstab.
Refer to item.fstype for details.

cryptsetup__fstype: 'ext4'

cryptsetup__fstab_file

File path to the fstab(5) file where file systems should be configured.

cryptsetup__fstab_file: '/etc/fstab'

cryptsetup__mount_options

List of default mount options. Refer to item.mount_options for details.

cryptsetup__mount_options:
  - 'noatime'
  - 'nodiratime'

cryptsetup__state

Default state for all devices.
Refer to item.state for details.

cryptsetup__state: 'mounted'

cryptsetup__mountpoint_parent_directory

Parent directory under which all encrypted filesystems will be mounted.

cryptsetup__mountpoint_parent_directory: '/media'
Cryptography defaults

cryptsetup__crypttab_options

Default list of options to configure for each device in /etc/crypttab.
Refer to item.crypttab_options for details.

cryptsetup__crypttab_options: []

cryptsetup__crypttab_file

File path to the crypttab(5) file where encrypted file systems should be configured.

cryptsetup__crypttab_file: '/etc/crypttab'

cryptsetup__hash

Specifies the passphrase hash.
For the luks item.mode it specifies the hash used in the LUKS key setup scheme and volume key digest for cryptsetup luksFormat.
Corresponds with the --hash parameter.
The current default of cryptsetup (as shown by cryptsetup --help) is sha1.
Set to default to use the compiled-in default of cryptsetup.
Refs: https://security.stackexchange.com/a/40218
This is the default for item.hash.

cryptsetup__hash: 'sha512'

cryptsetup__cipher

Cipher specification string.
Corresponds with the --cipher parameter.
The current default of cryptsetup (as shown by cryptsetup --help) is aes-xts-plain64.
Set to default to use the compiled-in default of cryptsetup.
This is the default for item.cipher.

cryptsetup__cipher: 'aes-xts-plain64'

cryptsetup__key_size

Key size in bits. The argument has to be a multiple of 8. The possible key sizes are limited by the cipher and mode used.
Corresponds with the --key-size parameter.
The current default of cryptsetup (as shown by cryptsetup --help) is 256.
Set to default to use the compiled-in default of cryptsetup.
Note that in XTS mode, only half of the key size specified here will be used for the block cipher (512 will result in AES-256). Using AES-128 is still considered secure and is faster in most cases. The reason to go with a different default value than the compiled-in default of cryptsetup was to have long-term secure storage even when quantum computing becomes available to your adversary. Plus, with hardware acceleration available in most x86 CPUs nowadays, it really does not make much of a difference anymore (at least for AES).
Refs: https://crypto.stackexchange.com/a/7869
This is the default for item.key_size.

cryptsetup__key_size: 512

cryptsetup__use_dev_random

Should /dev/random be used to generate the LUKS master key?
Corresponds with the --use-random and --use-urandom parameters.
The current default of cryptsetup (as shown by cryptsetup --help) is /dev/urandom.
Set to default to use the compiled-in default of cryptsetup.
Check random(4) and https://bettercrypto.org/ for details.

cryptsetup__use_dev_random: True

cryptsetup__iter_time

The number of milliseconds to spend on PBKDF2 passphrase processing.
Corresponds with the --iter-time parameter.
The current default of cryptsetup (as shown by cryptsetup --help) is 1000 milliseconds.
Set to default to use the compiled-in default of cryptsetup.
This is the default for item.iter_time.

cryptsetup__iter_time: 'default'
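The following added example (not the role's own templates or tasks) ties the cryptography defaults above and the cryptsetup__use_uuid option together: it builds the cryptsetup luksFormat argument vector from the role's variables, dropping any option whose value is the special string default so cryptsetup's compiled-in default applies, works out the key size the block cipher actually sees in XTS mode, and renders a crypttab(5) entry that references the ciphertext device by UUID. The function names, the constructed UUID and keyfile path, and the simplified crypttab option list are assumptions of this example.

```python
# Added example (not part of the debops.cryptsetup role): translate the role's
# cryptography defaults into luksFormat options and a crypttab(5) entry.

# The role's defaults as documented on this page.
ROLE_DEFAULTS = {
    "hash_algo": "sha512",        # cryptsetup__hash
    "cipher": "aes-xts-plain64",  # cryptsetup__cipher
    "key_size": 512,              # cryptsetup__key_size
    "use_dev_random": True,       # cryptsetup__use_dev_random
    "iter_time": "default",       # cryptsetup__iter_time
}


def luks_format_args(device, hash_algo="sha512", cipher="aes-xts-plain64",
                     key_size=512, use_dev_random=True, iter_time="default"):
    """Argument vector for `cryptsetup luksFormat`. Any setting equal to the
    string 'default' is left out, so cryptsetup's compiled-in default applies."""
    args = ["cryptsetup", "luksFormat"]
    if hash_algo != "default":
        args += ["--hash", str(hash_algo)]
    if cipher != "default":
        args += ["--cipher", str(cipher)]
    if key_size != "default":
        if int(key_size) % 8:
            raise ValueError("key size must be a multiple of 8 bits")
        args += ["--key-size", str(key_size)]
    if use_dev_random != "default":
        # True selects --use-random, False --use-urandom for the master key.
        args.append("--use-random" if use_dev_random else "--use-urandom")
    if iter_time != "default":
        args += ["--iter-time", str(iter_time)]
    args.append(device)
    return args


def effective_cipher_bits(cipher, key_size):
    """Bits the block cipher itself is keyed with: XTS splits --key-size into
    two halves, so aes-xts-plain64 with 512 is AES-256 and 256 is AES-128."""
    mode = cipher.split("-")[1] if "-" in cipher else ""
    return key_size // 2 if mode == "xts" else key_size


def crypttab_line(name, block_device, uuid, keyfile, use_uuid=True, options=("luks",)):
    """Render a simplified crypttab(5) entry. With use_uuid (the role's
    cryptsetup__use_uuid default) the ciphertext device is referenced by UUID,
    so the entry survives device renumbering. The 'luks' option is a
    constructed choice for this example, not the role's template."""
    source = "UUID=%s" % uuid if use_uuid else block_device
    return "%s %s %s %s" % (name, source, keyfile, ",".join(options))


if __name__ == "__main__":
    print(" ".join(luks_format_args("/dev/sdb1", **ROLE_DEFAULTS)))
    print("block cipher bits:",
          effective_cipher_bits(ROLE_DEFAULTS["cipher"], ROLE_DEFAULTS["key_size"]))
    print(crypttab_line("data", "/dev/sdb1", "11111111-2222-3333-4444-555555555555",
                        "/var/local/keyfiles/data.key"))
```

The block only assembles arguments; it never runs cryptsetup, so it can be checked without a block device. Two points it makes visible: cryptsetup__iter_time being 'default' means no --iter-time is passed at all, and the role's 512-bit key size yields AES-256, not a 512-bit AES, because of how XTS uses its key.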
Configuration for other Ansible roles

cryptsetup__persistent_paths__dependent_paths

Configuration for the debops.persistent_paths role.

cryptsetup__persistent_paths__dependent_paths:
  '50_debops_cryptsetup':
    by_role: 'debops.cryptsetup'
    paths:
      - '{{ cryptsetup__fstab_file }}'
      - '{{ cryptsetup__crypttab_file }}'
      - '{{ cryptsetup__keyfile_remote_location }}'
      - '{{ cryptsetup__header_backup_remote_location }}'
      - '{{ cryptsetup__mountpoint_parent_directory }}'