debops.cryptsetup allows you to configure encrypted filesystems on top of
any given block device using dm-crypt/cryptsetup and LUKS. A random
keyfile generated on the Ansible controller will be used for the encryption by
default. It is your responsibility that the keyfile is kept secure for this to
make sense. For example by storing the keyfile on an already encrypted
filesystem (both on the Ansible controller and the remote system).
Create a random keyfile or use an already existing keyfile.
/etc/fstaband mount point directories.
Create a LUKS header backup and store it on the Ansible controller.
Decrypt and mount an encrypted filesystem and never store any key material on persistent storage on the remote system. You might need to take care of your Swap space yourself for this!
Setup an encrypted swap space (with random key or with persistent key).
Setup filesystems using a random key on boot.
cryptsetup plain, LUKS, TrueCrypt and VeraCrypt mode.
Multiple ciphers and corresponding keys chained to encrypt one filesystem.
- Getting started
- Guides and examples
- debops.cryptsetup default variables
- Default variable details
debops.cryptsetup - Setup and manage encrypted filesystems
Copyright (C) 2015-2020 Robin Schneider <email@example.com>
Copyright (C) 2015-2020 DebOps <https://debops.org/>
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see https://www.gnu.org/licenses/.