Add a luks encryption service which will be set up as a systemd service that manages the creation and configuration of encrypted volume and runs during the boot process and host unlocking.

This commit covers only the debian packaging framework for luks-fs-mgr. The code changes below will enable luks-fs-mgr pkg build and be part of ISO when deployed.

Test Plan:
PASSED: build-pkgs -c -p luks-fs-mgr
PASSED: build-image
PASSED: AIO-SX bootstrap
PASSED: binary available at /usr/local/sbin/
PASSED: systemd unit file available at /lib/systemd/system
PASSED: luks_config.json available at /etc/luks-fs-mgr.d/
PASSED: AIO-SX sudo systemctl status luks-fs-mgr
  luks-fs-mgr.service - Create and mount encrypted vault using LUKS
  Loaded: loaded (/lib/systemd/system/luks-fs-mgr.service; enabled; vendor preset: enabled)
  Active: inactive (dead) since Tue 2023-08-29 08:18:58 UTC; 2h 16min ago
  Main PID: 4607 (code=exited, status=0/SUCCESS)
  CPU: 7.063s

Story: 2010872
Task: 48650
Change-Id: I12ca14368eaf466b3148c2de4ce9202a9aa5a19b
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
33 lines
1.7 KiB
Plaintext
```
Source: luks-fs-mgr
Section: admin
Priority: optional
Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Build-Depends: debhelper-compat (= 13),
               libjson-c-dev
Standards-Version: 4.5.1
Homepage: https://www.starlingx.io

Package: luks-fs-mgr
Architecture: any
Depends: ${misc:Depends}, ${shlibs:Depends}, systemd
Description: Luks encryption service manager
 The Luks Encryption Service Manager operates as an essential component during
 the boot process and host unlocking, serving as a critical safeguard for data
 on StarlingX. This service is responsible for managing the creation,
 configuration, and utilization of encrypted volumes, all in accordance with
 the Linux Unified Key Setup (LUKS) standard. Its functionality is driven by
 the information provided in the luks_config.json file, which acts as a
 blueprint for configuring the encryption process.
 Upon startup, the service reads the luks_config.json file to extract crucial
 parameters, such as the vault file path, volume size, volume name, and
 mounting path. If the service detects that the encryption volume is already
 open, it unseals it. This step ensures a seamless experience for users, as they
 can quickly access their encrypted data without redundant processes.
 However, if the encryption volume is not open, the service dynamically creates
 one based on the parameters defined in the JSON configuration. It initializes
 the vault file using random data, then proceeds to set up the LUKS encryption
 mechanism and unseals the newly created volume.
 To ensure the highest level of security, the Luks Encryption Service Manager
 employs error handling and logging mechanisms, enabling administrators to
 monitor and troubleshoot any issues that may arise.
```
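Because the package description says the service is driven entirely by luks_config.json at boot, a pre-flight check of that file is a useful hardening step. The following is an added example, not code from this commit or from StarlingX. The JSON key names, the sample paths and the assumption that the service runs as root are hypothetical, since the page lists the four parameters but not the schema.

```python
import json
import os
import re
import stat

# Hypothetical key names for the four parameters the description lists.
REQUIRED = ("vault_file", "volume_size_mb", "volume_name", "mount_path")
SAFE_NAME = re.compile(r"[A-Za-z0-9_.+-]{1,64}")  # conservative mapper-name charset

def check_config_text(text):
    """Return a list of problems in the JSON document (empty list means OK)."""
    try:
        cfg = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = [f"missing key: {k}" for k in REQUIRED if k not in cfg]
    for key in ("vault_file", "mount_path"):
        p = cfg.get(key)
        if key in cfg and not (isinstance(p, str) and os.path.isabs(p)
                               and ".." not in p.split("/")):
            problems.append(f"{key}: must be an absolute path without '..'")
    size = cfg.get("volume_size_mb")
    if "volume_size_mb" in cfg and not (type(size) is int and size > 0):
        problems.append("volume_size_mb: must be a positive integer")
    name = cfg.get("volume_name")
    if "volume_name" in cfg and not (isinstance(name, str)
                                     and SAFE_NAME.fullmatch(name)):
        problems.append("volume_name: unsafe characters for a mapper name")
    return problems

def check_file_mode(st):
    """Assumes a root-run service: only root should be able to edit its config."""
    problems = []
    if st.st_uid != 0:
        problems.append("config not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("config writable by group or others")
    return problems

# Constructed sample inputs, not taken from the package.
GOOD = ('{"vault_file": "/var/luks/vault.img", "volume_size_mb": 256, '
        '"volume_name": "luks_vault", "mount_path": "/var/luks/mnt"}')
BAD = ('{"vault_file": "../vault.img", "volume_size_mb": -1, '
       '"volume_name": "a b;c", "mount_path": "/mnt/x"}')

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_config_text(doc))
```

On a deployed host, `check_file_mode(os.stat(path))` can be run against the installed config file under /etc/luks-fs-mgr.d/.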