luks_device – Manage encrypted (LUKS) devices

From Get docs
Ansible/docs/2.8/modules/luks device module


luks_device – Manage encrypted (LUKS) devices

New in version 2.8.


Synopsis

  • Module manages LUKS on given device. Supports creating, destroying, opening and closing of LUKS container and adding or removing new keys.

Requirements

The below requirements are needed on the host that executes this module.

  • cryptsetup
  • wipefs
  • lsblk

Parameters

Parameter Choices/Defaults Comments

device

string

Device to work with (e.g. /dev/sda1). Needed in most cases. Can be omitted only when state=closed together with name is provided.

force_remove_last_key

boolean

  • no

  • yes

If set to yes, allows removing the last key from a container.

BEWARE that when the last key has been removed from a container, the container can no longer be opened!

keyfile

path

Used to unlock the container and needed for most of the operations. Parameter value is the path to the keyfile with the passphrase.

BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected.

name

string

Sets container name when state=opened. Can be used instead of device when closing the existing container (i.e. when state=closed).

new_keyfile

path

Adds additional key to given container on device. Needs keyfile option for authorization. LUKS container supports up to 8 keys. Parameter value is the path to the keyfile with the passphrase.

NOTE that adding additional keys is not idempotent. A new keyslot will be used even if another keyslot already exists for this keyfile.

BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected.

remove_keyfile

path

Removes given key from the container on device. Does not remove the keyfile from filesystem. Parameter value is the path to the keyfile with the passphrase.

NOTE that removing keys is not idempotent. Trying to remove a key which no longer exists results in an error.

NOTE that to remove the last key from a LUKS container, the force_remove_last_key option must be set to yes.

BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected.

state

string

  • present

  • absent
  • opened
  • closed

Desired state of the LUKS container. Based on its value creates, destroys, opens or closes the LUKS container on a given device.

present will create LUKS container unless already present. Requires device and keyfile options to be provided.

absent will remove existing LUKS container if it exists. Requires device or name to be specified.

opened will unlock the LUKS container. If it does not exist it will be created first. Requires device and keyfile to be specified. Use the name option to set the name of the opened container. Otherwise the name will be generated automatically and returned as a part of the result.

closed will lock the LUKS container. However if the container does not exist it will be created. Requires device and keyfile options to be provided. If container does already exist device or name will suffice.



Examples

- name: create LUKS container (remains unchanged if it already exists)
  luks_device:
    device: "/dev/loop0"
    state: "present"
    keyfile: "/vault/keyfile"

- name: (create and) open the LUKS container; name it "mycrypt"
  luks_device:
    device: "/dev/loop0"
    state: "opened"
    name: "mycrypt"
    keyfile: "/vault/keyfile"

- name: close the existing LUKS container "mycrypt"
  luks_device:
    state: "closed"
    name: "mycrypt"

- name: make sure LUKS container exists and is closed
  luks_device:
    device: "/dev/loop0"
    state: "closed"
    keyfile: "/vault/keyfile"

- name: create container if it does not exist and add new key to it
  luks_device:
    device: "/dev/loop0"
    state: "present"
    keyfile: "/vault/keyfile"
    new_keyfile: "/vault/keyfile2"

- name: add new key to the LUKS container (container has to exist)
  luks_device:
    device: "/dev/loop0"
    keyfile: "/vault/keyfile"
    new_keyfile: "/vault/keyfile2"

- name: remove existing key from the LUKS container
  luks_device:
    device: "/dev/loop0"
    remove_keyfile: "/vault/keyfile2"

- name: completely remove the LUKS container and its contents
  luks_device:
    device: "/dev/loop0"
    state: "absent"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description

name

string

success

When state=opened returns (generated or given) name of LUKS container. Returns None if no name is supplied.


Sample:

luks-c1da9a58-2fde-4256-9d9f-6ab008b4dd1b




Status

Authors

  • Jan Pokorny (@japokorn)

Hint

If you notice any issues in this documentation you can edit this document to improve it.


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/luks_device_module.html