Newb question. How do I install cryptsetup?

Yes, I’m a newb - but loving it so far. I need to mount luks encrypted volumes. How do I install cryptsetup?

Is it possible to have a build command in the dockerfile? From what I’ve read it’s difficult to implement.
I need to attach luks encrypted volumes to bind mount the _data directories. The particular container is an SSH target.

I think the problem is a bit different - my understanding of LUKS (as far as I know, please correct me) is that it would need kernel support / LUKS needs to be included in the Linux kernel, in this case in the balenaOS / Yocto kernel. I don’t know if this is already included; otherwise you would probably need to build your own balenaOS for your use case and enable LUKS (I guess you can check this yourself, if it’s a kernel module: BalenaOS Masterclass - Balena Documentation). And to compile your own balenaOS, this will help: balenaOS - Docs

Afterwards you will probably need to build your own LUKS-enabled container with the software included in it, mount your drives into the container, and then decrypt and use them.

Thank you for clarification. I thought it would be something like this.

Hi,

It looks to me like you can just install the package and things will work.
Depending on how you’ve set up your Dockerfile (which base image), simply adding something like
RUN install_packages cryptsetup or RUN apt-get update && apt-get install -y cryptsetup
before your command should work.

Just tried a quick test on a running system and seems to work.


While I do have a Dockerfile in my local directory, the dockerfile is empty.
Which base image did you use?

Hi,

My Dockerfile starts with FROM balenalib/fincm3-openjdk:11-buster-run, which is a Debian image.

Hi,

As long as you only need to mount an external LUKS volume (e.g. an encrypted USB stick) within your application, it is possible to install cryptsetup into a privileged container and use it from there; all the necessary kernel modules should be available in balenaOS. If you are looking for a way to encrypt the host OS partitions, this is not possible at this moment, but we are working towards having it as a feature.

If you could elaborate a bit more on what you are trying to achieve, we can try to find a way that works the best for you. What device are you using? Is the device running some application or is it just provisioned within balenaCloud?

Thanks


Ok, just to update: I tried

FROM balenalib/raspberrypi4-64-buster-build
RUN install_packages cryptsetup-bin htop nmap
# start.sh has to be inside the image for CMD to find it
WORKDIR /usr/src/app
COPY start.sh ./
CMD ["bash", "start.sh"]

No luck.

@mtoman, I have some containers running Open-SSH. I have some luks encrypted usb drives that I wish to connect to the raspberry pi 4 and mount to each respective /var/lib/docker/_data directory for each SSH container. This I can do in raspbian/Ubuntu no problem.

I’m loving Balena Cloud btw. Thanks for the link @TJvV, I had no idea about the images etc. Fascinating.

You are heading the correct way.

Once you have all the packages installed, your start.sh must contain the code that unlocks and mounts the encrypted partition. A very minimalistic version of that would look something like the following:

#!/bin/bash
# Pipe the passphrase to cryptsetup; "--key-file -" reads it from stdin
echo -n "${LUKS_PASSPHRASE}" | cryptsetup luksOpen "${LUKS_DEVICE}" "${DM_DEVICE}" --key-file -
/etc/init.d/cryptdisks start
# Mount the unlocked mapping inside the container
mkdir -p "${SECRETS_MOUNT_POINT}"
mount "/dev/mapper/${DM_DEVICE}" "${SECRETS_MOUNT_POINT}"

where you need to set:

  • LUKS_PASSPHRASE - the passphrase necessary to unlock the volume. You can hardcode this into your application or set it as an environment variable in balenaCloud
  • LUKS_DEVICE - the identification of the external device, can be e.g. /dev/sda1, UUID=xxx, LABEL=yyy
  • DM_DEVICE - an artificial name for the unlocked device, if you use e.g. secrets it will become /dev/mapper/secrets
  • SECRETS_MOUNT_POINT - the directory within the container where the device should be mounted

In order to manipulate the devices, the container needs to be privileged and udev must be enabled. You mention having multiple containers, so I assume you do have a docker-compose.yml file; for the container that does the mounting you need to specify

privileged: true
environment:
  - UDEV=on

I understand that is a lot of information, please let us know if anything is unclear.

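The minimal start.sh in the reply above does the job but skips the checks a practitioner would want before piping a passphrase into cryptsetup. The script below is an added example, not code from this thread or from balena: it uses the same four variables (LUKS_PASSPHRASE, LUKS_DEVICE, DM_DEVICE, SECRETS_MOUNT_POINT) and the same privileged-container setup, and adds input validation, a LUKS header check, idempotent unlock/mount so a restarted container does not fail on an already-open mapping, hardened mount options, and cleanup on container stop. It assumes the workload to run after mounting (for an SSH target, something like /usr/sbin/sshd -D) is passed as arguments to the script; the function and variable names other than the four from the reply are my own.

```shell
#!/bin/bash
# Added example, not code from the thread: a start.sh that unlocks and mounts a
# LUKS volume inside a privileged balena container, with the checks the minimal
# snippet leaves out. It uses the same four variables as the reply:
#   LUKS_PASSPHRASE      passphrase (balenaCloud service variable)
#   LUKS_DEVICE          block device, e.g. /dev/sda1
#   DM_DEVICE            device-mapper name; the volume appears as /dev/mapper/$DM_DEVICE
#   SECRETS_MOUNT_POINT  directory inside the container to mount it at
# The workload to start once the volume is mounted (e.g. /usr/sbin/sshd -D) is
# passed as arguments; with no arguments the script only defines its functions.
set -eu

# Device-mapper names are used to build the /dev/mapper path, so restrict them to
# a safe character set: a service variable like "../sda" must not escape /dev/mapper.
valid_dm_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Fail early with a clear message instead of passing empty strings to cryptsetup.
require_var() {
    eval "_val=\${$1:-}"
    [ -n "$_val" ] || { echo "ERROR: $1 is not set" >&2; return 1; }
}

# Unlock LUKS_DEVICE as /dev/mapper/DM_DEVICE and mount it at SECRETS_MOUNT_POINT.
# Idempotent, so a restarted container does not fail on an already-open mapping.
luks_mount() {
    require_var LUKS_PASSPHRASE
    require_var LUKS_DEVICE
    require_var DM_DEVICE
    require_var SECRETS_MOUNT_POINT
    valid_dm_name "$DM_DEVICE" || { echo "ERROR: invalid DM_DEVICE '$DM_DEVICE'" >&2; return 1; }

    # Never send the passphrase to something that is not a LUKS header (a renumbered
    # /dev/sdX after a reboot, or an unencrypted stick plugged into the same port).
    cryptsetup isLuks "$LUKS_DEVICE" || { echo "ERROR: $LUKS_DEVICE is not a LUKS device" >&2; return 1; }

    if [ ! -e "/dev/mapper/$DM_DEVICE" ]; then
        # "--key-file -" reads the key from stdin as raw bytes and strips nothing, so
        # the passphrase must be written without a trailing newline (printf, not echo).
        printf '%s' "$LUKS_PASSPHRASE" | cryptsetup open --type luks "$LUKS_DEVICE" "$DM_DEVICE" --key-file -
    fi

    mkdir -p "$SECRETS_MOUNT_POINT"
    if ! grep -qsF " $SECRETS_MOUNT_POINT " /proc/mounts; then
        # nodev,nosuid: a removable data disk has no business supplying device
        # nodes or setuid binaries to the container.
        mount -o nodev,nosuid "/dev/mapper/$DM_DEVICE" "$SECRETS_MOUNT_POINT"
    fi
}

# Reverse luks_mount. Run on container stop so the key is removed from dm-crypt
# instead of staying in kernel memory for as long as the device is powered.
luks_umount() {
    if grep -qsF " $SECRETS_MOUNT_POINT " /proc/mounts; then
        umount "$SECRETS_MOUNT_POINT"
    fi
    if [ -e "/dev/mapper/$DM_DEVICE" ]; then
        cryptsetup close "$DM_DEVICE"
    fi
}

# Entry point: mount, run the workload, and close the volume when the workload
# exits or the container is stopped (the supervisor sends SIGTERM to PID 1).
main() {
    luks_mount
    "$@" &
    child=$!
    trap 'kill -TERM "$child" 2>/dev/null || true' INT TERM
    wait "$child" || true   # returns early when a signal arrives ...
    wait "$child" || true   # ... so wait again for the child to actually exit
    luks_umount
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

With this script the Dockerfile line would become `CMD ["bash", "start.sh", "/usr/sbin/sshd", "-D"]` (or whatever the container's foreground process is), and the compose service still needs `privileged: true` and `UDEV=on` as described above. The passphrase still comes from a service variable, which any process in the container can read; keeping the SSH container's workload from running as root limits what a compromised session can do with it.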

Thank you @mtoman for the excellent and detailed explanation. I haven’t had time to try this yet but I’ll circle back to it.


Hello @wazzz did you have time to test this?

Let us know if we can help you more 🙂

I still haven’t had time, sorry Marc. I’m pretty much just going with my own system now. The Balena cam demo kept failing and so did the Kerboros camera app. I spent a couple of days on it but it was too much at the time to fix.
My main thing is running Node-RED anyway. From there I can pretty much automate the system. Upcoming work seems to be ESP based too.

OK @wazzz, looking forward to hearing that everything worked well 🙂