diff options
| author | Tomas Volf <wolf@wolfsden.cz> | 2024-01-11 18:35:39 +0100 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2024-01-14 23:00:03 +0100 |
| commit | d082312ef7adfea69c79d30ef947817b39832161 (patch) | |
| tree | d588cc3cda334c2c08cf08fe311255a5aa56841b /doc | |
| parent | db43edaa0a7eaa0064224b31fbce07469ebeb93e (diff) | |
mapped-devices: Allow unlocking by a key file.
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.
* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.
Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/guix.texi | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 811edd0bf7..c216d1b4a6 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -123,6 +123,7 @@ Copyright @copyright{} 2023 Foundation Devices, Inc.@* Copyright @copyright{} 2023 Thomas Ieong@* Copyright @copyright{} 2023 Saku Laesvuori@* Copyright @copyright{} 2023 Graham James Addis@* +Copyright @copyright{} 2023 Tomas Volf@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -17992,6 +17993,30 @@ command from the package with the same name. It relies on the @code{dm-crypt} Linux kernel module. @end defvar +@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +Return a @code{luks-device-mapping} object, which defines LUKS block +device encryption using the @command{cryptsetup} command from the +package with the same name. It relies on the @code{dm-crypt} Linux +kernel module. + +If @code{key-file} is provided, unlocking is first attempted using that +key file. This has an advantage of not requiring a password entry, so +it can be used (for example) to unlock RAID arrays automatically on +boot. If key file unlock fails, password unlock is attempted as well. +Key file is not stored in the store and needs to be available at the +given location at the time of the unlock attempt. + +@lisp +;; Following definition would be equivalent to running: +;; cryptsetup open --key-file /crypto.key /dev/sdb1 data +(mapped-device + (source "/dev/sdb1) + (target "data) + (type (luks-device-mapping-with-options + #:key-file "/crypto.key"))) +@end lisp +@end deffn + @defvar raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel |