debops.cryptsetup allows you to configure encrypted filesystems on top of
any given block device using dm-crypt/cryptsetup and LUKS. A random
keyfile generated on the Ansible controller will be used for the encryption by
default. It is your responsibility that the keyfile is kept secure for this to
make sense. For example by storing the keyfile on an already encrypted
filesystem (both on the Ansible controller and the remote system).
- Create a random keyfile or use an already existing keyfile.
- Manage
/etc/crypttaband/etc/fstaband mount point directories. - Create a LUKS header backup and store it on the Ansible controller.
- Decrypt and mount an encrypted filesystem and never store any key material on persistent storage on the remote system. You might need to take care of your Swap space yourself for this!
- Setup an encrypted swap space (with random key or with persistent key).
- Setup filesystems using a random key on boot.
cryptsetupplain, LUKS, TrueCrypt and VeraCrypt mode.- Multiple ciphers and corresponding keys chained to encrypt one filesystem.
This role requires at least Ansible v2.2.3. To install it, run:
ansible-galaxy install debops.cryptsetupMore information about debops.cryptsetup can be found in the
official debops.cryptsetup documentation.
debops.secret
You may need to include missing roles from the DebOps common playbook into your playbook.
Try DebOps now for a complete solution to run your Debian-based infrastructure.
- Robin Schneider (maintainer) | e-mail | GitHub
License: GPL-3.0
This role is part of DebOps. README generated by ansigenome.