
https://github.com/sammcj/puppet-luks

Puppet module for managing LUKS encrypted volumes

encryption encryption-tool luks puppet secret

# luks

## Description

Puppet module for managing LUKS encrypted volumes

[![Code Climate](https://codeclimate.com/github/codeclimate/codeclimate/badges/gpa.svg)](https://codeclimate.com/github/sammcj/puppet-luks)

## Setup

### Beginning with LUKS

This is a very basic module for configuring encrypted volumes using LUKS on Linux.

## Usage

The following creates a LUKS device at `/dev/mapper/secretdata`, backed by
the partition at `/dev/sdb1`, encrypted with the value of `$secret_key`:

```puppet
include ::luks

# Look the key up from Hiera (ideally an eyaml-encrypted backend); the
# variable needs the leading `$` to be assignable in Puppet.
$secret_key = hiera('luks_secret')

luks::device { 'secretdata':
  device         => '/dev/sdb1',
  key            => $secret_key,
  remove_catalog => true,
}
```

The secret key should come from somewhere encrypted such as [hiera-eyaml](https://github.com/voxpupuli/hiera-eyaml).

## Reference

### Parameters

#### `device`
The hardware device to back LUKS with -- any existing data will be
lost when formatted as a LUKS device!

#### `key`
The encryption key for the LUKS device.

#### `force_format`
Instructs `luksFormat` to run in batch mode, which essentially forces the block device
to be formatted without confirmation; use with care.

#### `base64`
Set to true if the key is base64-encoded (necessary for encryption keys
with binary data).

Defaults to false.

#### `mapper`
The name to use in `/dev/mapper` for the device.

Defaults to the name of the resource, i.e. `/dev/mapper/secretdata`.

## Limitations

- At the time of writing this, it has been tested against CentOS 7.2
- The key change functionality only _adds_ new keys; the original key(s) remain in other key slots. It is highly recommended to monitor key slot usage and manually remove redundant keys as required.
- **Warning**: The secret key (encrypted with the node certificate)
will still be cached by Puppet in the compiled catalog - _unless_ you use a null
[catalog_cache_terminus](https://docs.puppet.com/puppet/latest/configuration.html#catalogcacheterminus) to prevent this happening.
Examples: [https://github.com/dylanratcliffe/no_cached_catalogs](https://github.com/dylanratcliffe/no_cached_catalogs) and
[https://github.com/ross-w/secretresource](https://github.com/ross-w/secretresource)
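To act on the key-slot point above, here is an added example (my own, not part of the puppet-luks module) that counts the populated key slots in `cryptsetup luksDump` output, so slots left behind by an add-only key change can be flagged for manual removal. The `check_keyslots` wrapper and its slot threshold are assumptions, and the two sample dumps are constructed, abridged fragments of the LUKS1 and LUKS2 dump formats.

```shell
#!/bin/sh
# Added example, not part of the puppet-luks module: count the populated key
# slots in `cryptsetup luksDump` output so that extra slots left behind by the
# module's add-only key change can be detected and cleaned up by hand.
# Handles both LUKS1 ("Key Slot N: ENABLED") and LUKS2 ("Keyslots:" section
# with "  N: luks2" entries).

# count_keyslots: read a luksDump on stdin, print the number of slots in use.
count_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }        # LUKS1 slot in use
        /^Keyslots:/  { in_slots = 1; next }       # start of LUKS2 section
        in_slots && /^[A-Za-z]/ { in_slots = 0 }   # next top-level section
        in_slots && /^  [0-9]+: luks2/ { n++ }     # LUKS2 slot entry
        END { print n + 0 }
    '
}

# check_keyslots DEVICE MAX: succeed only if DEVICE uses at most MAX slots.
# Hypothetical monitoring hook; needs root and a real LUKS device.
check_keyslots() {
    used=$(cryptsetup luksDump "$1" | count_keyslots)
    [ "$used" -le "$2" ]
}

# Constructed sample dumps (abridged) so the example runs offline.
LUKS1_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
        Iterations:             229376
Key Slot 1: ENABLED
        Iterations:             262144
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

LUKS2_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

printf 'LUKS1 slots in use: %s\n' "$(printf '%s\n' "$LUKS1_DUMP" | count_keyslots)"
printf 'LUKS2 slots in use: %s\n' "$(printf '%s\n' "$LUKS2_DUMP" | count_keyslots)"
```

On a real host, `check_keyslots /dev/sdb1 1` run from cron or a monitoring agent would fail once a rotation has left a second slot populated.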

## Development/Release Notes/Contributors/Etc.

Please feel free to submit issues and merge requests, or otherwise contribute to this module.

- [Official LUKS website](https://guardianproject.info/code/luks/)
- [Module on Puppet Forge](https://forge.puppet.com/sammcj/luks/readme)