NAME
nbdkit-luks-filter - read and write LUKS-encrypted disks and partitions
SYNOPSIS
nbdkit file encrypted-disk.img --filter=luks passphrase=+/tmp/secret
DESCRIPTION
"nbdkit-luks-filter" is a filter for nbdkit(1) which transparently opens a LUKS-encrypted disk image. LUKS ("Linux Unified Key Setup") is the Full Disk Encryption (FDE) system commonly used by Linux systems. This filter is compatible with LUKSv1 as implemented by the Linux kernel (dm_crypt), and by qemu.
You can place this filter on top of nbdkit-file-plugin(1) to decrypt a local file:
nbdkit file encrypted-disk.img --filter=luks passphrase=+/tmp/secret
If LUKS is present inside a partition in the disk image then you will have to combine this filter with nbdkit-partition-filter(1). The order of the filters is important:
nbdkit file
encrypted-disk.img \
--filter=luks passphrase=+/tmp/secret \
--filter=partition partition=1
This filter also works on top of other plugins such as nbdkit-curl-plugin(1):
nbdkit curl
https://example.com/encrypted-disk.img \
--filter=luks passphrase=+/tmp/secret
The web server sees only the encrypted data. Without knowing the passphrase, the web server cannot access the decrypted disk. Only encrypted data is sent over the HTTP connection. nbdkit itself will serve unencrypted disk data over the NBD connection (if this is a problem see nbdkit-tls(1), or use a Unix domain socket -U).
The passphrase can be stored in a file (as shown), passed directly on the command line (insecure), entered interactively, or passed to nbdkit over a file descriptor.
This filter can read and write LUKSv1. It cannot create disks, change passphrases, add keyslots, etc. To do that, you can use ordinary Linux tools like cryptsetup(8). Note you must force LUKSv1 (eg. using cryptsetup --type luks1). qemu-img(1) can also create compatible disk images:
qemu-img create
-f luks \
--object secret,data=SECRET,id=sec0 \
-o key-secret=sec0 \
encrypted-disk.img 1G
PARAMETERS
passphrase=SECRET
Use the secret passphrase when decrypting the disk.
Note that passing this on the command line is not secure on shared machines.
passphrase=-
Ask for the passphrase (interactively) when nbdkit starts up.
passphrase=+FILENAME
Read the passphrase from the named file. This is a secure method to supply a passphrase, as long as you set the permissions on the file appropriately.
passphrase=-FD
Read the passphrase from file descriptor number "FD", inherited from the parent process when nbdkit starts up. This is also a secure method to supply a passphrase.
FILES
$filterdir/nbdkit-luks-filter.so
The plugin.
Use "nbdkit --dump-config" to find the location of $filterdir.
VERSION
"nbdkit-luks-filter" first appeared in nbdkit 1.32.
SEE ALSO
nbdkit-curl-plugin(1), nbdkit-file-plugin(1), nbdkit-ip-filter(1), nbdkit-partition-filter(1), nbdkit(1), nbdkit-tls(1), nbdkit-plugin(3), cryptsetup(8), qemu-img(1).
AUTHORS
Richard W.M. Jones
COPYRIGHT
Copyright Red Hat
LICENSE
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
• |
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. | ||
• |
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. | ||
• |
Neither the name of Red Hat nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. |
THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ’’AS IS’’ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.