Storage encryption through LUKS

Project description

pyluks

pyluks is a Python package for storage encryption through LUKS. It wraps the functionality provided by the cryptsetup command-line tool.

The pyluks package is structured in three subpackages:

  • fastluks contains the device class, which can be used to encrypt, access and manage storage devices. fastluks is based on the bash script fast-luks.
  • luksctl can be used to manage encrypted devices. It is based on the Python package luksctl.
  • luksctl_api is an API to check the status of encrypted volumes and open them if needed. It is based on the Python package luksctl_api.

Installation

Currently, Ubuntu and CentOS are supported.

To set up a virtual environment and install pyluks on CentOS, run:

yum install -y python3
python3 -m venv venv
. venv/bin/activate
pip install --upgrade pip
pip install pyluks

To do the same on Ubuntu:

apt-get update
apt-get install -y python3 python3-pip python3-venv
python3 -m venv venv
. venv/bin/activate
pip install --upgrade pip
pip install pyluks

Usage

Each subpackage's functionality can be accessed through a command-line tool.

fastluks

To perform encryption and volume setup with default parameters, the fastluks command can be used inside the virtual environment:

fastluks --device /dev/vdb

The encryption passphrase can be stored locally and/or on HashiCorp Vault.

  • To store the passphrase locally (this is usually done for testing purposes):

    fastluks --device /dev/vdb --save-passphrase-locally

  • To store the passphrase on Vault, the flag --vault must be used with the required arguments specified:

    fastluks --device /dev/vdb --vault --vault-url url --wrapping-token token --secret-path path --user-key key

luksctl

In order to manage a volume encrypted with fastluks, the command luksctl can be used from the command line:

# Display volume status
luksctl status

# Open encrypted volume
luksctl open

# Close encrypted volume
luksctl close

luksctl_api

To set up the API, run the luksctl_api command, indicating the type of computing node on which the API is installed and its options. For example:

# Install the API on a single virtual machine, using a self-signed certificate
luksctl_api --ssl --user luksctl_api
# Install the API on the master node of a cluster (NFS is used to share the encrypted volume data), using a self-signed certificate
luksctl_api --daemons nfs-server --ssl

By default, the API service is run by the user luksctl_api, which should have permission to run the luksctl command. The user should also have permission to run systemctl start and systemctl stop for the specified daemons. To run the API under a different user, specify the --user argument.
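
One way to grant exactly the permissions described above is a sudoers drop-in. This is an added example, not part of pyluks; it assumes the permissions are granted through sudo, that the virtual environment lives at the hypothetical path /opt/pyluks/venv, that systemctl is at /usr/bin/systemctl, and that nfs-server is the only daemon passed to --daemons.

```sudoers
# /etc/sudoers.d/luksctl_api  (constructed example; check with: visudo -cf <file>)
# Assumptions: sudo is the privilege mechanism, the venv is at the
# hypothetical path /opt/pyluks/venv, systemctl is at /usr/bin/systemctl.

# Too broad: the API user could run any command as root.
# luksctl_api ALL=(ALL) NOPASSWD: ALL

# Scoped: only the three luksctl subcommands shown in this README.
# Arguments listed in sudoers must match exactly, so other subcommands are refused.
Cmnd_Alias LUKSCTL_CMDS = /opt/pyluks/venv/bin/luksctl status, \
                          /opt/pyluks/venv/bin/luksctl open, \
                          /opt/pyluks/venv/bin/luksctl close

# Scoped: start/stop only, and only for the daemon given to --daemons.
Cmnd_Alias LUKS_DAEMONS = /usr/bin/systemctl start nfs-server, \
                          /usr/bin/systemctl stop nfs-server

luksctl_api ALL=(root) NOPASSWD: LUKSCTL_CMDS, LUKS_DAEMONS
```

The scoping only holds if the virtual environment is owned by root and not writable by luksctl_api; otherwise that user can replace the luksctl script that sudo runs as root.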

Download files

Source Distribution

pyluks-0.0.2.tar.gz (32.5 kB)

Uploaded Source

Built Distribution

pyluks-0.0.2-py3-none-any.whl (36.3 kB)

Uploaded Python 3

File details

Details for the file pyluks-0.0.2.tar.gz.

File metadata

  • Download URL: pyluks-0.0.2.tar.gz
  • Upload date:
  • Size: 32.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.9.18

File hashes

Hashes for pyluks-0.0.2.tar.gz
Algorithm Hash digest
SHA256 cfa1bbfa6f9d1cbd6a56d169228a821439f59cd26159f36456b0e41272d57a9e
MD5 40b5c7f5da9407399e9aa2f0875582bf
BLAKE2b-256 c0b8b36b9337ee280404e1894c72d903a56dbe2d90e060a7836a0bbd1277c523

File details

Details for the file pyluks-0.0.2-py3-none-any.whl.

File metadata

  • Download URL: pyluks-0.0.2-py3-none-any.whl
  • Upload date:
  • Size: 36.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.9.18

File hashes

Hashes for pyluks-0.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 45f3fab9aae8f55b8e9bb257db82d2e6cab1b91dff820cb962d58a790e188210
MD5 e8191b4d3b26bdc6530f09ac820f7f65
BLAKE2b-256 9da2385e599e472241fcafa2a4a5d673997656fab4cabc8bb7e18058de3255de
