Storage encryption through LUKS
pyluks
pyluks is a Python package for storage encryption through LUKS, wrapping the functionality provided by the cryptsetup command line tool.
The pyluks package is structured in three subpackages:
- fastluks contains the device class which can be used to encrypt, access and manage storage devices. fastluks is based on the bash script fast-luks.
- luksctl can be used to manage encrypted devices. It is based on the python package luksctl.
- luksctl_api is an API to check the status of encrypted volumes and open them if needed. It is based on the python package luksctl_api.
Installation
Currently, Ubuntu and CentOS are supported.
To set up a virtual environment and install pyluks on CentOS, run:
yum install -y python3
python3 -m venv venv
. venv/bin/activate
pip install --upgrade pip
pip install pyluks
To do the same on Ubuntu:
apt-get update
apt-get install -y python3 python3-pip python3-venv
python3 -m venv venv
. venv/bin/activate
pip install --upgrade pip
pip install pyluks
Usage
Each subpackage's functionality can be accessed through a command line tool.
fastluks
To perform encryption and volume setup with default parameters, the fastluks command can be used inside the virtual environment:
fastluks
The encryption passphrase can be stored locally and/or on HashiCorp Vault.
- To store the passphrase locally (this is usually done for testing purposes):
fastluks --save-passphrase-locally
- To store the passphrase on Vault, the flag --vault must be used with the required arguments specified:
fastluks --vault --vault-url url --wrapping-token token --secret-path path --user-key key
luksctl
In order to manage a volume encrypted with fastluks, the command luksctl can be used from the command line:
# Display volume status
luksctl status
# Open encrypted volume
luksctl open
# Close encrypted volume
luksctl close
luksctl_api
In order to set up the API, the command luksctl_api can be used, indicating the type of computing node on which the API is installed and its options, for example:
# Install the API on a single virtual machine, using a self signed certificate
luksctl_api master --infrastructure_config single_vm --ssl --user luksctl_api
# Install the API on the master node of a cloud using a self signed certificate
luksctl_api master --infrastructure_config cluster --ssl --node-list wn1 wn2 wn3
# Install the API on a computing node
luksctl_api wn --nfs-mountpoint-list /export
By default, the API service is run by the user luksctl_api, which should have the permission to run the luksctl command. To run the API under a different user, specify the --user argument.