NAME

nbdkit-luks-filter - read and write LUKS-encrypted disks and partitions

SYNOPSIS

 nbdkit file encrypted-disk.img --filter=luks passphrase=+/tmp/secret

DESCRIPTION

nbdkit-luks-filter is a filter for nbdkit(1) which transparently opens a LUKS-encrypted disk image. LUKS ("Linux Unified Key Setup") is the Full Disk Encryption (FDE) system commonly used by Linux systems. This filter is compatible with LUKSv1 as implemented by the Linux kernel (dm_crypt), and by qemu.

You can place this filter on top of nbdkit-file-plugin(1) to decrypt a local file:

 nbdkit file encrypted-disk.img --filter=luks passphrase=+/tmp/secret

If LUKS is present inside a partition in the disk image then you will have to combine this filter with nbdkit-partition-filter(1). The order of the filters is important:

 nbdkit file encrypted-disk.img \
             --filter=luks passphrase=+/tmp/secret \
             --filter=partition partition=1

This filter also works on top of other plugins such as nbdkit-curl-plugin(1):

 nbdkit curl https://example.com/encrypted-disk.img \
             --filter=luks passphrase=+/tmp/secret

The web server sees only the encrypted data. Without knowing the passphrase, the web server cannot access the decrypted disk. Only encrypted data is sent over the HTTP connection. nbdkit itself will serve unencrypted disk data over the NBD connection (if this is a problem see nbdkit-tls(1), or use a Unix domain socket -U).

The passphrase can be stored in a file (as shown), passed directly on the command line (insecure), entered interactively, or passed to nbdkit over a file descriptor.

This filter can read and write LUKSv1. It cannot create disks, change passphrases, add keyslots, etc. To do that, you can use ordinary Linux tools like cryptsetup(8). Note you must force LUKSv1 (eg. using cryptsetup --type luks1). qemu-img(1) can also create compatible disk images:

 qemu-img create -f luks \
                 --object secret,data=SECRET,id=sec0 \
                 -o key-secret=sec0 \
                 encrypted-disk.img 1G

PARAMETERS

passphrase=SECRET

Use the secret passphrase when decrypting the disk.

Note that passing this on the command line is not secure on shared machines.

passphrase=-

Ask for the passphrase (interactively) when nbdkit starts up.

passphrase=+FILENAME

Read the passphrase from the named file. This is a secure method to supply a passphrase, as long as you set the permissions on the file appropriately.

passphrase=-FD

Read the passphrase from file descriptor number FD, inherited from the parent process when nbdkit starts up. This is also a secure method to supply a passphrase.

FILES

$filterdir/nbdkit-luks-filter.so

The plugin.

Use nbdkit --dump-config to find the location of $filterdir.

VERSION

nbdkit-luks-filter first appeared in nbdkit 1.32.

SEE ALSO

nbdkit-curl-plugin(1), nbdkit-file-plugin(1), nbdkit-ip-filter(1), nbdkit-partition-filter(1), nbdkit(1), nbdkit-tls(1), nbdkit-plugin(3), cryptsetup(8), qemu-img(1).

AUTHORS

Richard W.M. Jones

COPYRIGHT

Copyright (C) 2013-2022 Red Hat Inc.

LICENSE

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.