luks

package v0.0.8

This package is not in the latest version of its module.

Published: Mar 30, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

const DefaultKeyFilePath = "/etc/luks/keyfile"

DefaultKeyFilePath is the standard path for LUKS key files in initramfs.

Variables

This section is empty.

Functions

func GenerateCrypttab

func GenerateCrypttab(targets []Target, method UnlockMethod) string

GenerateCrypttab creates /etc/crypttab content for the provisioned OS.

func MappedPath

func MappedPath(mappedName string) string

MappedPath returns the /dev/mapper path for a mapped LUKS volume.
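The page does not show the output format of GenerateCrypttab. The following is an added example, not the package's own code, of what a crypttab generator for these four unlock methods has to decide per line: the key-file column, the options that each boot-time unlock method needs, and whether the device reference is stable. BuildCrypttab, stableRef and the per-method options are this example's choices (the options are those documented in crypttab(5) for systemd-cryptsetup and clevis); the package's function returns only a string, this one also reports unusable input.

```go
package main

import (
	"fmt"
	"strings"
)

// UnlockMethod and Target mirror the package's types so this file runs alone.
type UnlockMethod string

const (
	UnlockPassphrase UnlockMethod = "passphrase"
	UnlockTPM2       UnlockMethod = "tpm2"
	UnlockClevis     UnlockMethod = "clevis"
	UnlockKeyFile    UnlockMethod = "keyfile"
)

type Target struct {
	Device     string
	MappedName string
}

const DefaultKeyFilePath = "/etc/luks/keyfile"

// MappedPath returns the device-mapper node a crypttab entry will create.
func MappedPath(mappedName string) string { return "/dev/mapper/" + mappedName }

// stableRef reports whether a device spec survives disk reordering;
// bare /dev/sdX names do not, and a wrong device at boot means no unlock.
func stableRef(dev string) bool {
	for _, p := range []string{"UUID=", "PARTUUID=", "LABEL=", "/dev/disk/by-", "/dev/mapper/"} {
		if strings.HasPrefix(dev, p) {
			return true
		}
	}
	return false
}

// BuildCrypttab renders crypttab(5) lines: "<name> <device> <keyfile> <options>".
// Illustrative stand-in for the package's GenerateCrypttab (assumption: the
// package's format is the standard four-column one).
func BuildCrypttab(targets []Target, method UnlockMethod) (string, error) {
	var b strings.Builder
	b.WriteString("# <target name>\t<source device>\t<key file>\t<options>\n")
	for _, t := range targets {
		if t.Device == "" || t.MappedName == "" {
			return "", fmt.Errorf("crypttab: target needs device and mapped name: %+v", t)
		}
		if strings.ContainsAny(t.Device+t.MappedName, " \t\n") {
			return "", fmt.Errorf("crypttab: whitespace in %+v would split the entry", t)
		}
		key, opts := "none", "luks"
		switch method {
		case UnlockPassphrase:
			// "none": the initramfs prompts for the passphrase on the console.
		case UnlockKeyFile:
			// The key lives inside the initramfs image, so anyone who can read
			// /boot can read it; this only helps when /boot itself is protected.
			key = DefaultKeyFilePath
		case UnlockTPM2:
			// systemd-cryptsetup unseals the key from the TPM selected here.
			opts += ",tpm2-device=auto"
		case UnlockClevis:
			// Tang is reached over the network; _netdev delays unlock until it is up.
			opts += ",_netdev"
		default:
			return "", fmt.Errorf("crypttab: unsupported unlock method %q", method)
		}
		if !stableRef(t.Device) {
			fmt.Fprintf(&b, "# warning: %s is not a stable reference; prefer UUID=\n", t.Device)
		}
		fmt.Fprintf(&b, "%s\t%s\t%s\t%s\n", t.MappedName, t.Device, key, opts)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample targets; the UUID is made up.
	targets := []Target{
		{Device: "UUID=1111-2222", MappedName: "cryptroot"},
		{Device: "/dev/sda3", MappedName: "crypthome"},
	}
	out, err := BuildCrypttab(targets, UnlockTPM2)
	fmt.Print(out, err, "\n", MappedPath("cryptroot"), "\n")
}
```

The keyfile branch is the one to read twice: a key file in the initramfs is only as secret as the initramfs image, so that method is a convenience for unattended boot, not a protection against someone with the disk in hand.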

Types

type Commander

type Commander interface {
	executil.Commander
	RunWithInput(ctx context.Context, input, name string, args ...string) ([]byte, error)
}

Commander abstracts command execution for easier unit testing. It extends executil.Commander with the stdin support cryptsetup needs, so passphrases are supplied on stdin rather than as command-line arguments.

type Config

type Config struct {
	Enabled      bool         `json:"enabled"`
	Partitions   []Target     `json:"partitions"`
	UnlockMethod UnlockMethod `json:"unlockMethod"`
	Passphrase   string       `json:"-"`
	TangURL      string       `json:"tangUrl,omitempty"` // Phase 2: tang server URL for clevis enrollment
	TPMPCRs      []int        `json:"tpmPcrs,omitempty"` // Phase 2: PCR values for TPM2 enrollment
	Cipher       string       `json:"cipher,omitempty"`
	KeySize      int          `json:"keySize,omitempty"`
	Hash         string       `json:"hash,omitempty"`
}

Config holds LUKS encryption configuration.
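Two things about Config are worth checking before the struct ever reaches cryptsetup: the `json:"-"` tag on Passphrase means a marshalled Config (state file, log line, API response) never contains the secret, and the Phase 2 fields are only meaningful for the matching UnlockMethod. The Validate and Persist functions below are an added example, not part of the package; they assume Format consumes cfg.Passphrase for the initial key slot whatever the boot-time unlock method is, and that PCR indices follow the TPM 2.0 range 0 to 23.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

type UnlockMethod string

const (
	UnlockPassphrase UnlockMethod = "passphrase"
	UnlockTPM2       UnlockMethod = "tpm2"
	UnlockClevis     UnlockMethod = "clevis"
	UnlockKeyFile    UnlockMethod = "keyfile"
)

type Target struct {
	Device     string `json:"device"`
	MappedName string `json:"mappedName"`
}

// Config mirrors the package's struct; `json:"-"` on Passphrase keeps it out
// of every marshalled copy, so it has to be supplied out of band.
type Config struct {
	Enabled      bool         `json:"enabled"`
	Partitions   []Target     `json:"partitions"`
	UnlockMethod UnlockMethod `json:"unlockMethod"`
	Passphrase   string       `json:"-"`
	TangURL      string       `json:"tangUrl,omitempty"`
	TPMPCRs      []int        `json:"tpmPcrs,omitempty"`
	Cipher       string       `json:"cipher,omitempty"`
	KeySize      int          `json:"keySize,omitempty"`
	Hash         string       `json:"hash,omitempty"`
}

// Validate rejects configurations that would fail at cryptsetup time or that
// silently deliver less than the operator thinks. Illustrative, not the package's.
func (c *Config) Validate() error {
	if !c.Enabled {
		return nil
	}
	if len(c.Partitions) == 0 {
		return errors.New("luks: enabled but no partitions listed")
	}
	seen := map[string]bool{}
	for _, p := range c.Partitions {
		if p.Device == "" || p.MappedName == "" {
			return fmt.Errorf("luks: partition needs device and mappedName: %+v", p)
		}
		if seen[p.MappedName] {
			return fmt.Errorf("luks: duplicate mapped name %q", p.MappedName)
		}
		seen[p.MappedName] = true
	}
	// Assumption: Format uses Passphrase for the first key slot regardless of
	// how the volume is unlocked at boot, so it is always required.
	if c.Passphrase == "" {
		return errors.New("luks: passphrase is required to format")
	}
	switch c.UnlockMethod {
	case UnlockPassphrase, UnlockKeyFile:
	case UnlockTPM2:
		for _, pcr := range c.TPMPCRs {
			if pcr < 0 || pcr > 23 {
				return fmt.Errorf("luks: PCR %d outside 0-23", pcr)
			}
		}
	case UnlockClevis:
		u, err := url.Parse(c.TangURL)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			return fmt.Errorf("luks: clevis needs an http(s) tang URL, got %q", c.TangURL)
		}
	default:
		return fmt.Errorf("luks: unknown unlock method %q", c.UnlockMethod)
	}
	// XTS splits the key in two: aes-xts with keySize 256 is AES-128 and 512
	// is AES-256. Other sizes are rejected by cryptsetup anyway.
	if strings.HasPrefix(c.Cipher, "aes-xts") && c.KeySize != 0 && c.KeySize != 256 && c.KeySize != 512 {
		return fmt.Errorf("luks: keySize %d invalid for %s (use 256 or 512)", c.KeySize, c.Cipher)
	}
	return nil
}

// Persist marshals the config for storage; the passphrase never appears in it.
func Persist(c *Config) (string, error) {
	b, err := json.MarshalIndent(c, "", "  ")
	return string(b), err
}

func main() {
	// Constructed sample configuration; the tang host and passphrase are made up.
	cfg := &Config{
		Enabled:      true,
		Partitions:   []Target{{Device: "/dev/sda2", MappedName: "cryptroot"}},
		UnlockMethod: UnlockClevis,
		Passphrase:   "constructed-passphrase",
		TangURL:      "https://tang.internal:8080",
		Cipher:       "aes-xts-plain64",
		KeySize:      512,
	}
	fmt.Println("validate:", cfg.Validate())
	s, _ := Persist(cfg)
	fmt.Println(s) // no "passphrase" key in the output
}
```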

type ExecCommander

type ExecCommander struct {
	executil.ExecCommander
}

ExecCommander executes real system commands with sanitized error output.

func (*ExecCommander) RunWithInput

func (e *ExecCommander) RunWithInput(ctx context.Context, input, name string, args ...string) ([]byte, error)

RunWithInput executes a command with stdin input.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager handles LUKS encryption operations.

func New

func New(log *slog.Logger) *Manager

New creates a LUKS encryption manager.

func NewWithCommander

func NewWithCommander(log *slog.Logger, cmd Commander) *Manager

NewWithCommander creates a manager with a custom commander for tests.

func (*Manager) Close

func (m *Manager) Close(ctx context.Context, mappedName string) error

Close unmaps a LUKS volume.

func (*Manager) Format

func (m *Manager) Format(ctx context.Context, target *Target, cfg *Config) error

Format creates a LUKS2 volume on the target device.

func (*Manager) IsLUKS

func (m *Manager) IsLUKS(ctx context.Context, device string) bool

IsLUKS checks if a device contains a LUKS header.

func (*Manager) IsLUKSWithError

func (m *Manager) IsLUKSWithError(ctx context.Context, device string) (bool, error)

IsLUKSWithError checks if a device contains a LUKS header and returns errors.

func (*Manager) Open

func (m *Manager) Open(ctx context.Context, target *Target, passphrase string) error

Open maps a LUKS volume to /dev/mapper/<name>.
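The reason Commander carries RunWithInput, and why Manager needs a custom Commander for tests, is shown below in an added example that is not the package's code. It assumes a minimal Commander with Run and RunWithInput (the real interface embeds executil.Commander, which is not reproduced), passes the passphrase to cryptsetup through `--key-file -` on stdin so it never appears in argv, reduces failures to an exit status so raw cryptsetup output is not propagated, and uses a recording fake to unit-test Format and IsLUKS without a block device. The exit-status-1 convention for "not LUKS" is taken from cryptsetup's behaviour as observed, not from this page.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Commander is the subset of the package's interface used here; the real one
// embeds executil.Commander, which is not reproduced.
type Commander interface {
	Run(ctx context.Context, name string, args ...string) ([]byte, error)
	RunWithInput(ctx context.Context, input, name string, args ...string) ([]byte, error)
}

// ExitStatusError keeps only the exit code: callers can branch on it without
// ever seeing raw cryptsetup output.
type ExitStatusError struct{ Code int }

func (e *ExitStatusError) Error() string { return fmt.Sprintf("exit status %d", e.Code) }

// ExecCommander runs real commands. Secrets go on stdin, never argv, because
// argv is readable by every local user through /proc/<pid>/cmdline.
type ExecCommander struct{}

func (ExecCommander) Run(ctx context.Context, name string, args ...string) ([]byte, error) {
	return sanitize(exec.CommandContext(ctx, name, args...).CombinedOutput())
}

func (ExecCommander) RunWithInput(ctx context.Context, input, name string, args ...string) ([]byte, error) {
	cmd := exec.CommandContext(ctx, name, args...)
	cmd.Stdin = strings.NewReader(input)
	return sanitize(cmd.CombinedOutput())
}

// sanitize drops the command's output on failure and reports just the status.
func sanitize(out []byte, err error) ([]byte, error) {
	var ee *exec.ExitError
	if errors.As(err, &ee) {
		return nil, &ExitStatusError{Code: ee.ExitCode()}
	}
	if err != nil {
		return nil, err // binary missing, context cancelled, ...
	}
	return out, nil
}

type Manager struct{ cmd Commander }

// Format runs luksFormat with the passphrase on stdin. "--key-file -" reads
// stdin as a raw key, so no trailing newline is sent; a slot written this way
// must also be opened with "--key-file -", or the key bytes will not match.
func (m *Manager) Format(ctx context.Context, device, passphrase string) error {
	if passphrase == "" {
		return errors.New("luks: refusing to format with an empty passphrase")
	}
	_, err := m.cmd.RunWithInput(ctx, passphrase, "cryptsetup", "luksFormat",
		"--type", "luks2", "--batch-mode", "--key-file", "-", device)
	return err
}

// IsLUKS maps exit status 1 from "cryptsetup isLuks" to "not LUKS" and treats
// any other failure (missing device, no permission) as a real error.
func (m *Manager) IsLUKS(ctx context.Context, device string) (bool, error) {
	_, err := m.cmd.Run(ctx, "cryptsetup", "isLuks", device)
	var es *ExitStatusError
	if errors.As(err, &es) && es.Code == 1 {
		return false, nil
	}
	return err == nil, err
}

// fakeCommander records every call and simulates isLuks for unit tests.
type call struct {
	name, stdin string
	args        []string
}

type fakeCommander struct {
	calls []call
	luks  map[string]bool // devices "formatted" so far
}

func (f *fakeCommander) Run(_ context.Context, name string, args ...string) ([]byte, error) {
	f.calls = append(f.calls, call{name: name, args: args})
	if name == "cryptsetup" && len(args) == 2 && args[0] == "isLuks" && !f.luks[args[1]] {
		return nil, &ExitStatusError{Code: 1}
	}
	return nil, nil
}

func (f *fakeCommander) RunWithInput(_ context.Context, input, name string, args ...string) ([]byte, error) {
	f.calls = append(f.calls, call{name: name, stdin: input, args: args})
	if name == "cryptsetup" && len(args) > 0 && args[0] == "luksFormat" {
		f.luks[args[len(args)-1]] = true
	}
	return nil, nil
}

func main() {
	fake := &fakeCommander{luks: map[string]bool{}}
	m := &Manager{cmd: fake}
	_ = m.Format(context.Background(), "/dev/sdz2", "constructed-passphrase")
	ok, _ := m.IsLUKS(context.Background(), "/dev/sdz2")
	fmt.Println("is LUKS:", ok, "argv:", fake.calls[0].args) // passphrase absent from argv
}
```

Swap `fake` for `ExecCommander{}` to run against a real device; the test below only asserts on what the fake recorded, which is the point of the Commander seam.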

type Target

type Target struct {
	Device     string `json:"device"`
	MappedName string `json:"mappedName"`
}

Target identifies a partition to encrypt.

type UnlockMethod

type UnlockMethod string

UnlockMethod specifies how LUKS volumes auto-unlock on boot.

const (
	// UnlockPassphrase requires manual passphrase entry at boot.
	UnlockPassphrase UnlockMethod = "passphrase"
	// UnlockTPM2 binds the key to TPM2 PCR values.
	UnlockTPM2 UnlockMethod = "tpm2"
	// UnlockClevis uses network-bound decryption via tang server.
	UnlockClevis UnlockMethod = "clevis"
	// UnlockKeyFile uses a key file embedded in the initramfs.
	UnlockKeyFile UnlockMethod = "keyfile"
)
