
#1 2016-09-02 18:44:48

duralux
Member
Registered: 2016-01-03
Posts: 4

Mount dislocker volume on startup

Hello,

I wrote a small bash script including these two lines

#!/bin/bash

dislocker -V /dev/sda4 --user-password=XXXX -- /mnt/unlock-data
mount -o loop /mnt/unlock-data/dislocker-file /mnt/data

and I am using a systemd unit as follows

[Unit]
Description=Mount data partition

[Service]
ExecStart=/usr/local/bin/data-mount
User=root

[Install]
WantedBy=multi-user.target

The error already starts with no dislocker file being created. However, if I run the command manually everything works fine. Any ideas?


#2 2016-10-17 19:59:31

mk.maddin
Member
Registered: 2016-10-17
Posts: 2

Re: Mount dislocker volume on startup

hey,

I am trying to achieve something very similar and think I am a small step further, but still facing the same problem.

The idea is the following:
When a BitLocker encrypted volume is connected I want to unlock it (automatically or via password prompt - I think some details here that do not matter for the problem we are facing).

The solution is planned to be something like this:
1. A udev rule which triggers a systemd unit
2. A systemd unit that triggers a script
3. A script that executes the dislocker unlock.

Everything is set up and works (when all functions are triggered manually) as expected.
So the udev rule applies on USB connect, the systemd unit (started via systemctl start <unit>) executes the script, and the script (when run manually from bash as root) unlocks & mounts the USB drive.
Well, unfortunately when all parts are put together the unlock & mount seem not to work as expected.
So what is the problem? - I investigated and found that everything works as expected - the drive is unlocked and mounted, but as soon as the script (and the systemd unit with it) ends,
the mount & the dislocker process are terminated, too.
This causes the volume not to be available, and since all this happens so fast it seems (to a human) that the device is not mounted at all.
As soon as a "sleep 60" command is added at the end of the script, the unlocked & mounted drive stays available for 60 seconds.
I think the reason is explained well here (topic: "Auto-mounting USB sticks"): http://www.volkerschatz.com/unix/advmount.html

I already tried to apply the workaround described in the link above (adding the process IDs of the mount & dislocker-fuse processes to /sys/fs/cgroup/systemd/tasks),
unfortunately it seems I can only "detach" one of the two processes.

Maybe there is somebody out there having an idea how to resolve this?
I am open to any kind of guesses or proposed solutions.


For completeness (and because I think it might be an important part of the solution) here is the systemd unit:

[Unit]
Description=BitLocker unlock

[Service]
Type=simple
RemainAfterExit=no
User=root
ExecStart=/bin/bash unlock.sh

[Install]
WantedBy=multi-user.target

And here is (a very simplified version of) the script executed:

##--define working variables (hardcoded for simplification)
pass='abcd1234'
device=/dev/sdb1
bpath=/tmp/.bitlocker/sdb1
mpath=/mnt/bitlocker/sdb1

##--unlock bitlocker
dislocker-fuse -V $device -u$pass -- $bpath

##--mount the unlocked "dislocker-file"
mount $bpath/dislocker-file $mpath -o loop

##--get process ID of dislocker & detach
dPIDdev=$(ps ax -o pid,command | grep "dislocker-fuse" | grep "$device" | grep -v grep | awk '{print $1}')
echo $dPIDdev >> /sys/fs/cgroup/systemd/tasks

##--get process ID of mount & detach
mPIDdev=$(ps ax -o pid,command | grep "mount" | grep "$mpath" | grep -v grep | awk '{print $1}')
echo $mPIDdev >> /sys/fs/cgroup/systemd/tasks

Last edited by mk.maddin (2016-10-17 20:06:40)


#3 2016-11-02 19:04:06

mk.maddin
Member
Registered: 2016-10-17
Posts: 2

Re: Mount dislocker volume on startup

Hey everyone,

after some research I was able to resolve my problem.

The solution was to tell the systemd unit NOT to kill subprocesses.
This can be done by adding

KillMode=process

into the unit file.

Putting it all together, here is a simple example of how the files should look:

udev rule:

ACTION=="add", SUBSYSTEM=="block", RUN+="/bin/systemctl --no-block start unlock.service"
ACTION=="remove", SUBSYSTEM=="block", RUN+="/bin/systemctl --no-block start unlock.service"

systemd unit:

[Unit]
Description=BitLocker unlock

[Service]
Type=simple
RemainAfterExit=no
User=root
ExecStart=/bin/bash unlock.sh
KillMode=process

[Install]
WantedBy=multi-user.target

bash script:

##--define working variables (hardcoded for simplification)
pass='abcd1234'
device=/dev/sdb1
bpath=/tmp/.bitlocker/sdb1
mpath=/mnt/bitlocker/sdb1

##--unlock bitlocker
(dislocker-fuse -V $device -u$pass -- $bpath &)

##--mount the unlocked "dislocker-file"
(mount $bpath/dislocker-file $mpath -o loop )

Please note that the above configuration of the files should just be a starting point.
For your own convenience I recommend not using them on a production system.
This solution is not secure and not efficient.

For myself, I am currently in the process of building a service to automatically lock & unlock devices based on a popup, with the help of sshpass.
Additionally, you should think of a way to keep track of removed devices, too.
In my own solution I am writing a kind of "status file" keeping track of every unlocked device and checking with the help of "dislocker-find" whether a device was removed or added.

Hope this helps some others to build cool ways of unlocking BitLocker on Unix :)

EDIT:
Ah, something I forgot.
It seems like dislocker-fuse needs a few seconds to unlock your drive.
This sometimes causes the "mount" command to fail (since "dislocker-file" does not exist yet).
Simply creating a loop that checks whether your dislocker-file already exists should resolve the problem.

while [ ! -f "$bpath/dislocker-file" ]; do
    sleep 0.5
done

Last edited by mk.maddin (2016-11-02 19:09:21)
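Putting the wait loop from the EDIT together with the unlock and mount steps, as an added example that is not mk.maddin's script: the poll for dislocker-file has a timeout instead of spinning forever, the password is read from a root-only file rather than hardcoded, and the FUSE mount is torn down with fusermount if the loop mount fails, so a half-unlocked volume does not linger under KillMode=process. The device, directory paths, password file and the 30 s timeout are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Assumed layout:
#   /etc/bitlocker/sdb1.pass  - password file, owned by root, mode 0600
#   /tmp/.bitlocker/sdb1      - dislocker-fuse mount point (dislocker-file)
#   /mnt/bitlocker/sdb1       - final mount point of the decrypted volume

# wait_for_file PATH TIMEOUT_SECONDS
# Returns 0 as soon as PATH is a regular file, 1 if the timeout elapses first.
# Polling every 0.2 s keeps the delay after unlock short.
wait_for_file() {
    local path="$1" timeout_s="$2"
    local ticks=$(( timeout_s * 5 ))
    while [ ! -f "$path" ]; do
        [ "$ticks" -gt 0 ] || return 1
        sleep 0.2
        ticks=$(( ticks - 1 ))
    done
    return 0
}

# unlock_and_mount DEVICE BPATH MPATH PASSFILE
# Starts dislocker-fuse, waits for its dislocker-file, then loop-mounts it.
# On any failure after dislocker-fuse started, the FUSE mount is removed.
unlock_and_mount() {
    local device="$1" bpath="$2" mpath="$3" passfile="$4"
    local pass
    # Reading from a 0600 file keeps the password out of the unit and script;
    # it is still passed on the command line, as in the thread, so it remains
    # visible in the process list while dislocker-fuse runs.
    pass=$(cat "$passfile") || return 1
    mkdir -p "$bpath" "$mpath" || return 1
    dislocker-fuse -V "$device" -u"$pass" -- "$bpath" || return 1
    if ! wait_for_file "$bpath/dislocker-file" 30; then
        echo "dislocker-file did not appear within 30 s" >&2
        fusermount -u "$bpath"
        return 1
    fi
    if ! mount -o loop "$bpath/dislocker-file" "$mpath"; then
        fusermount -u "$bpath"
        return 1
    fi
    return 0
}

# Usage from the unit's ExecStart (assumed paths):
# unlock_and_mount /dev/sdb1 /tmp/.bitlocker/sdb1 /mnt/bitlocker/sdb1 /etc/bitlocker/sdb1.pass
```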

