NAME

       nbdkit-luks-filter - read and write LUKS-encrypted disks and partitions

SYNOPSIS

        nbdkit file encrypted-disk.img --filter=luks passphrase=+/tmp/secret

DESCRIPTION

       "nbdkit-luks-filter" is a filter for nbdkit(1) which transparently opens a LUKS-encrypted
       disk image.  LUKS ("Linux Unified Key Setup") is the Full Disk Encryption (FDE) system
       commonly used by Linux systems.  This filter is compatible with LUKSv1 as implemented by
       the Linux kernel (dm_crypt), and by qemu.

       You can place this filter on top of nbdkit-file-plugin(1) to decrypt a local file:

        nbdkit file encrypted-disk.img --filter=luks passphrase=+/tmp/secret

       If LUKS is present inside a partition in the disk image then you will have to combine this
       filter with nbdkit-partition-filter(1).  The order of the filters is important:

        nbdkit file encrypted-disk.img \
                    --filter=luks passphrase=+/tmp/secret \
                    --filter=partition partition=1

       This filter also works on top of other plugins such as nbdkit-curl-plugin(1):

        nbdkit curl https://example.com/encrypted-disk.img \
                    --filter=luks passphrase=+/tmp/secret

       The web server sees only the encrypted data.  Without knowing the passphrase, the web
       server cannot access the decrypted disk.  Only encrypted data is sent over the HTTP
       connection.  nbdkit itself will serve unencrypted disk data over the NBD connection (if
       this is a problem see nbdkit-tls(1), or use a Unix domain socket -U).

       The passphrase can be stored in a file (as shown), passed directly on the command line
       (insecure), entered interactively, or passed to nbdkit over a file descriptor.

       This filter can read and write LUKSv1.  It cannot create disks, change passphrases, add
       keyslots, etc.  To do that, you can use ordinary Linux tools like cryptsetup(8).  Note you
       must force LUKSv1 (eg. using cryptsetup --type luks1).  qemu-img(1) can also create
       compatible disk images:

        qemu-img create -f luks \
                        --object secret,data=SECRET,id=sec0 \
                        -o key-secret=sec0 \
                        encrypted-disk.img 1G

PARAMETERS

       passphrase=SECRET
           Use the secret passphrase when decrypting the disk.

           Note that passing this on the command line is not secure on shared machines.

       passphrase=-
           Ask for the passphrase (interactively) when nbdkit starts up.

       passphrase=+FILENAME
           Read the passphrase from the named file.  This is a secure method to supply a
           passphrase, as long as you set the permissions on the file appropriately.

       passphrase=-FD
           Read the passphrase from file descriptor number "FD", inherited from the parent
           process when nbdkit starts up.  This is also a secure method to supply a passphrase.

FILES

       $filterdir/nbdkit-luks-filter.so
           The plugin.

           Use "nbdkit --dump-config" to find the location of $filterdir.

VERSION

       "nbdkit-luks-filter" first appeared in nbdkit 1.32.

SEE ALSO

       nbdkit-curl-plugin(1), nbdkit-file-plugin(1), nbdkit-ip-filter(1),
       nbdkit-partition-filter(1), nbdkit(1), nbdkit-tls(1), nbdkit-plugin(3), cryptsetup(8),
       qemu-img(1).

AUTHORS

       Richard W.M. Jones

COPYRIGHT

       Copyright (C) 2013-2022 Red Hat Inc.

LICENSE

       Redistribution and use in source and binary forms, with or without modification, are
       permitted provided that the following conditions are met:

       •   Redistributions of source code must retain the above copyright notice, this list of
           conditions and the following disclaimer.

       •   Redistributions in binary form must reproduce the above copyright notice, this list of
           conditions and the following disclaimer in the documentation and/or other materials
           provided with the distribution.

       •   Neither the name of Red Hat nor the names of its contributors may be used to endorse
           or promote products derived from this software without specific prior written
           permission.

       THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED
       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
       FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS
       BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
       DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
       OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
       LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
       POSSIBILITY OF SUCH DAMAGE.