oracular (1) nbdkit-luks-filter.1.gz

Provided by: nbdkit_1.40.4-1ubuntu1_amd64 bug

NAME

       nbdkit-luks-filter - read and write LUKS-encrypted disks and partitions

SYNOPSIS

        nbdkit file encrypted-disk.img --filter=luks passphrase=+/tmp/secret

DESCRIPTION

       "nbdkit-luks-filter" is a filter for nbdkit(1) which transparently opens a LUKS-encrypted disk image.
       LUKS ("Linux Unified Key Setup") is the Full Disk Encryption (FDE) system commonly used by Linux systems.
       This filter is compatible with LUKSv1 as implemented by the Linux kernel (dm_crypt), and by qemu.

       You can place this filter on top of nbdkit-file-plugin(1) to decrypt a local file:

        nbdkit file encrypted-disk.img --filter=luks passphrase=+/tmp/secret

       If LUKS is present inside a partition in the disk image then you will have to combine this filter with
       nbdkit-partition-filter(1).  The order of the filters is important:

        nbdkit file encrypted-disk.img \
                    --filter=luks passphrase=+/tmp/secret \
                    --filter=partition partition=1

       This filter also works on top of other plugins such as nbdkit-curl-plugin(1):

        nbdkit curl https://example.com/encrypted-disk.img \
                    --filter=luks passphrase=+/tmp/secret

       The web server sees only the encrypted data.  Without knowing the passphrase, the web server cannot
       access the decrypted disk.  Only encrypted data is sent over the HTTP connection.  nbdkit itself will
       serve unencrypted disk data over the NBD connection (if this is a problem see nbdkit-tls(1), or use a
       Unix domain socket -U).

       The passphrase can be stored in a file (as shown), passed directly on the command line (insecure),
       entered interactively, or passed to nbdkit over a file descriptor.

       This filter can read and write LUKSv1.  It cannot create disks, change passphrases, add keyslots, etc.
       To do that, you can use ordinary Linux tools like cryptsetup(8).  Note you must force LUKSv1 (eg. using
       cryptsetup --type luks1).  qemu-img(1) can also create compatible disk images:

        qemu-img create -f luks \
                        --object secret,data=SECRET,id=sec0 \
                        -o key-secret=sec0 \
                        encrypted-disk.img 1G

PARAMETERS

       passphrase=SECRET
           Use the secret passphrase when decrypting the disk.

           Note that passing this on the command line is not secure on shared machines.

       passphrase=-
           Ask for the passphrase (interactively) when nbdkit starts up.

       passphrase=+FILENAME
           Read the passphrase from the named file.  This is a secure method to supply a passphrase, as long as
           you set the permissions on the file appropriately.

       passphrase=-FD
           Read the passphrase from file descriptor number "FD", inherited from the parent process when nbdkit
           starts up.  This is also a secure method to supply a passphrase.

FILES

       $filterdir/nbdkit-luks-filter.so
           The plugin.

           Use "nbdkit --dump-config" to find the location of $filterdir.

VERSION

       "nbdkit-luks-filter" first appeared in nbdkit 1.32.

SEE ALSO

       nbdkit-curl-plugin(1), nbdkit-file-plugin(1), nbdkit-ip-filter(1), nbdkit-partition-filter(1), nbdkit(1),
       nbdkit-tls(1), nbdkit-plugin(3), cryptsetup(8), qemu-img(1).

AUTHORS

       Richard W.M. Jones

       Copyright Red Hat

LICENSE

       Redistribution and use in source and binary forms, with or without modification, are permitted provided
       that the following conditions are met:

       •   Redistributions of source code must retain the above copyright notice, this list of conditions and
           the following disclaimer.

       •   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
           the following disclaimer in the documentation and/or other materials provided with the distribution.

       •   Neither the name of Red Hat nor the names of its contributors may be used to endorse or promote
           products derived from this software without specific prior written permission.

       THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
       INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
       PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
       ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
       DAMAGE.