Automatically setting up encrypted partitions with Ansible [closed]

I am looking for a way to set encrypted partitions with Ansible automatically on Ubuntu/Debian Linux servers.

  • Assume a computer with an existing root filling up the whole disk
  • Chop a piece out of this partition and make a new partition out of it
  • Encrypt the partition using LUKS or Truecrypt
  • Taking passphrase as input for the playbook

I am very new to Ansible, so could anyone point me in the direction of where to start (existing disk partition roles, encrypted disk roles and such)? Can I drive fdisk with Ansible? How do I make sure the role doesn't try to create the partition twice (when provisioning is run again)?

Mikko Ohtamaa asked Jul 31 '14 07:07


2 Answers

Writing an Ansible role which does this is not as easy as it might seem when you want to do it right (e.g. idempotent and robust). I know that because I just wrote/rewrote one :)

https://docs.debops.org/en/master/ansible/roles/cryptsetup/index.html

It is able to handle 2 of your 3 wanted features:

  • Encrypt the partition using LUKS or Truecrypt
  • Taking passphrase as input for the playbook. I took a different path using keyfiles, which better fit my use case. Passphrases might be supported in the future. For now you can just write the passphrase to a file and specify that as the keyfile.

I decided against including support to create partitions to the role itself to keep complexity down.

ypid answered Sep 28 '22 10:09


While I haven't personally written any playbooks to accomplish what you are trying to do, here are some resources which may be of help:

There are a couple of Ansible modules you can use to manage partitions:

  • lvol - Configure LVM logical volumes
  • lvg - Configure LVM volume groups

There may be some more system modules that are useful to you, found here.

There isn't an Ansible module specifically for fdisk, but you should still be able to run fdisk commands using the command or shell modules. If you go this route, you will have to figure out how to make it idempotent on your own.

If you're looking for roles, I would normally recommend Ansible Galaxy, but on a quick search, I was unable to find any roles there with relevance to what you are trying to do.

There are no Ansible modules I'm aware of specifically for using LUKS or Truecrypt, but you should still be able to run those tasks using the command or shell modules.

I was able to find a decent example of disk encryption in this playbook. The playbook handles the passphrase by passing it in as a variable. There are several ways you can approach handling variables in playbooks. I would recommend reading the Ansible docs on variables. If you are storing passwords as variables, you can also encrypt your variable files using Ansible Vault.

bkan answered Sep 28 '22 08:09
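The command-module approach described in the answer above, worked through as an added example playbook (not from the question or either answer): it prompts for the passphrase, keeps it out of the logs, and uses `cryptsetup isLuks` and `creates:` as guards so a second provisioning run does not re-format or re-open the device. The device path, mapper name and mount point are constructed placeholders.

```yaml
# Added example, not from the page. Assumes /dev/sdb1 already exists as an
# empty partition; creating it from the root partition is a separate step.
- hosts: all
  become: true
  vars_prompt:
    - name: luks_passphrase
      prompt: "LUKS passphrase for the new partition"
      private: true            # not echoed on the terminal
  vars:
    luks_device: /dev/sdb1     # constructed placeholder
    luks_name: secret          # mapper name -> /dev/mapper/secret
    luks_mount: /mnt/secret
  tasks:
    - name: Check whether the device is already a LUKS container
      command: cryptsetup isLuks {{ luks_device }}
      register: is_luks
      changed_when: false
      failed_when: is_luks.rc not in [0, 1]   # 0 = LUKS, 1 = not LUKS

    - name: Format the device as LUKS (first run only, never re-run on data)
      command: cryptsetup luksFormat --batch-mode --key-file=- {{ luks_device }}
      args:
        stdin: "{{ luks_passphrase }}"
        stdin_add_newline: false   # a trailing newline would become part of the key
      when: is_luks.rc == 1
      no_log: true                 # keep the passphrase out of Ansible output

    - name: Open the container unless it is already mapped
      command: cryptsetup open --key-file=- {{ luks_device }} {{ luks_name }}
      args:
        stdin: "{{ luks_passphrase }}"
        stdin_add_newline: false
        creates: /dev/mapper/{{ luks_name }}   # skipped when the mapping exists
      no_log: true

    - name: Create a filesystem on the mapped device (module skips if one exists)
      filesystem:
        fstype: ext4
        dev: /dev/mapper/{{ luks_name }}

    - name: Mount the decrypted volume
      mount:
        path: "{{ luks_mount }}"
        src: /dev/mapper/{{ luks_name }}
        fstype: ext4
        opts: nofail      # no crypttab entry here, so do not block boot on it
        state: mounted
```

Because the passphrase is only held in memory for the run, the container will not be opened automatically after a reboot; that requires a crypttab entry and a keyfile or manual unlock, which this example deliberately leaves out.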