community.crypto.luks_device module – Manage encrypted (LUKS) devices
Note
This module is part of the community.crypto collection (version 2.22.0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: community.crypto.luks_device.
Synopsis
This module manages LUKS on a given device. It supports creating, destroying, opening and closing a LUKS container, and adding or removing keys and passphrases.
Requirements
The below requirements are needed on the host that executes this module.
- cryptsetup
- wipefs (when state=absent)
- lsblk
- blkid (when label or uuid is used)
Parameters
Parameter | Comments |
---|---|
allow_discards (boolean) | Allow discard (also known as TRIM) requests for the device. Will only be used when opening containers. Choices: false (default), true |
cipher (string) | Defines the cipher specification string for the LUKS container. Will only be used on container creation. For pre-2.6.10 kernels, use aes-plain. |
device (string) | Device to work with (for example /dev/loop0, as in the examples below). Can be omitted when an existing container is identified by name, label or uuid instead. |
force_remove_last_key (boolean) | If set to true, the last key may be removed from the container. BEWARE that when the last key has been removed from a container, the container can no longer be opened! Choices: false (default), true |
hash (string) | Specifies the hash function used in the LUKS key setup scheme and volume key digest. Will only be used on container creation. |
keyfile (path) | Used to unlock the container. Either a keyfile or a passphrase is needed for most operations. BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected. |
keysize (integer) | Sets the key size (in bits). Only used if the LUKS container does not exist yet. |
keyslot (integer) | Adds the keyfile or passphrase to the given slot when creating the container. Note that a device of type luks1 supports key slots 0 to 7, and a device of type luks2 supports key slots 0 to 31. |
label (string) | Label for the LUKS container, set on creation. Can be used instead of device to identify an existing container (see the examples). Note that a device of type luks1 cannot have a label. |
name (string) | Sets the container name when state=opened. Can be used instead of device when closing an existing container. |
new_keyfile (path) | Adds an additional key to the given container on state=present. Needs keyfile or passphrase to unlock the container. NOTE that adding additional keys is idempotent only since community.crypto 1.4.0. For older versions, a new keyslot will be used even if another keyslot already exists for this keyfile. BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected. |
new_keyslot (integer) | Adds the additional key or passphrase to the given slot. Note that a device of type luks1 supports key slots 0 to 7, and a device of type luks2 supports key slots 0 to 31. |
new_passphrase (string) | Adds an additional passphrase to the given container on state=present. Needs keyfile or passphrase to unlock the container. NOTE that adding an additional passphrase is idempotent only since community.crypto 1.4.0. For older versions, a new keyslot will be used even if another keyslot already exists for this passphrase. |
passphrase (string) | Used to unlock the container. Either a keyfile or a passphrase is needed for most operations. |
pbkdf (dictionary) | Configures the Password-Based Key Derivation Function (PBKDF) used. Will only be used on container creation, and when adding keys to an existing container. |
pbkdf.algorithm (string) | The algorithm to use. Only available for the LUKS 2 format. Choices: pbkdf2, argon2i, argon2id |
pbkdf.iteration_count (integer) | Specify the iteration count used for the PBKDF. Mutually exclusive with pbkdf.iteration_time. |
pbkdf.iteration_time (float) | Specify the iteration time used for the PBKDF. Note that this is in seconds, not in milliseconds as on the command line. Mutually exclusive with pbkdf.iteration_count. |
pbkdf.memory (integer) | The memory cost limit in kilobytes for the PBKDF. This is not used for PBKDF2, but only for the Argon PBKDFs. |
pbkdf.parallel (integer) | The parallel cost for the PBKDF. This is the number of threads that run in parallel. This is not used for PBKDF2, but only for the Argon PBKDFs. |
perf_no_read_workqueue (boolean) | Allows the user to bypass the dm-crypt internal workqueue and process read requests synchronously. Will only be used when opening containers. Choices: false (default), true |
perf_no_write_workqueue (boolean) | Allows the user to bypass the dm-crypt internal workqueue and process write requests synchronously. Will only be used when opening containers. Choices: false (default), true |
perf_same_cpu_crypt (boolean) | Allows the user to perform encryption using the same CPU that the IO was submitted on. The default is to use an unbound workqueue so that encryption work is automatically balanced between available CPUs. Will only be used when opening containers. Choices: false (default), true |
perf_submit_from_crypt_cpus (boolean) | Allows the user to disable offloading writes to a separate thread after encryption. There are some situations where offloading block write IO operations from the encryption threads to a single thread degrades performance significantly. The default is to offload block write IO operations to the same thread. Will only be used when opening containers. Choices: false (default), true |
persistent (boolean) | Allows the user to store options into the container's metadata persistently and automatically use them next time. Only allow_discards, perf_same_cpu_crypt, perf_submit_from_crypt_cpus, perf_no_read_workqueue and perf_no_write_workqueue can be stored this way. Will only work with LUKS2 containers. Will only be used when opening containers. Choices: false (default), true |
remove_keyfile (path) | Removes the given key from the container on state=present. NOTE that removing keys is idempotent only since community.crypto 1.4.0. For older versions, trying to remove a key which no longer exists results in an error. NOTE that to remove the last key from a LUKS container, force_remove_last_key must be set to true. BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected. |
remove_keyslot (integer) | Removes the key in the given slot on state=present. Note that a device of type luks1 supports key slots 0 to 7, and a device of type luks2 supports key slots 0 to 31. Note that the given keyfile or passphrase must not be the one stored in the slot that is being removed. |
remove_passphrase (string) | Removes the given passphrase from the container on state=present. NOTE that removing passphrases is idempotent only since community.crypto 1.4.0. For older versions, trying to remove a passphrase which no longer exists results in an error. NOTE that to remove the last keyslot from a LUKS container, force_remove_last_key must be set to true. |
sector_size (integer) | Specifies the sector size (in bytes) used for LUKS2 containers. Will only be used on container creation. |
state (string) | Desired state of the LUKS container. Based on its value the module creates, destroys, opens or closes the LUKS container on the given device. Choices: absent, present (default), opened, closed |
type (string) | Allows the user to explicitly define the format of the LUKS container to work with. Choices: luks1, luks2 |
uuid (string) | Can be used instead of device to identify an existing container by its UUID (see the examples). |
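The pbkdf, perf_* and persistent options are documented above but do not appear together in the module's examples. The following playbook fragment is an added example, not taken from the module documentation: it creates a LUKS2 container with a tuned Argon2id key derivation and then opens it with performance flags that are written into the LUKS2 header. /dev/loop0, /vault/keyfile and the container name mycrypt are assumed values, and the PBKDF cost figures are illustrative rather than recommendations.

```yaml
# Added example; device path, keyfile path and container name are assumed.
- name: Create a LUKS2 container with memory-hard (Argon2id) key derivation
  community.crypto.luks_device:
    device: /dev/loop0
    state: present
    type: luks2
    keyfile: /vault/keyfile
    cipher: aes-xts-plain64
    keysize: 512              # bits; XTS uses two AES-256 keys
    hash: sha256
    sector_size: 4096
    pbkdf:
      algorithm: argon2id
      iteration_time: 2       # seconds (the module, unlike the CLI, does not use milliseconds)
      memory: 1048576         # kilobytes, i.e. 1 GiB per unlock attempt
      parallel: 4

- name: Open it and persist the activation flags in the LUKS2 header
  community.crypto.luks_device:
    device: /dev/loop0
    state: opened
    name: mycrypt
    keyfile: /vault/keyfile
    allow_discards: true
    perf_no_read_workqueue: true
    perf_no_write_workqueue: true
    persistent: true
```

Two things to weigh before copying this. Raising pbkdf.memory and pbkdf.iteration_time makes offline guessing against a copied LUKS header proportionally more expensive, but the same cost is paid by every legitimate unlock and the memory must be available on the host at boot. allow_discards lets the SSD learn which blocks are unused, which reveals filesystem usage patterns to anyone who later reads the raw disk; with persistent set, that choice and the workqueue flags are stored in the header and apply to every subsequent open, including opens done outside Ansible.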
Attributes
Attribute | Support | Description |
---|---|---|
check_mode | Support: full | Can run in check_mode and return changed status prediction without modifying the target. |
diff_mode | Support: none | Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode. |
Examples
```yaml
- name: Create LUKS container (remains unchanged if it already exists)
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "present"
    keyfile: "/vault/keyfile"

- name: Create LUKS container with a passphrase
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "present"
    passphrase: "foo"

- name: Create LUKS container with specific encryption
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "present"
    cipher: "aes"
    hash: "sha256"

- name: (Create and) open the LUKS container; name it "mycrypt"
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "opened"
    name: "mycrypt"
    keyfile: "/vault/keyfile"

- name: Close the existing LUKS container "mycrypt"
  community.crypto.luks_device:
    state: "closed"
    name: "mycrypt"

- name: Make sure LUKS container exists and is closed
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "closed"
    keyfile: "/vault/keyfile"

- name: Create container if it does not exist and add new key to it
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "present"
    keyfile: "/vault/keyfile"
    new_keyfile: "/vault/keyfile2"

- name: Add new key to the LUKS container (container has to exist)
  community.crypto.luks_device:
    device: "/dev/loop0"
    keyfile: "/vault/keyfile"
    new_keyfile: "/vault/keyfile2"

- name: Add new passphrase to the LUKS container
  community.crypto.luks_device:
    device: "/dev/loop0"
    keyfile: "/vault/keyfile"
    new_passphrase: "foo"

- name: Remove existing keyfile from the LUKS container
  community.crypto.luks_device:
    device: "/dev/loop0"
    remove_keyfile: "/vault/keyfile2"

- name: Remove existing passphrase from the LUKS container
  community.crypto.luks_device:
    device: "/dev/loop0"
    remove_passphrase: "foo"

- name: Completely remove the LUKS container and its contents
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "absent"

- name: Create a container with label
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "present"
    keyfile: "/vault/keyfile"
    label: personalLabelName

- name: Open the LUKS container based on label without device; name it "mycrypt"
  community.crypto.luks_device:
    label: "personalLabelName"
    state: "opened"
    name: "mycrypt"
    keyfile: "/vault/keyfile"

- name: Close container based on UUID
  community.crypto.luks_device:
    uuid: 03ecd578-fad4-4e6c-9348-842e3e8fa340
    state: "closed"
    name: "mycrypt"

- name: Create a container using luks2 format
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "present"
    keyfile: "/vault/keyfile"
    type: luks2

- name: Create a container with key in slot 4
  community.crypto.luks_device:
    device: "/dev/loop0"
    state: "present"
    keyfile: "/vault/keyfile"
    keyslot: 4

- name: Add a new key in slot 5
  community.crypto.luks_device:
    device: "/dev/loop0"
    keyfile: "/vault/keyfile"
    new_keyfile: "/vault/keyfile"
    new_keyslot: 5

- name: Remove the key from slot 4 (given keyfile must not be slot 4)
  community.crypto.luks_device:
    device: "/dev/loop0"
    keyfile: "/vault/keyfile"
    remove_keyslot: 4
```
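The examples above show each operation in isolation. Key rotation is where the force_remove_last_key warning matters most, so the following is an added example (not part of the module documentation) of rotating a keyfile without ever leaving the container keyless: the new key is added to a known slot, proven to unlock the container, and only then is the old slot removed, authenticating with the new key because the key presented must not be the one in the slot being removed. force_remove_last_key is left at its default of false so that a wrong slot number cannot strip the last key. Paths, slot numbers and the container name are assumed values.

```yaml
# Added example; keyfile paths, slot numbers and container name are assumed.
- name: Add the replacement keyfile in slot 1, unlocking with the current key
  community.crypto.luks_device:
    device: /dev/loop0
    state: present
    keyfile: /vault/keyfile-old
    new_keyfile: /vault/keyfile-new
    new_keyslot: 1

- name: Verify the new key actually unlocks the container before removing anything
  community.crypto.luks_device:
    device: /dev/loop0
    state: opened
    name: mycrypt
    keyfile: /vault/keyfile-new

- name: Close it again
  community.crypto.luks_device:
    name: mycrypt
    state: closed

- name: Remove the old slot 0, authenticating with the new key (not the slot being removed)
  community.crypto.luks_device:
    device: /dev/loop0
    keyfile: /vault/keyfile-new
    remove_keyslot: 0
    # force_remove_last_key stays false: slot 1 still holds the new key,
    # and a mistaken slot number cannot leave the container unopenable.

- name: Old keyfile is no longer needed on the host
  ansible.builtin.file:
    path: /vault/keyfile-old
    state: absent
```

Because every step is idempotent (since community.crypto 1.4.0, as the parameter notes state), the play can be re-run after a partial failure without adding duplicate slots. Keyfiles referenced here live in plaintext on the managed host, so they need restrictive ownership and mode, and a passphrase passed via new_passphrase should come from Ansible Vault or a lookup rather than a literal in the playbook.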
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Description |
---|---|
name (string) | When state=opened, returns the name of the device instance. Returned: success |