Default variables: configuration

Some of debops.cryptsetup variables have more extensive configuration. Here you can find documentation and examples for them.


Note the following list only documents the common parameters. The role allows you to use more specific parameters which are not documented below.

Required, string. Name of the plaintext device mapper target and the mount point. Must be unique among all device mapper targets and should not be changed once it was used.
Required, string. File path to the ciphertext block device, either the block device itself e.g. /dev/sdb or a partition on the block device e.g. /dev/sdb5.
Optional, string. List of options to configure for each device in /etc/crypttab. Overwrites the default as configured by cryptsetup_crypttab_options variable.

Optional, string. File path for the keyfile on the Ansible controller. Will be copied over to the remote system. If it does not exist yet it will be generated from /dev/random on the Ansible controller as it is expected that the entropy pool on the Ansible controller is better mixed. Defaults to:

{{ cryptsetup_keyfile_location + "/" + + "/keyfile.raw" }}
Optional, string. Disable backing up the LUKS header to the Ansible controller for this item. See cryptsetup_keyfile_location variable.
Optional, string. Filesystem type to create on the plaintext device mapper target. Defaults to cryptsetup_fstype variable.

Optional, string. Plaintext mount point of the filesystem. Defaults to:

{{ cryptsetup_mountpoint_parent_directory + "/" + }}
Optional, string. Mount options associated with the filesystem. For more details see mount(8).

Optional, string. There are four states which can be chosen for each encrypted filesystem. If no state is given, the value of cryptsetup_state will be used which defaults to mounted.

Ensure that the encryption and filesystem layer are in place on the block device and the filesystem is mounted.
Ensure that the encryption and filesystem layer are in place on the block device and the filesystem is unmounted. Additionally ensures that the cryptsetup mapping is removed so that no direct access to the plain-text block device is possible.
Ensure that the encryption and filesystem layer are in place on the block device. The plaintext device mapper target will be created as needed during the Ansible run to ensure the filesystem on it is present. When it was not available prior to this Ansible run, it will be stopped at the end of the role run again. So basically, this option never changes the mounted/unmounted state of the plaintext device mapper target or the plaintext mount point of the filesystem. Note that this option will not fail when the ciphertext block device is not available during the Ansible run and the keyfile has not been generated by Ansible. This was done to allow to provision remote systems with keys for ciphertext block devices which have been setup previously and are not available during execution of this role.
Same as unmounted but additionally removes all configuration, the keyfile and the header backup from the remote system for this item.


Create an encrypted LUKS device using an existing partition. Device will be mounted at /media/crypt0 and will be automatically mounted at boot:

  - name: 'crypt0'
    ciphertext_block_device: '/dev/sdb1'