Default variables

Required packages

docker_base_packages

List of base packages to install with Docker

cryptsetup_base_packages:
  - 'cryptsetup'
  - 'parted'

List of encrypted filesystems

cryptsetup_devices

Global definition list of encrypted filesystems.

Example:

cryptsetup_devices:
  - name: 'sdb5_crypt'
    ciphertext_block_device: '/dev/sdb5'

Setup a encrypted filesystem on top of /dev/sdb5 which will be available after role execution under /media/sdb5_crypt.

cryptsetup_devices: []
cryptsetup_group_devices

Host group definition list of encrypted filesystems.

cryptsetup_group_devices: []
cryptsetup_host_devices

Host definition list of encrypted filesystems.

cryptsetup_host_devices: []

Keyfile settings

cryptsetup_keyfile_location

Location where keyfiles are generated and stored on the Ansible controller.

cryptsetup_keyfile_location: "{{ secret + '/cryptsetup/' + ansible_fqdn }}"
cryptsetup_keyfile_remote_location

Directory where the keyfiles will be stored in on the remote system.

cryptsetup_keyfile_remote_location: '{{ (ansible_local.root.var
                                        if (ansible_local|d() and ansible_local.root|d() and
                                            ansible_local.root.var|d())
                                        else "/var/local") + "/keyfiles" }}'
cryptsetup_keyfile_owner

System user which owns the keyfile(s).

cryptsetup_keyfile_owner: 'root'
cryptsetup_keyfile_group

System group which owns the keyfile(s).

cryptsetup_keyfile_group: 'root'
cryptsetup_keyfile_mode

File mode used for the keyfile(s).

cryptsetup_keyfile_mode: '0600'

LUKS header backup

cryptsetup_header_backup_remote_location

Directory the header backups from LUKS will be stored in on the remote system.

The LUKS header backup will be stored in this file on the Ansible controller:

{{ cryptsetup_header_backup_remote_location + "/" + item.name + "_header_backup.raw" }}
cryptsetup_header_backup_remote_location: '{{ (ansible_local.root.backup
                                              if (ansible_local|d() and ansible_local.root|d() and
                                                  ansible_local.root.backup|d())
                                              else "/var/backups") + "/luks_header_backup" }}'
cryptsetup_header_backup

Should a header backup be created?

Note

The LUKS header is only stored once in the beginning of your block device. When the header gets corrupted, the plaintext data might be inaccessible! Thus it is recommended to have a header backup on hand.

Set to False to disable header backup creation.

cryptsetup_header_backup: True

Ciphertext block device options

cryptsetup_use_uuid

Use the UUID of the ciphertext block device in /etc/crypttab instead of the file path given by ciphertext_block_device.

cryptsetup_use_uuid: True

Filesystem options

cryptsetup_fstype

Default filesystem to create and configure in /etc/fstab.

cryptsetup_fstype: 'ext4'
cryptsetup_mount_options

List of default mount options. Multiple options can be separated by comma.

cryptsetup_mount_options: 'user,auto,noatime,nodiratime'
cryptsetup_state

Default state for all devices. Can be overwritten for each device using item.state.

cryptsetup_state: 'mounted'
cryptsetup_mountpoint_parent_directory

Parent directory under which all encrypted filesystems will be mounted.

cryptsetup_mountpoint_parent_directory: '/media'

Cryptography defaults

cryptsetup_crypttab_options

Default list of options to configure for each device in /etc/crypttab. Can be overwritten by item.crypttab_options. Multiple options can be separated by comma. See crypttab(5) for details.

cryptsetup_crypttab_options: 'luks'
cryptsetup_hash

Specifies the hash used in the LUKS key setup scheme and volume key digest for luksFormat. Corresponds with the --hash parameter.

The current default of cryptsetup (as shown by cryptsetup --help) is sha1. Set to default to use the compiled-in default of cryptsetup.

Refs: https://security.stackexchange.com/a/40218

cryptsetup_hash: 'sha512'
cryptsetup_cipher

Set the cipher specification string. Corresponds with the --cipher parameter.

The current default of cryptsetup (as shown by cryptsetup --help) is aes-xts-plain64. Set to default to use the compiled-in default of cryptsetup.

cryptsetup_cipher: 'default'
cryptsetup_key_size

Sets key size in bits. The argument has to be a multiple of 8. The possible key-sizes are limited by the cipher and mode used. Corresponds with the --key-size parameter.

The current default of cryptsetup (as shown by cryptsetup --help) is 256. Set to default to use the compiled-in default of cryptsetup.

Note that in XTS mode, only half of the key size specified here will be used for the block cypher (512 will result in AES-256). Using AES-128 is still considered secure and will probably be faster. The reason to go with a different default value then the compiled-in default of cryptsetup was to have long-term secure storage even with quantum-computing available.

Refs: https://crypto.stackexchange.com/a/7869

cryptsetup_key_size: 512
cryptsetup_use_random

Should /dev/random be used to generate the LUKS master key? Corresponds with the --use-random and --use-urandom parameter.

The current default of cryptsetup (as shown by cryptsetup --help) is /dev/urandom. Set to default to use the compiled-in default of cryptsetup.

Check random(4) for details.

cryptsetup_use_random: True
cryptsetup_iter_time

The number of milliseconds to spend with PBKDF2 passphrase processing. Corresponds with the --iter-time parameter.

The current default of cryptsetup (as shown by cryptsetup --help) is 1000 milliseconds. Set to default to use the compiled-in default of cryptsetup.

cryptsetup_iter_time: 'default'