This role allows you to configure a encrypted filesystem on top of any given block device using dm-crypt/cryptsetup and LUKS. A random keyfile generated on the Ansible controller will be used for the encryption by default. It is your responsibility that the keyfile is kept secure for this to make sense. For example by storing the keyfile on a already encrypted filesystem (both on the Ansible controller and the remote system).

  • Create a random keyfile or use an already existing file.
  • Manage /etc/crypttab and /etc/fstab.
  • Create a LUKS header backup and store it on the Ansible controller.

The following layers are involved in configuring an encrypted filesystem using block device encryption:

  1. Ciphertext block device: This can be any block device or partition on a block device.
  2. Plaintext device mapper target: Created by dm-crypt under /etc/mapper/.
  3. Plaintext mount point of the filesystem: Where the plaintext files can be accessed.


This role requires at least Ansible v1.9.0. To install it, run:

ansible-galaxy install debops.cryptsetup