This guide walks you through setting up encrypted data volumes for runtime use.
- cryptpilot-crypt installed on your system
- A block device or partition to encrypt (e.g., /dev/nvme1n1p1)
- The device should be unmounted and not in use
In this example, we will create encrypted volumes with different configurations. You'll need an empty disk (e.g., /dev/nvme1n1) for this example.
Create a GPT partition table with one primary partition:

```bash
parted --script /dev/nvme1n1 \
    mktable gpt \
    mkpart part1 0% 100%
```

Create a configuration file at /etc/cryptpilot/volumes/data0.toml:
```bash
mkdir -p /etc/cryptpilot/volumes
cat << EOF > /etc/cryptpilot/volumes/data0.toml
volume = "data0"
dev = "/dev/nvme1n1p1"
auto_open = true
makefs = "ext4"
integrity = true
[encrypt.otp]
EOF
```

Configuration explanation:

- `volume = "data0"`: Volume name (will create /dev/mapper/data0)
- `dev = "/dev/nvme1n1p1"`: Underlying block device
- `auto_open = true`: Automatically open at boot
- `makefs = "ext4"`: Create an ext4 filesystem on first initialization
- `integrity = true`: Enable dm-integrity for data authenticity
- `[encrypt.otp]`: Use the One-Time Password key provider (data is volatile)
Warning
This volume will be encrypted with a One-Time Password, which means the data on it is volatile and will be lost after closing. The volume will be automatically opened during system startup.

Validate the configuration:

```bash
cryptpilot-crypt config check --keep-checking
```

Open (decrypt) the volume:

```bash
cryptpilot-crypt open data0
```

This will initialize the volume on first run (format with LUKS2, create the filesystem, set up dm-integrity if enabled).

Verify the volume is opened:

```bash
cryptpilot-crypt show
```

Example output:
```text
╭────────┬───────────────────┬─────────────────┬──────────────┬──────────────────┬───────────────╮
│ Volume ┆ Volume Path       ┆ Underlay Device ┆ Key Provider ┆ Extra Options    ┆ Status        │
╞════════╪═══════════════════╪═════════════════╪══════════════╪══════════════════╪═══════════════╡
│ data0  ┆ /dev/mapper/data0 ┆ /dev/nvme1n1p1  ┆ otp          ┆ auto_open = true ┆ ReadyToOpen   │
│        ┆                   ┆                 ┆              ┆ makefs = "ext4"  ┆               │
│        ┆                   ┆                 ┆              ┆ integrity = true ┆               │
╰────────┴───────────────────┴─────────────────┴──────────────┴──────────────────┴───────────────╯
```
Mount the volume and start using it:

```bash
mkdir -p /mnt/data0
mount /dev/mapper/data0 /mnt/data0
```

Now you can read and write files in /mnt/data0.
If you want to automatically open the volume during system startup:

- Ensure `auto_open = true` is set in the volume configuration (already done in Step 2)
- Enable the systemd service:

```bash
systemctl enable --now cryptpilot.service
```

The volume will now be automatically opened at boot.
When done, unmount and close:

```bash
umount /mnt/data0
cryptpilot-crypt close data0
```

Warning

With the OTP provider, closing the volume will permanently erase all data! OTP is for temporary/scratch storage only.
For production workloads, use a Key Broker Service (KBS) with remote attestation:

```bash
cat << EOF > /etc/cryptpilot/volumes/data1.toml
volume = "data1"
dev = "/dev/nvme1n1p2"
auto_open = true
makefs = "ext4"
integrity = true
[encrypt.kbs]
url = "https://kbs.example.com"
resource_path = "/secrets/data1-key"
EOF
cryptpilot-crypt open data1
mount /dev/mapper/data1 /mnt/data1
```

For Alibaba Cloud users:
```bash
cat << EOF > /etc/cryptpilot/volumes/data2.toml
volume = "data2"
dev = "/dev/nvme1n1p3"
auto_open = true
makefs = "xfs"
[encrypt.kms]
kms_instance_id = "kst-****"
client_key_id = "LTAI****"
client_key_password_from_kms = "alias/ClientKey_****"
EOF
cryptpilot-crypt open data2
mount /dev/mapper/data2 /mnt/data2
```

You can configure multiple volumes:
```bash
# Temporary storage (OTP)
cat > /etc/cryptpilot/volumes/scratch.toml << EOF
volume = "scratch"
dev = "/dev/nvme1n1p1"
auto_open = true
makefs = "ext4"
[encrypt.otp]
EOF

# Persistent data (KBS)
cat > /etc/cryptpilot/volumes/data.toml << EOF
volume = "data"
dev = "/dev/nvme1n1p2"
auto_open = true
makefs = "ext4"
integrity = true
[encrypt.kbs]
url = "https://kbs.example.com"
resource_path = "/secrets/data-key"
EOF

# Enable auto-open
systemctl enable --now cryptpilot.service
```

Create an encrypted swap partition:
```bash
cat > /etc/cryptpilot/volumes/swap.toml << EOF
volume = "swap"
dev = "/dev/nvme1n1p4"
auto_open = true
makefs = "swap"
[encrypt.otp]
EOF
cryptpilot-crypt open swap
swapon /dev/mapper/swap
echo "/dev/mapper/swap none swap defaults 0 0" >> /etc/fstab
```

If config check reports errors:
```bash
cryptpilot-crypt config check --keep-checking
```

Common issues:

- Missing required fields (`volume`, `dev`, `encrypt`)
- Invalid device path
- Invalid key provider configuration
If cryptpilot-crypt init fails:

- Check the device exists: `ls -l /dev/nvme1n1p1`
- Check the device is not in use: `lsblk`, `mount | grep nvme1n1p1`
- Check permissions: run with sufficient privileges
- Check the key provider: ensure the provider is reachable (KBS/KMS)
If cryptpilot-crypt open fails:

- Check the volume is initialized: `cryptpilot-crypt show`
- Check the key provider: verify that network/attestation is working
- Check the device: ensure the underlying device is available
- Check logs: `journalctl -u cryptpilot.service`
If volumes don't open at boot:

- Check the service is enabled: `systemctl status cryptpilot.service`
- Check the auto_open setting: verify `auto_open = true` in the config
- Check service logs: `journalctl -u cryptpilot.service`
- Check network: for remote providers (KBS/KMS), ensure the network is up
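As an added pre-flight helper (example code written for this guide, not part of cryptpilot), the script below re-implements the "Common issues" from the config check section and the device checks from the init section: required fields, device path form, the KBS fields, and whether the underlying device exists and is unmounted. The file name precheck.sh is assumed.

```shell
#!/bin/sh
# Added example (not part of cryptpilot): a pre-flight checker that re-implements the
# "Common issues" from this guide so they can be run before config check / init.

# Required fields per this guide: volume, dev and an [encrypt.<provider>] section
# (kbs additionally needs url and resource_path). Returns 0 if OK, 1 otherwise.
check_config_fields() {
    cfg="$1"; rc=0
    [ -r "$cfg" ] || { echo "$cfg: not readable"; return 1; }
    volume=$(sed -n 's/^volume *= *"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    dev=$(sed -n 's/^dev *= *"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    provider=$(sed -n 's/^\[encrypt\.\([a-z]*\)\].*/\1/p' "$cfg" | head -n 1)
    [ -n "$volume" ]   || { echo "$cfg: missing required field 'volume'"; rc=1; }
    [ -n "$dev" ]      || { echo "$cfg: missing required field 'dev'"; rc=1; }
    [ -n "$provider" ] || { echo "$cfg: missing [encrypt.<provider>] section"; rc=1; }
    case "$dev" in
        "" | /dev/*) ;;   # empty was already reported; /dev/... is the expected form
        *) echo "$cfg: invalid device path '$dev'"; rc=1 ;;
    esac
    if [ "$provider" = "kbs" ]; then
        grep -q '^url *=' "$cfg" && grep -q '^resource_path *=' "$cfg" ||
            { echo "$cfg: [encrypt.kbs] needs url and resource_path"; rc=1; }
    fi
    return $rc
}

# The lsblk/mount checks from the troubleshooting section: the underlying device
# must exist and must not be mounted. Returns 0 when the device is free.
check_device_free() {
    dev="$1"
    [ -b "$dev" ] || { echo "$dev: no such block device"; return 1; }
    mount | grep -q "^$dev " && { echo "$dev: currently mounted"; return 1; }
    return 0
}

# Check every config file given on the command line, e.g.
#   sh precheck.sh /etc/cryptpilot/volumes/*.toml
status=0
for f in "$@"; do
    check_config_fields "$f" || status=1
    d=$(sed -n 's/^dev *= *"\([^"]*\)".*/\1/p' "$f" | head -n 1)
    [ -z "$d" ] || check_device_free "$d" || status=1
done
[ "$#" -eq 0 ] || exit "$status"
```

A non-zero exit means at least one file would fail `cryptpilot-crypt config check` or `init` for one of the reasons listed above; the printed lines say which.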
- Configuration Guide - Detailed configuration options
- Systemd Service - Auto-open volumes at boot
- Key Providers - Key provider configuration details