arver 0.1.5 → 0.1.9

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: eeb29f1cdc8ba4b8fd5a05791fe282f1a016440253f0b3591c95e30f573343f5
+  data.tar.gz: d41505b368abe1d3aa20c3fdf0ed13c3e382aadeb18e9b000778f156279dce0d
+SHA512:
+  metadata.gz: f63236b680841a83333b3fce1c6a6c379e0a35820554f016821f1aff3998011c844655a883cd5f0514481b20618490aec95d005f320cfa57472b9f95585c73ff
+  data.tar.gz: 5734e53e093a97465751ae5e9cd95cee18f9565337ea94208f7eea9448c7a32f79b53aa1f92a8e82f0ac4a88127ca13fd91ca6e9838f5b7aaa284a4b05ea8e91

data/CHANGELOG.textile

@@ -1,3 +1,11 @@
+=== 0.1.9 2022-01-29
+
+* Add a new --open-systemd to support opening disks at startup. This mode is compatible with systemd-ask-password which is used to open disks in the initrd.
+
+=== 0.1.7 2018-09-01
+
+* Updated gems to work with 2.5.1
+
 === 0.1.4 2012-07-24
 
 * Introducing the --refresh action to renew the luks key. You should always run this command, when receiving a new permission.

data/README.textile

@@ -46,7 +46,6 @@ contains an arver package we recommend installation by your package manager.
 The following ruby gems are required for arver:
 
 * gpgme 2
-* activesupport 2
 * escape
 * highline
 
@@ -68,6 +67,10 @@ h1. Limitations
 
 h2. Known Issues
 
+It is strongly advised not to set any 'encrypt-to' option in your gnupgp.conf.
+Otherwise, when you issue a key to another person, you can still decrypt it
+yourself, since gpg always encrypts it to this additional recipient.
+
 h3. GPGME and gpg-agent
 
 If arver asks you multiple times for the password, you might consider to use

data/lib/arver/action.rb

@@ -54,7 +54,11 @@ module Arver
     end
 
     def load_key( partition )
-      self.key= keystore.luks_key( partition )
+      if Arver::RuntimeConfig.instance.global_key_path
+        self.key= keystore.luks_key_for_path( Arver::RuntimeConfig.instance.global_key_path )
+      else
+        self.key= keystore.luks_key( partition )
+      end
 
       if( key.nil? )
         Arver::Log.error( "No permission on #{partition.path}. Skipping." )

data/lib/arver/bootstrap.rb

@@ -7,7 +7,7 @@ class Arver::Bootstrap
       
       return true if options[:action] == :init
 
-      unless local.username.present?
+      if "#{local.username}".empty?
         Arver::Log.error( "No user defined" )
         return false
       end
@@ -32,6 +32,7 @@ class Arver::Bootstrap
       rtc.violence = options[:violence]
       rtc.test_mode = options[:test_mode]
       rtc.trust_all = options[:trust_all]
+      rtc.global_key_path = options[:global_key_path]
     end  
   end
 end

data/lib/arver/cli.rb

@@ -34,6 +34,8 @@ module Arver
                 "Show this help message.") { Arver::Log.write opts; return }
         opts.on("--ask-password",
                 "Ask for an existing LUKS password when adding a new user.") { options[:ask_password] = true }
+        opts.on("--set-key KEYNAME", String,
+                "Manuall choose a key to use. The KEYNAME is in the format /LOCATION/MACHINE/DISK.") { |arg| options[:global_key_path] = arg }
         opts.on("-t", "--trust-all",
                 "Use untrusted GPG Keys.") { options[:trust_all] = true }
         opts.on("--force",
@@ -57,6 +59,8 @@ module Arver
         opts.separator "Actions:"
         opts.on_tail( "-o TARGET", "--open TARGET", String,
                 "Open target." ) { |arg| options[:argument][:target] = arg; options[:action] = :open; }
+        opts.on_tail( "--systemd-open TARGET", String,
+                "Open target during boot via systemd-asskpasswd." ) { |arg| options[:argument][:target] = arg; options[:action] = :systemd_open; }
         opts.on_tail( "-c TARGET", "--close TARGET", String,
                 "Close target." ) { |arg| options[:argument][:target] = arg; options[:action] = :close; }
         opts.on_tail( "--create TARGET", String,
@@ -75,6 +79,8 @@ module Arver
                 "LUKS info about a target.") { |arg| options[:argument][:target] = arg; options[:action] = :info; }
         opts.on_tail( "-l", "--list-targets",
                 "List targets." ) { options[:action] = :list; }
+        opts.on_tail( "--dump-key TARGET", String,
+                "Dump raw luks passphrase." ) { |arg| options[:argument][:target] = arg; options[:action] = :dump; }
         opts.on_tail( "--init",
                 "Setup a sample configuration." ) { options[:action] = :init; }
         
@@ -114,6 +120,7 @@ module Arver
         :gc => Arver::GCAction,
         :create => Arver::CreateAction,
         :open => Arver::OpenAction,
+        :systemd_open => Arver::SystemdOpenAction,
         :close => Arver::CloseAction,
         :adduser => Arver::AdduserAction,
         :deluser => Arver::DeluserAction,
@@ -121,6 +128,7 @@ module Arver
         :key_info => Arver::KeyInfoAction,
         :init => Arver::InitialConfigAction,
         :refresh => Arver::RefreshAction,
+        :dump => Arver::DumpKeyAction,
       }
 
       action = (actions[ action ]).new( target_list )

data/lib/arver/command_wrapper.rb

@@ -1,8 +1,7 @@
 module Arver
   class CommandWrapper
-
     attr_accessor :command, :arguments_array, :return_value, :output
-  
+
     def self.create( cmd, args = [] )
       c = CommandWrapper.new
       c.command= cmd
@@ -10,8 +9,12 @@ module Arver
       c
     end
 
-    # copy from shellwords.rb
     def shellescape(str)
+      CommandWrapper.shellescape(str)
+    end
+
+    # copy from shellwords.rb
+    def self.shellescape(str)
       str = str.to_s
 
       # An empty argument will be skipped, so return empty quotes.

data/lib/arver/config.rb

@@ -15,17 +15,22 @@ module Arver
     end
     
     def load
-      if( ! File.exists?( path ) )
-        Arver::Log.error( "config-dir "+path+" does not exist" )
-        exit
+      if !File.directory?(path)
+        Arver::Log.error("config "+path+" does not exist")
+        exit 1
       end
-      @users= ( load_file( File.join(path,'users') ) )
+      @users = load_file(File.join(path,'users')) || {}
+
       tree.clear
-      tree.from_hash( load_file( File.join(path,'disks') ) )
+      tree.from_hash(load_file(File.join(path,'disks')))
     end
     
     def load_file( filename )
-      YAML.load( File.read(filename) ) if File.exists?( filename )
+      if !File.exists?(filename)
+        Arver::Log.error("missing config #{filename}")
+        exit 1
+      end
+      YAML.load(File.read(filename))
     end
     
     def save
@@ -35,7 +40,7 @@ module Arver
     end
     
     def exists?( user )
-      ! users[user].nil?
+      !users[user].nil?
     end
 
     def gpg_key user
@@ -45,6 +50,13 @@ module Arver
     def slot user
       users[user]['slot'] if exists?(user)
     end
+
+    def user_at(slot)
+      users.each do |name, conf|
+        return name if slot == conf['slot']
+      end
+      'unknown'
+    end
     
     def == other
       return tree == other.tree && users == other.users if other.is_a?(Arver::Config)

data/lib/arver/dump_key_action.rb

@@ -0,0 +1,29 @@
+module Arver
+  class DumpKeyAction < Action
+    def initialize(target_list)
+      super(target_list)
+      self.open_keystore
+    end
+
+    def verify?(partition)
+      load_key(partition)
+    end
+
+    def execute_partition( partition )
+      Arver::Log.info("key for #{partition.path}:")
+      Arver::Log.info(key)
+    end
+
+    def pre_host( host )
+    end
+
+    def pre_partition( partition )
+    end
+
+    def post_partition( partition )
+    end
+
+    def post_host( host )
+    end
+  end
+end

data/lib/arver/host.rb

@@ -2,7 +2,7 @@ module Arver
   class Host
     
     attr_accessor :port, :username
-    attr_writer :address
+    attr_writer :address, :boot_address
     
     include Arver::PartitionHierarchyNode
     include Arver::NodeWithScriptHooks
@@ -25,21 +25,33 @@ module Arver
       self.name
     end
 
+    def boot_address
+      return @boot_address unless @boot_address.nil?
+      address
+    end
+
     def port
       return @port unless @port.nil?
       '22'
     end
 
     def username
-      return @username unless @username.nil?
-      'root'
+      case @username 
+        when nil
+          'root'
+        when '#arveruser'
+          Arver::LocalConfig.instance.username
+        else 
+          @username
+      end
     end
     
     def to_yaml
       yaml = ""
-      yaml += "'address': '"+address+"'\n" unless @address.nil?
-      yaml += "'port': '"+port+"'\n" unless @port.nil?
-      yaml += "'username': '"+username+"'\n" unless @username.nil?
+      yaml += "'address': '"+@address+"'\n" unless @address.nil?
+      yaml += "'boot_address': '"+@boot_address+"'\n" unless @boot_address.nil?
+      yaml += "'port': '"+@port+"'\n" unless @port.nil?
+      yaml += "'username': '"+@username+"'\n" unless @username.nil?
       yaml += script_hooks_to_yaml
       yaml += super
     end
@@ -55,6 +67,10 @@ module Arver
           self.address = data
           next
         end
+        if( name == "boot_address" )
+          self.boot_address = data
+          next
+        end
         if( name == "username" )
           self.username= data
           next

data/lib/arver/info_action.rb

@@ -3,6 +3,7 @@ module Arver
     def initialize( target_list )
       super( target_list )
       self.open_keystore
+      Arver::Log.info("Warning: existence of a keyslot is not a guarantee that the user can access it")
     end
 
     def pre_host( host )
@@ -10,13 +11,44 @@ module Arver
     end
 
     def execute_partition(partition)
-      info = {}
-      (caller = Arver::LuksWrapper.dump(partition)).execute
-      caller.output.each_line do |line|
-        next unless line =~ /^[A-Z].*: .*$/
-        info.store(*line.split(':',2).collect{|f| f.strip })
+      cmd = Arver::LuksWrapper.dump(partition)
+      cmd.execute
+      info = cmd.output
+      info =~ /Version:[\s]+(\d)/
+      version = $1
+      slots = []
+
+      head = " #{sprintf("%0-10s",partition.name[0...10])} :"+
+             " #{sprintf("%0-30s",partition.device_path[0...30])}"
+
+      if version != '1' && version != '2'
+        Arver::Log.info("#{head} : Unsupported luks version")
+        return
+      end
+
+      if version == '1'
+        info.each_line do |line|
+          if line =~ /Key Slot (\d): ENABLED/
+            slots << Integer($1)
+          end
+        end
+      else
+        keyslots = []
+        start = false
+        info.each_line do |line|
+          if line =~ /Keyslots:/
+            start = true
+            next
+          end
+          next unless start
+          break unless line =~ /^\s/
+          if line =~ /[\s]+(\d): luks2/
+            slots << Integer($1)
+          end
+        end
       end
-      Arver::Log.info("  #{sprintf("%0-20s",partition.name.first(20))}:  #{sprintf("%0-40s",partition.device_path.first(40))}: Slots: #{(0..7).map{|i| info["Key Slot #{i}"] == 'ENABLED' ? 'X' : '_'}.join}; LUKSv#{info['Version']}; Cypher: #{info['Cipher name']}:#{info['Cipher mode']}:#{info['Hash spec']}; UUID=#{info['UUID']}")
+      slots = slots.map{|s| "#{Config.instance.user_at(s)}(#{s})"}.join(",")
+      Arver::Log.info("#{head} : #{slots}")
     end
   end
 end

data/lib/arver/key_generator.rb

@@ -1,3 +1,5 @@
+require 'securerandom'
+
 module Arver
   class KeyGenerator
     def initialize
@@ -5,7 +7,7 @@ module Arver
     end
     
     def generate_key( partition )
-      key = ActiveSupport::SecureRandom.base64(192)
+      key = SecureRandom.base64(192)
       @keys[partition] = key
     end
     

data/lib/arver/key_saver.rb

@@ -1,3 +1,5 @@
+require 'securerandom'
+
 module Arver
   class KeySaver
     
@@ -37,6 +39,7 @@ module Arver
       #compress the key before applying padding, so the size after encryption+compression by gpg is more stable...
       key = deflate(key)
       unless GPGKeyManager.check_key_of( user )
+        Arver::Log.error( "Error no key for #{user}" )
         return
       end
       gpg_key = GPGKeyManager.key_of( user )
@@ -115,19 +118,19 @@ module Arver
     end
 
     def self.add_padding( key )
-      marker = "--"+ActiveSupport::SecureRandom.base64( 82 )
+      marker = "--"+SecureRandom.base64( 82 )
       size = 200000
       padding_size = size - key.size
       if padding_size <= 0
         padding_size = 0
         Arver::Log.warn( "Warning: Your arver keys exceed the maximal padding size, therefore i can no longer disguise how many keys you possess.")
       end
-      padding = ActiveSupport::SecureRandom.base64( padding_size )[0..padding_size]
+      padding = SecureRandom.base64( padding_size )[0..padding_size]
       marker +"\n"+ key + "\n" + marker + "\n" + padding
     end
     
     def self.substract_padding( key )
-      if( key.starts_with? '--- ' )
+      if key[0...4] == "--- "
         Arver::Log.warn( "Warning: you are using deprecated unpadded keyfiles. Please run garbage collect!" )
         return key
       end

data/lib/arver/keystore.rb

@@ -15,23 +15,23 @@ module Arver
       end
     end
           
-    attr_accessor :username, :loaded
+    attr_reader :username, :loaded
         
     def initialize( name )
       @keys = {}
       @key_versions = {}
-      self.username= name
-      self.loaded = false
+      @username = name
+      @loaded = false
     end
     
     def load
       flush_keys
-      KeySaver.read( self.username ).each do | loaded |
+      KeySaver.read(username).each do | loaded |
         YAML.load( loaded ).each do | target, key |
           load_luks_key(target,key)
         end
       end
-      self.loaded = true
+      @loaded = true
     end
     
     def save
@@ -51,9 +51,13 @@ module Arver
     end
   
     def luks_key(partition)
-      @keys[partition.path][:key] unless ! @keys[partition.path]
+      luks_key_for_path(partition.path)
     end
     
+    def luks_key_for_path(path)
+      @keys[path][:key] unless ! @keys[path]
+    end
+
     def load_luks_key(partition, new_key)
       if( new_key.kind_of? Hash )
         if( ! @keys[partition] || @keys[partition][:time] <= new_key[:time] )

data/lib/arver/partition_hierarchy_node.rb

@@ -1,5 +1,3 @@
-require 'active_support/core_ext'
-
 module Arver
   module PartitionHierarchyNode
         
@@ -72,7 +70,7 @@ module Arver
     def find( name )
       found = []
       self.each_node do | node |
-        found += [ node ] if ( node.name == name || node.path.ends_with?( name ) )
+        found += [ node ] if (node.name == name || node.path =~ /#{name}$/)
       end
       found
     end

data/lib/arver/runtime_config.rb

@@ -5,7 +5,7 @@ module Arver
     
     include Singleton
 
-    attr_accessor :test_mode, :dry_run, :force, :violence, :ask_password, :trust_all
+    attr_accessor :test_mode, :dry_run, :force, :violence, :ask_password, :trust_all, :global_key_path
     
     instance.test_mode= false
     instance.dry_run= false

data/lib/arver/ssh_command_wrapper.rb

@@ -1,20 +1,29 @@
 module Arver
   class SSHCommandWrapper < CommandWrapper
-    
-    attr_accessor :host, :user, :port, :as_root
-    
-    def self.create( cmd, args, host, as_root = false )
+    attr_accessor :host, :user, :port, :as_root, :on_boot
+
+    def self.create( cmd, args, host, as_root = false, on_boot = false)
       c = SSHCommandWrapper.new
       c.host= host
       c.as_root= as_root
       c.command= cmd
       c.arguments_array= args
+      c.on_boot = on_boot
       c
     end
-    
+
     def escaped_command
-      sudo = if as_root && host.username != "root" then "sudo" else "" end
-      "ssh -p #{shellescape(host.port)} #{shellescape(host.username)}@#{shellescape(host.address)} #{sudo} #{super}" 
+      addr = (on_boot ? host.boot_address : nil) || host.address
+      user = on_boot ? 'root' : host.username
+      port = on_boot ? '22' : host.port
+      sudo = if as_root && on_boot && host.username != "root" then "sudo" else "" end
+      "ssh -p #{shellescape(port)} #{shellescape(user)}@#{shellescape(addr)} #{sudo} #{super}" 
+    end
+
+    def self.is_system_running?(partition)
+      wr = Arver::SSHCommandWrapper.create("systemctl", ["is-system-running"], partition.parent, true, true)
+      wr.execute
+      wr.success? && !['initializing','starting'].include?(wr.output.chomp)
     end
   end
 end

data/lib/arver/systemd_open_action.rb

@@ -0,0 +1,83 @@
+require 'tmpdir'
+
+module Arver
+  class SystemdOpenAction < Action
+    def initialize( target_list )
+      super( target_list )
+      self.open_keystore
+    end
+
+    def verify?( partition )
+      if(Arver::SSHCommandWrapper.is_system_running?(partition))
+        Arver::Log.error( "#{partition.parent.name} already up. Use normal open, skipping." )
+        return false
+      end
+      return false unless load_key( partition )
+      true
+    end
+
+    def get_socket(host, partid)
+      # Check which partitions are waiting for a password
+      # see https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
+      files_exec = Arver::SSHCommandWrapper.create("ls", ["/run/systemd/ask-password/ask.*"], host, true, true)
+      files_exec.execute
+      files = files_exec.output.split("\n")
+
+      # Find the socket for the partition we want to open
+      files.each do |f|
+        f_exec = Arver::SSHCommandWrapper.create("cat", [f], host, true, true)
+        f_exec.execute
+        ask_file = f_exec.output
+        if ask_file =~ /#{partid}/
+          ask_file =~ /Socket=(.*)/
+          return $1
+        end
+      end
+      nil
+    end
+
+    def execute_partition( partition )
+      Arver::Log.info( "opening: "+partition.path )
+      socket = nil
+      partid = nil
+      host = partition.parent
+
+      # Find the uuid of this partition
+      partid_exec = Arver::SSHCommandWrapper.create("blkid", ["/dev/#{partition.device}"], host, true, true)
+      partid_exec.execute
+      partid = partid_exec.output.chomp.gsub(/.* UUID=\"([^"]+)\" .*/,'\1')
+      unless partid =~ /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/
+        puts "Could not get uuid of disk"
+        throw( :abort_action )
+      end
+
+      socket = get_socket(host, partid)
+      if socket.nil?
+        puts "Disk is not waiting to be opened"
+        throw( :abort_action )
+      end
+
+      # Upload password-agent binary and supply password to the correct socket
+      binary = File.join(ROOT_DIR, "vendor", "password-agent")
+      unless File.exists?(binary)
+        puts "This gem is missing the native password-agent binary"
+        throw( :abort_action )
+      end
+      # This is an epic hack to have a binary with exec permission
+      # initrd does not have chmod, so we copy an existing binary and override it
+      r = Arver::SSHCommandWrapper.create("cp", ["/bin/true", "/run/password-agent"], host, true, true).execute
+      r = Arver::SSHCommandWrapper.create("cat", ["- > /run/password-agent"], host, true, true)
+      r.execute(File.read(binary))
+      unless r.success?
+        puts "Could not upload password-agent"
+        throw( :abort_action )
+      end
+
+      # Pass password
+      a = Arver::SSHCommandWrapper.create("/run/password-agent", [socket], host, true, true)
+      a.execute(key)
+
+      # Cannot check if it worked, since if it did, the server rebooted
+    end
+  end
+end

data/lib/arver/test_config_loader.rb

@@ -16,6 +16,7 @@ module TestConfigLoader
   def load_test_config
     Arver::LocalConfig.instance.config_dir= "spec/data"
     Arver::LocalConfig.instance.username= "test"
+    Arver::RuntimeConfig.instance.trust_all = true
     config = Arver::Config.instance
     config.load
   end

data/lib/arver/version.rb

@@ -1,3 +1,3 @@
 module Arver
-  VERSION = '0.1.5'
+  VERSION = '0.1.9'
 end

data/lib/arver.rb

@@ -1,6 +1,7 @@
-%w{singleton yaml fileutils rubygems active_support/secure_random highline/import gpgme openssl zlib}.each {|f| require f }
+%w{singleton yaml fileutils rubygems highline/import gpgme openssl zlib}.each {|f| require f }
 $:.unshift(File.dirname(__FILE__)) unless
   $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
  
-%w{ gpg_key_manager luks_wrapper action initial_config_action refresh_action create_action list_action gc_action adduser_action deluser_action info_action close_action open_action target_list command_wrapper ssh_command_wrapper log_levels io_logger log string bootstrap local_config config test_config_loader node_with_script_hooks partition_hierarchy_node host hostgroup tree partition test_partition key_generator key_saver keystore runtime_config key_info_action}.each {|f| require "arver/#{f}" }
+%w{ gpg_key_manager luks_wrapper action initial_config_action refresh_action create_action list_action gc_action adduser_action deluser_action info_action close_action open_action systemd_open_action target_list command_wrapper ssh_command_wrapper log_levels io_logger log string bootstrap local_config config test_config_loader node_with_script_hooks partition_hierarchy_node host hostgroup tree partition test_partition key_generator key_saver keystore runtime_config key_info_action dump_key_action }.each {|f| require "arver/#{f}" }
 
+ROOT_DIR = File.expand_path('../..',__FILE__)

data/man/arver.5

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "ARVER" "5" "July 2012" "" ""
+.TH "ARVER" "5" "January 2022" "" ""
 .
 .SH "NAME"
 \fBarver\fR \- LUKS on the loose
@@ -46,6 +46,10 @@ Creates LUKS partitions for \fBarver\fR on all targeted disks\.
 Opens all targeted disks\.
 .
 .TP
+\fB\-\-systemd\-open TARGET\fR
+Same as above, but supplying password to systemd ask\-password, used during system startup\.
+.
+.TP
 \fB\-\-close TARGET\fR
 Closes all targeted disks\.
 .
@@ -193,15 +197,16 @@ The \fBdisks\fR file contains the following hash tree in yaml notation:
      \'disk2\'   :
        \'device\'   :  \'sdb1\'
    \'host2\':
-     \'address\': \'host2\.example\.com\'
-     \'port\'   : \'2222\'
-     \'mails\'  :
+     \'address\' : \'host2\.example\.com\'
+     \'port\'    : \'2222\'
+     \'username\': \'hans\'
+     \'mails\'   :
        \'device\'  : \'nonraid/mails\'
        \'pre_open\': \'pre_open_disk_script\.sh\'
  \'hostgroup2\':
    \'host3\':
      \'address\' : \'host3\.example\.com\'
-     \'username\': \'foo\'
+     \'username\': \'#arveruser\'
      \'secure\'  :
        \'device\'  : \'storage/secure\'
 .
@@ -235,6 +240,19 @@ will present you the tree of the various targets in your \fBdisks\fR configurati
 \fBhost1\fR, \fBhost2\fR and \fBhost3\fR are identifiers for different hosts\. These host\- objects can contain multiple disks and can have further information such as the \fBaddress\fR of the host or the ssh\-\fBport\fR number if the ssh daemon is not running on the standart port\.
 .
 .P
+\fBusername\fR defines the ssh login\-user\. By default it is \fBroot\fR\. To always use the same username as arver (as defined by \fB\-u\fR or in \fB\.arver\fR) set the username to \fB#arveruser\fR\. If the user is not \fBroot\fR, the actual LUKS commands will be executed via \fBsudo\fR and you need the following entry in your sudoers file on this machine (assuming the user is in the admin group):
+.
+.IP "" 4
+.
+.nf
+
+%admin ALL=NOPASSWD: /usr/bin/test, /sbin/cryptsetup
+.
+.fi
+.
+.IP "" 0
+.
+.P
 You can also add script hooks to any host or disk\. Those will be run during the \fBopen\fR and \fBclose\fR actions at the appropriate time\. The possible options are: \fBpre_open\fR, \fBpre_close\fR, \fBpost_open\fR and \fBpost_close\fR\.
 .
 .P
@@ -313,6 +331,22 @@ Those scripts have to be present at the actual host\.
 .P
 If you don\'t have a key for any of the disks that you wish to open it will be skipped (along with its script hooks)\.
 .
+.P
+Arver can also open a disk that is waiting for a password by systemd\-ask\-password\. Typically this is happening during startup of a physical system, e\.g\., within the initrd\. For that there is a special mode called:
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-\-systemd\-open TARGET
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Note, due to the provided api by systemd, there is unfortunately no indication if the command suceeded\. Typically unlocking the last pending disk automatically continues booting the server\. In case the inird ssh has a differen hostname or address than the acutal system, there is an optional \fBboot_address\fR config in the disks configuration, to override the default one\. This mode expects ssh to be on port 22 and user root\.
+.
 .SH "Action Close"
 Closing luks devices is simply done by invoking
 .
@@ -436,6 +470,32 @@ $ arver \-g
 .P
 If you use a version controll system to store your \fBarverdata\fR you should do this always before commiting the \fBarverdata\fR\.
 .
+.SH "Migrating keys"
+If you want to move a disk to a different server or a server to a different location, there is currently no nice way of doing this\. You can however apply the following workaround, after you moved/renamed a disk in the config file:
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-\-set\-key /OLD_LOCATION/OLD_MACHINE/OLD_NAME \-\-refresh NEW_NAME
+.
+.fi
+.
+.IP "" 0
+.
+.P
+For example after moving \fBa_disk\fR from \fBa_server\fR at \fBa_location\fR to \fBsome_server\fR at \fBsome_location\fR in the config, you can restore your access with:
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-\-set\-key /a_location/a_server/a_disk \-\-refresh /some_location/some_server/a_disk
+.
+.fi
+.
+.IP "" 0
+.
 .SH "SEE ALSO"
 \fBcryptsetup\fR(8)\. \fBgnupg\fR(7)\.
 .

metadata

@@ -1,122 +1,98 @@
 --- !ruby/object:Gem::Specification
 name: arver
 version: !ruby/object:Gem::Version
-  version: 0.1.5
-  prerelease: 
+  version: 0.1.9
 platform: ruby
 authors:
 - o
 - andreas
 - mh
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-07-25 00:00:00.000000000 Z
+date: 2022-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.0
-- !ruby/object:Gem::Dependency
-  name: activesupport
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - <
-      - !ruby/object:Gem::Version
-        version: 3.0.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - <
-      - !ruby/object:Gem::Version
-        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: highline
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.6.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.6.2
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.10.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.10.2
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.5.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.5.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.9.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.9.2
-description: Arver helps you to manage a large amount of crypted devices easily and
-  safe amongst a certain amount of members
+description: Arver helps you to share access to LUKS devices easily and safely in
+  a team
 email: arver@lists.immerda.ch
 executables:
 - arver
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.textile
+- README.textile
+- bin/arver
 - lib/arver.rb
 - lib/arver/action.rb
 - lib/arver/adduser_action.rb
@@ -127,6 +103,7 @@ files:
 - lib/arver/config.rb
 - lib/arver/create_action.rb
 - lib/arver/deluser_action.rb
+- lib/arver/dump_key_action.rb
 - lib/arver/gc_action.rb
 - lib/arver/gpg_key_manager.rb
 - lib/arver/host.rb
@@ -151,40 +128,34 @@ files:
 - lib/arver/runtime_config.rb
 - lib/arver/ssh_command_wrapper.rb
 - lib/arver/string.rb
+- lib/arver/systemd_open_action.rb
 - lib/arver/target_list.rb
 - lib/arver/test_config_loader.rb
 - lib/arver/test_partition.rb
 - lib/arver/tree.rb
 - lib/arver/version.rb
-- README.textile
-- CHANGELOG.textile
 - man/arver.5
-- bin/arver
-homepage: https://github.com/arver/arver
+- vendor/password-agent
+homepage: https://code.immerda.ch/immerda/apps/arver
 licenses: []
-post_install_message: 
+metadata: {}
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
-      segments:
-      - 0
-      hash: 947642704890013429
+      version: '2.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
-rubyforge_project: ! '[none]'
-rubygems_version: 1.8.24
-signing_key: 
-specification_version: 3
-summary: Open crypted devices automatically
+rubygems_version: 3.1.2
+signing_key:
+specification_version: 4
+summary: LUKS for groups
 test_files: []