2024-12-12 15:31, Daniel P. Berrangé writes:
> On Thu, Dec 12, 2024 at 11:27:35AM +0000, Richard W.M. Jones wrote:
> > On Thu, Dec 12, 2024 at 03:10:15PM +0400, Denys Ostapenko wrote:
> >>>> I found it's surprisingly hard to access VeraCrypt partition inside
> >>>> VHD file.
> >>>
> >>> I'm not sure what VeraCrypt is, but I don't think we have support for
> >>> it in libguestfs, which is going to be a problem. Unless kernel /
> >>> cryptsetup knows about it somehow.
> >>
> >> VeraCrypt is a TrueCrypt fork (disk-encryption software),
> >> open-source and cross-platform.
> >>
> >>> On Thu, Dec 12, 2024 at 02:45:48AM +0400, Denys Ostapenko wrote:
> >>>> Is it possible to expose raw partition from libguestfs (and
> >>>> guestfish) as a mapper device? Like cryptsetup-open <partition>
> >>>> <mapper>, but without password and decryption at all.
> >>>
> >>> I'm not sure what you mean by this. Do you mean, expose the encrypted
> >>> device as a block device on the host? (ie. guestmount)
> >>
> >> I have file.vhd and /dev/sda1 partition (VeraCrypt encrypted)
> >> inside. This partition is raw; guestfish can not recognize it,
> >> because without password VeraCrypt partition is indistinguishable
> >> from random. In Windows, out-of-the-box VHD mount tool creates
> >> device like \Device\Harddisk2\Partition1, so I can mount it in
> >> VeraCrypt. I have not found a way to ask guestfish/libguestfs to
> >> expose such raw partition from inside VHD as host block device.
> >
> > Doesn't doing this work?
> >
> > $ guestmount [--ro] -a guest.img -m /dev/sda1 /var/tmp/some_mountpoint
> >
> > It's not a host block device, but near enough. It'll also be quite
> > slow because it's using FUSE.
> >
> > If VeraCrypt can be taught how to access an NBD endpoint instead of
> > needing POSIX APIs, then you could do something with qemu-nbd &
> > nbdkit, although it's a little clunky because of the nested partition
> > and because qemu-nbd removed support for the '-P' option.
>
> Can you just combine qemu-nbd with kpartx to set up devmapper
> nodes for each partition:
>
>   qemu-nbd -c /dev/nbd0 guest.img
>   kpartx -a /dev/nbd0
>
> will give you /dev/mapper/nbd0p1 which you can then access
> with whatever you need for VeraCrypt on a host blockdev

Thank you very much, qemu-nbd works.

sudo apt install nbd-client -y
sudo modprobe nbd
sudo qemu-nbd --read-only --connect=/dev/nbd0 /media/disk/file.vhd
sudo kpartx -a /dev/nbd0
sudo mkdir /media/file-vhd
sudo veracrypt -m=nokernelcrypto /dev/nbd0p1 /media/file-vhd
Option -m=nokernelcrypto is required; without it VeraCrypt outputs:

Error: device-mapper: reload ioctl on veracrypt1 failed: Device or
resource busy

It looks like there is already VeraCrypt support in cryptsetup
(--type=tcrypt-veracrypt); is there some way to pass this option
through guestfish?

Is it worth adding to the FAQ?
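Putting the steps from this thread into one script, as an added example that is not part of the thread or of the libguestfs/VeraCrypt projects: it exports the VHD read-only with qemu-nbd, lets kpartx create the device-mapper partition node that Daniel describes, hands that node to VeraCrypt with -m=nokernelcrypto, and undoes every step if any of them fails or when asked to tear down. The /dev/nbd0 default, the argument names and the "up"/"down" subcommands are this example's own choices; it assumes qemu-nbd, kpartx, veracrypt and the nbd kernel module are available and that sudo may run them.

```shell
#!/bin/sh
# Added example (not from the thread): qemu-nbd -> kpartx -> veracrypt with
# read-only export and guaranteed cleanup. Assumes qemu-nbd, kpartx, veracrypt
# and the nbd kernel module are installed and that sudo may run them.
# /dev/nbd0 is only a default chosen for this example.
set -eu

# Device-mapper node kpartx creates for partition <num> of <dev>: kpartx
# names it after the device basename, e.g. /dev/nbd0 + 1 -> /dev/mapper/nbd0p1.
partition_node() {
    printf '/dev/mapper/%sp%s\n' "$(basename "$1")" "$2"
}

# Accept only a readable regular file so qemu-nbd is never pointed at a
# bare host device by mistake.
check_image() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Release everything in reverse order of creation; every step tolerates
# the corresponding resource never having been set up.
teardown() {
    sudo veracrypt -d "$MNT" 2>/dev/null || true
    sudo kpartx -d "$NBD" 2>/dev/null || true
    sudo qemu-nbd --disconnect "$NBD" 2>/dev/null || true
}

# mount_vhd_veracrypt <image.vhd> <partition-number> <mountpoint> [nbd-device]
mount_vhd_veracrypt() {
    IMAGE=$1; PART=$2; MNT=$3; NBD=${4:-/dev/nbd0}
    check_image "$IMAGE" || { echo "not a readable image file: $IMAGE" >&2; return 1; }
    sudo modprobe nbd
    # If anything below fails, leave no half-built stack behind.
    trap teardown EXIT
    # Read-only export: nothing done afterwards can alter the VHD.
    sudo qemu-nbd --read-only --connect="$NBD" "$IMAGE"
    sudo kpartx -a "$NBD"
    sudo udevadm settle
    NODE=$(partition_node "$NBD" "$PART")
    [ -b "$NODE" ] || { echo "no partition node $NODE after kpartx" >&2; return 1; }
    sudo mkdir -p "$MNT"
    # -m=nokernelcrypto avoids the device-mapper "Device or resource busy"
    # error reported in the thread; VeraCrypt asks for the password itself.
    sudo veracrypt -m=nokernelcrypto "$NODE" "$MNT"
    # Success: keep the stack up and let "down" release it later.
    trap - EXIT
    echo "mounted $NODE on $MNT (release with: $0 down $MNT $NBD)"
}

case "${1:-}" in
    up)   shift; mount_vhd_veracrypt "$@" ;;
    down) shift; MNT=${1:?mountpoint}; NBD=${2:-/dev/nbd0}; teardown ;;
    "")   ;;   # no arguments: only define the helpers (e.g. when sourced)
    *)    echo "usage: $0 up <image.vhd> <part> <mountpoint> [nbd] | down <mountpoint> [nbd]" >&2
          exit 2 ;;
esac
```

Usage: `sh vhd-veracrypt.sh up /media/disk/file.vhd 1 /media/file-vhd` followed later by `sh vhd-veracrypt.sh down /media/file-vhd`. The script uses the /dev/mapper/nbd0p1 node rather than the kernel's own /dev/nbd0p1 so that the name it expects is exactly the one kpartx reports, and the read-only export means a wrong partition number or a confused VeraCrypt cannot write into the image. If cryptsetup's tcrypt support is preferred over the VeraCrypt binary, the same node can be opened with `cryptsetup open --type tcrypt --veracrypt <node> <name>` instead of the veracrypt call.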