On Thu, Dec 12, 2024 at 03:10:15PM +0400, Denys Ostapenko wrote:
>>>I found it's surprisingly hard to access VeraCrypt partition inside
>>>VHD file.
>>
>>I'm not sure what VeraCrypt is, but I don't think we have support for
>>it in libguestfs, which is going to be a problem. Unless kernel /
>>cryptsetup knows about it somehow.
>VeraCrypt is a TrueCrypt fork (disk-encryption software),
>open-source and cross-platform.
>>On Thu, Dec 12, 2024 at 02:45:48AM +0400, Denys Ostapenko wrote:
>>>Is it possible to expose raw partition from libguestfs (and
>>>guestfish) as a mapper device? Like cryptsetup-open <partition>
>>><mapper>, but without password and decryption at all.
>>
>>I'm not sure what you mean by this. Do you mean, expose the encrypted
>>device as a block device on the host? (ie. guestmount)
>I have file.vhd and a /dev/sda1 partition (VeraCrypt encrypted)
>inside. This partition is raw; guestfish cannot recognize it,
>because without the password a VeraCrypt partition is indistinguishable
>from random. In Windows, the out-of-the-box VHD mount tool creates a
>device like \Device\Harddisk2\Partition1, so I can mount it in
>VeraCrypt. I have not found a way to ask guestfish/libguestfs to
>expose such a raw partition from inside a VHD as a host block device.
Doesn't doing this work?
$ guestmount [--ro] -a guest.img -m /dev/sda1 /var/tmp/some_mountpoint
It's not a host block device, but near enough. It'll also be quite
slow because it's using FUSE.
If VeraCrypt can be taught how to access an NBD endpoint instead of
needing POSIX APIs, then you could do something with qemu-nbd &
nbdkit, although it's a little clunky because of the nested partition
and because qemu-nbd removed support for the '-P' option.
>It could look like:
>
>guestfs_loopback_partition(g, "/dev/sda1", "file-vhd-sda1-mapper");
>// Creates /dev/mapper/file-vhd-sda1-mapper
>
>or even
>
>guestfs_loopback_disk(g, "file-vhd-mapper");
>
>instead of
>
>guestfs_mount(g, "/dev/sda1", "/media/file-vhd-sda1");
>VeraCrypt on Linux by itself creates a /dev/mapper/veracrypt1
>decrypted block device from an encrypted partition or file, and does
>not depend on the filesystem inside. I wonder if there is a similar
>approach in libguestfs that does not depend on the
>encryption/filesystem/filesystem integrity inside a virtual disk
>partition. Also, dmsetup allows creating a single block device from
>a few byte ranges of a device or file, encrypted or not.
I think the best idea is probably to add VeraCrypt support to
libguestfs, but that's some work that I don't have time for myself.
>My current workaround is to expose the partition from a non-fragmented VHD
>file (which is a dd copy of the disk with a 512-byte footer) as a block device
>via losetup/dmsetup, and then mount it with VeraCrypt. Fragmented VHDs
>do not work this way.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
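Denys's losetup/dmsetup workaround quoted above only holds for a fixed (non-fragmented) VHD, which is a plain dd image with a 512-byte footer appended. The Python below is an added example, not part of this thread or of libguestfs: it reads the footer's disk-type field to refuse dynamic/differencing images before trusting that layout, then derives the partition's byte offset and a dm-linear table line from the MBR; the VHD it parses is constructed in memory, and /dev/loopN is a placeholder name.

```python
import struct
SECTOR = 512
VHD_TYPE_FIXED = 2  # footer "disk type": 2 = fixed, 3 = dynamic, 4 = differencing

def parse_vhd_footer(image: bytes) -> dict:
    """Read the 512-byte footer at the end of a VHD (fields are big-endian)."""
    footer = image[-SECTOR:]
    if footer[:8] != b"conectix":
        raise ValueError("no VHD footer cookie: not a VHD image")
    _orig, current_size, _geom, disk_type = struct.unpack(">QQII", footer[40:64])
    return {"current_size": current_size, "disk_type": disk_type}

def mbr_partitions(sector0: bytes) -> list:
    """Return (number, type, start_lba, sectors) for each used MBR entry."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack("<II", entry[8:16])
        if entry[4] != 0 and count != 0:
            parts.append((i + 1, entry[4], start, count))
    return parts

def plan_fixed_vhd_partition(image: bytes, index: int = 1) -> dict:
    """Offset/size of partition `index` plus a dm-linear table line. Only a fixed
    VHD is a dd copy of the disk plus a footer, so file offsets equal disk offsets."""
    footer = parse_vhd_footer(image)
    if footer["disk_type"] != VHD_TYPE_FIXED:
        raise ValueError("dynamic/differencing VHD: block layout is not linear")
    if len(image) - SECTOR != footer["current_size"]:
        raise ValueError("file length does not match footer current_size")
    for num, ptype, start, count in mbr_partitions(image[:SECTOR]):
        if num == index:
            if (start + count) * SECTOR > footer["current_size"]:
                raise ValueError("partition runs past the disk area into the footer")
            return {"type": ptype, "offset": start * SECTOR, "size": count * SECTOR,
                    "dmsetup_table": f"0 {count} linear /dev/loopN {start}"}
    raise ValueError(f"partition {index} not present in MBR")

def build_sample_fixed_vhd(total_sectors=4096, start=2048, count=2048) -> bytes:
    """Constructed sample: one-partition MBR disk plus a fixed-VHD footer."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes([0, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", start, count)
    mbr[510:512] = b"\x55\xaa"
    disk = bytes(mbr) + bytes(SECTOR * (total_sectors - 1))
    footer = bytearray(SECTOR)
    footer[0:8] = b"conectix"
    footer[40:64] = struct.pack(">QQII", len(disk), len(disk), 0, VHD_TYPE_FIXED)
    return disk + bytes(footer)
```

/dev/loopN stands for whatever `losetup --read-only --find --show file.vhd` returns for the whole VHD file; the returned table string is the argument to `dmsetup create <name> --table "..."`, after which VeraCrypt can be pointed at /dev/mapper/<name>.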