
How to display current mappings for encrypted devices

Display current mappings for encrypted devices (LUKS).

List block devices

Use lsblk list mode to display encrypted devices.

$ lsblk --list | awk '$6 == "TYPE" || $6 == "crypt" {print}' 
NAME                                      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda4_crypt                                253:0    0 445,9G  0 crypt 
luks-0e17b44c-a9af-4da1-8f98-062552e1df7a 253:3    0   1,8T  0 crypt /media/milosz/5a7dd0ba-8137-4416-82dd-fc4bcf982ec9

Use the lsblk tree-like format, which is the default mode, to display encrypted volumes.

$ lsblk --tree /dev/mapper/sda4_crypt
NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda4_crypt        253:0    0 445,9G  0 crypt 
├─vgubuntu-root   253:1    0 444,9G  0 lvm   /
└─vgubuntu-swap_1 253:2    0   980M  0 lvm   [SWAP]
$ lsblk --tree /dev/mapper/luks-0e17b44c-a9af-4da1-8f98-062552e1df7a 
NAME                                      MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
luks-0e17b44c-a9af-4da1-8f98-062552e1df7a 253:3    0  1,8T  0 crypt /media/milosz/5a7dd0ba-8137-4416-82dd-fc4bcf982ec9

Combine lsblk list and tree mode to display encrypted volumes.

$ lsblk --list --output NAME,TYPE --noheading | awk '$2 == "crypt" {print $1}' | xargs -I{} lsblk --tree /dev/mapper/{} | column -t | sed '2,${/^NAME/d}'
NAME                                       MAJ:MIN  RM  SIZE    RO  TYPE   MOUNTPOINT
sda4_crypt                                 253:0    0   445,9G  0   crypt  
├─vgubuntu-root                            253:1    0   444,9G  0   lvm    /
└─vgubuntu-swap_1                          253:2    0   980M    0   lvm    [SWAP]
luks-0e17b44c-a9af-4da1-8f98-062552e1df7a  253:3    0   1,8T    0   crypt  /media/milosz/5a7dd0ba-8137-4416-82dd-fc4bcf982ec9

Use lsblk JSON output to extract this information.

$ lsblk --json --output-all| jq --raw-output  '[.. | select(.fstype?) | select(.children[]?) | {parent:{name,fstype,path},device:(.children[]| {name,fstype,path})}] | unique | group_by(.parent.name) | .[] | {parent: .[0].parent,device:[.[].device]}'
{                                                                                                                                                                                                                                  
  "parent": {                                                                                                                                                                                                                      
    "name": "sda4",                                                                                                                                                                                                                
    "fstype": "crypto_LUKS",
    "path": "/dev/sda4"
  },
  "device": [
    {
      "name": "sda4_crypt",
      "fstype": "LVM2_member",
      "path": "/dev/mapper/sda4_crypt"
    }
  ]
}
{
  "parent": {
    "name": "sda4_crypt",
    "fstype": "LVM2_member",
    "path": "/dev/mapper/sda4_crypt"
  },
  "device": [
    {
      "name": "vgubuntu-root",
      "fstype": "ext4",
      "path": "/dev/mapper/vgubuntu-root"
    },
    {
      "name": "vgubuntu-swap_1",
      "fstype": "swap",
      "path": "/dev/mapper/vgubuntu-swap_1"
    }
  ]
}
{
  "parent": {
    "name": "sdc1",
    "fstype": "crypto_LUKS",
    "path": "/dev/sdc1"
  },
  "device": [
    {
      "name": "luks-0e17b44c-a9af-4da1-8f98-062552e1df7a",
      "fstype": "ext4",
      "path": "/dev/mapper/luks-0e17b44c-a9af-4da1-8f98-062552e1df7a"
    }
  ]
}

Low-level logical volume management

Use dmsetup list mode to display encrypted devices.

$ sudo dmsetup ls --target crypt
sda4_crypt      (253, 0)
luks-0e17b44c-a9af-4da1-8f98-062552e1df7a       (253, 3)

Use dmsetup tree mode to display encrypted devices and volumes.

$ sudo dmsetup ls --tree
vgubuntu-root (253:1)
 └─sda4_crypt (253:0)
    └─ (8:4)
vgubuntu-swap_1 (253:2)
 └─sda4_crypt (253:0)
    └─ (8:4)
luks-0e17b44c-a9af-4da1-8f98-062552e1df7a (253:3)
 └─ (8:33)

Use dmsetup to inspect a specific volume.

$ sudo dmsetup info --major 253 --minor 1
Name:              vgubuntu-root
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        1
Event number:      0
Major, minor:      253, 1
Number of targets: 1
UUID: LVM-UZH27ydsKGowhUzXdj5FCH30d0KvLdIOEkV3CCZDS4SISA7ZOnVpcty16K6QnM3M

Use dmsetup list mode to list LVM volumes on an encrypted device.

$ sudo dmsetup ls --target linear
vgubuntu-root   (253, 1)
vgubuntu-swap_1 (253, 2)

Use dmsetup to display encrypted volumes with dependencies.

$ sudo dmsetup deps
sda4_crypt: 1 dependencies      : (8, 4)
vgubuntu-root: 1 dependencies   : (253, 0)
vgubuntu-swap_1: 1 dependencies : (253, 0)
luks-0e17b44c-a9af-4da1-8f98-062552e1df7a: 1 dependencies       : (8, 33)

Use dmsetup to inspect an encrypted device.

$ sudo dmsetup info  --major 253 --minor 0
Name:              sda4_crypt
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        2
Event number:      0
Major, minor:      253, 0
Number of targets: 1
UUID: CRYPT-LUKS2-67369c73f0a04ead907c507246c0c43b-sda4_crypt

Use dmsetup to determine the parent of the encrypted volume by resolving the major and minor numbers of its dependency to a device-mapper name.

$ sudo dmsetup info -c --noheadings -o name --major 253 --minor 0
sda4_crypt

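Use dmsetup to inspect volumes that depend on encrypted devices. The awk program below relies on the three-argument match(), which is a gawk extension. It also builds each dmsetup command line from the device name and runs it through a shell as root, so it assumes that device names contain no whitespace or shell metacharacters.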

$ sudo dmsetup ls --target linear | sudo awk '{CMD="dmsetup deps " $1; CMD |getline RES; close(CMD); match(RES,/([0-9]+) dependencies[ \t]+: \(([0-9]*), ([0-9]+)\)/,arr); CMD2="dmsetup info -c --noheadings -o name --major " arr[2] " --minor " arr[3]; CMD2| getline RES2; close(CMD2); print $0 " -> " RES2 " (" arr[2] ", " arr[3] ")"}' | column -t 
vgubuntu-root    (253,  1)  ->  sda4_crypt  (253,  0)
vgubuntu-swap_1  (253,  2)  ->  sda4_crypt  (253,  0)

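Use dmsetup to inspect all encrypted devices and volumes. Errors from dmsetup info are discarded with 2>/dev/null, so the name column stays empty for any dependency that dmsetup cannot resolve.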

$ sudo dmsetup deps | sudo awk -F: '{CMD="dmsetup deps " $1; CMD |getline RES; close(CMD); match(RES,/([0-9]+) dependencies[ \t]+: \(([0-9]*), ([0-9]+)\)/,arr); RES2="";CMD2="dmsetup info -c --noheadings -o name --major " arr[2] " --minor " arr[3] " 2>/dev/null"; CMD2| getline RES2; close(CMD2); print $0 " -> " RES2 " (" arr[2] ", " arr[3] ")"}' | column -t
sda4_crypt:                                 1  dependencies  :  (8,    4)   ->  (8,         4)     
vgubuntu-root:                              1  dependencies  :  (253,  0)   ->  sda4_crypt  (253,  0)
vgubuntu-swap_1:                            1  dependencies  :  (253,  0)   ->  sda4_crypt  (253,  0)
luks-0e17b44c-a9af-4da1-8f98-062552e1df7a:  1  dependencies  :  (8,    33)  ->  (8,         33) 

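Not all information is available here: the dependencies with major number 8 are not device-mapper devices, so dmsetup cannot resolve their names.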

$ sudo dmsetup  info --major  8 --minor  33
Device does not exist.
Command failed.

Use udevadm to identify this device.

$ udevadm info --root --query name /sys/dev/block/8:33
/dev/sdc1