```yaml
---
- name: Encrypt multiple disks with LUKS
  hosts: all
  become: yes
  vars:
    luks_disks:                     # List of disks to encrypt
      - /dev/sdb
      - /dev/sdc
    luks_password: secret_password  # Replace or use a vault/encrypted variable
    mount_points:                   # List of mount points corresponding to the disks
      - /mnt/disk1
      - /mnt/disk2
  tasks:
    - name: Ensure required packages are installed
      ansible.builtin.yum:
        name:
          - cryptsetup
        state: present

    # The command module runs no shell, so "echo ... | cryptsetup" would not pipe anything;
    # the passphrase is passed on stdin instead, and no_log keeps it out of the play output.
    # Note: luksFormat is destructive and this task is not idempotent; a second run wipes the disks.
    - name: Create LUKS encryption on disks
      ansible.builtin.command:
        cmd: "cryptsetup luksFormat {{ item }} -q"
        stdin: "{{ luks_password }}"
      loop: "{{ luks_disks }}"
      ignore_errors: no
      no_log: true

    - name: Open LUKS-encrypted disks
      ansible.builtin.command:
        cmd: "cryptsetup luksOpen {{ item }} luks_{{ item | regex_replace('/dev/', '') }}"
        stdin: "{{ luks_password }}"
      loop: "{{ luks_disks }}"
      no_log: true

    - name: Format the LUKS-encrypted devices with ext4 filesystem
      ansible.builtin.command:
        cmd: "mkfs.ext4 /dev/mapper/luks_{{ item | regex_replace('/dev/', '') }}"
      loop: "{{ luks_disks }}"

    - name: Create mount points
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
      loop: "{{ mount_points }}"

    # state: mounted also writes the fstab entry; the lineinfile task below only re-asserts it.
    - name: Mount the LUKS devices to mount points
      ansible.builtin.mount:
        path: "{{ item.1 }}"
        src: "/dev/mapper/luks_{{ item.0 | regex_replace('/dev/', '') }}"
        fstype: ext4
        state: mounted
      loop: "{{ luks_disks | zip(mount_points) | list }}"

    - name: Add entries to /etc/crypttab
      ansible.builtin.lineinfile:
        path: /etc/crypttab
        line: "luks_{{ item | regex_replace('/dev/', '') }} {{ item }} none luks"
        create: yes   # create is a lineinfile option, so it belongs under the module, not the task
      loop: "{{ luks_disks }}"

    - name: Add entries to /etc/fstab
      ansible.builtin.lineinfile:
        path: /etc/fstab
        line: "/dev/mapper/luks_{{ item.0 | regex_replace('/dev/', '') }} {{ item.1 }} ext4 defaults 0 0"
        create: yes
      loop: "{{ luks_disks | zip(mount_points) | list }}"
```
## Output

```text
Processing /dev/sdc...
Encrypting /dev/sdc...
WARNING!
========
This will overwrite data on /dev/sdc irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Opening /dev/sdc...
Device luks_disk_0 already exists.
Creating filesystem on /dev/mapper/luks_disk_0...
mke2fs 1.46.5 (30-Dec-2021)
/dev/mapper/luks_disk_0 is mounted; will not make a filesystem here!
Adding /dev/sdc to /etc/fstab...
Mounting /mnt/disk2...
mount: (hint) your fstab has been modified, but systemd still uses
the old version; use 'systemctl daemon-reload' to reload.
Processing /dev/sdd...
Encrypting /dev/sdd...
WARNING!
========
This will overwrite data on /dev/sdd irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Opening /dev/sdd...
Creating filesystem on /dev/mapper/luks_disk_1...
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 2617344 4k blocks and 655360 inodes
Filesystem UUID: d0bb5504-abf9-4e00-8670-59d8fa92b883
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
Adding /dev/sdd to /etc/fstab...
Mounting /mnt/disk3...
mount: (hint) your fstab has been modified, but systemd still uses
the old version; use 'systemctl daemon-reload' to reload.
All disks have been encrypted and mounted.
```
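An idempotent shell version of the same procedure, added here as an example (it is neither the playbook above nor the script that produced the output): every destructive step is guarded by a state check, so a rerun does not hit the "Device ... already exists" and "is mounted; will not make a filesystem here!" errors shown above, and the passphrase comes from a root-only key file (the `LUKS_KEYFILE` variable is an assumption) instead of being echoed on a command line.

```shell
#!/bin/sh
# Idempotent LUKS provisioning helper (added example, not the page's playbook or script).
# Assumes cryptsetup, blkid, mountpoint, mkfs.ext4 and systemctl on PATH, and the
# passphrase in a 0600 root-owned file named by LUKS_KEYFILE (assumed variable), so it
# never shows up on a command line, in `ps`, or in a log.
set -eu

# Same mapper-name rule as the playbook: /dev/sdb -> luks_sdb
mapper_name() { printf 'luks_%s' "${1#/dev/}"; }

# crypttab entry: <name> <device> <keyfile|none> <options>  (none = prompt at boot)
crypttab_line() { printf '%s %s none luks' "$(mapper_name "$1")" "$1"; }

# fstab entry for the mapped device
fstab_line() { printf '/dev/mapper/%s %s ext4 defaults 0 0' "$(mapper_name "$1")" "$2"; }

# Append a line only if it is not already present, so reruns never duplicate entries
ensure_line() {  # $1=file $2=line
  grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

provision_disk() {  # $1=/dev/sdX  $2=/mnt/point
  dev=$1; mnt=$2; name=$(mapper_name "$dev"); mapped=/dev/mapper/$name
  # luksFormat destroys data: run it only on a device that is not yet a LUKS container
  cryptsetup isLuks "$dev" 2>/dev/null || cryptsetup luksFormat -q --key-file "$LUKS_KEYFILE" "$dev"
  # open only if not already mapped (the output above shows "Device ... already exists")
  cryptsetup status "$name" >/dev/null 2>&1 || cryptsetup luksOpen --key-file "$LUKS_KEYFILE" "$dev" "$name"
  # mkfs only on a blank mapped device, never on one that already carries a filesystem
  [ -n "$(blkid -p -o value -s TYPE "$mapped" 2>/dev/null || true)" ] || mkfs.ext4 -q "$mapped"
  mkdir -p "$mnt"
  ensure_line /etc/crypttab "$(crypttab_line "$dev")"
  ensure_line /etc/fstab "$(fstab_line "$dev" "$mnt")"
  systemctl daemon-reload   # fstab changed; otherwise systemd keeps using the old version
  # mount only if the target is not already mounted (the "is mounted" failure above)
  mountpoint -q "$mnt" || mount "$mnt"
}

main() {
  # disk / mount-point pairs taken from the playbook's vars
  printf '%s\n' "/dev/sdb /mnt/disk1" "/dev/sdc /mnt/disk2" | while read -r dev mnt; do
    provision_disk "$dev" "$mnt"
  done
}

# Only act when a key file is supplied; sourcing the file without one is side-effect free
if [ -n "${LUKS_KEYFILE:-}" ]; then main "$@"; fi
```

Run it as root with `LUKS_KEYFILE=/root/luks.key sh provision.sh`; the crypttab entries still use `none`, so the passphrase is prompted at boot exactly as in the playbook.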