How To Set Filesystem Passphrase from a Secrets Management Tool

Overview

The filesystem passphrase is required to mount your filesystem. You can either supply the passphrase interactively on the command line or specify it in the OBJECTIVEFS_PASSPHRASE file in your config directory (e.g. /etc/objectivefs.env/OBJECTIVEFS_PASSPHRASE).

ObjectiveFS also supports using an external tool, such as Vault, Keywhiz, Keybase, Confidant or AWS Parameter Store, to retrieve your filesystem passphrase. This document describes how to set your filesystem passphrase with these secrets management tools.

What you need

  1. The config directory (default /etc/objectivefs.env) has been set up (see config).
  2. The config directory is owned by the user executing the mount command (e.g. root).
  3. The config directory is not writable by group or others.
  4. The OBJECTIVEFS_PASSPHRASE file in the config directory is not readable or writable by group or others.

Steps

  1. Create a file called /etc/objectivefs.env/OBJECTIVEFS_PASSPHRASE with the content:
    #!<full path to your program>
    When you run the mount command, ObjectiveFS will supply the filesystem name to the program (e.g. s3://filesystem_name) and expects to receive the filesystem passphrase on stdout. Leading and trailing whitespace will be removed. Example:
    #!/usr/sbin/fetch_from_aws_ssm
  2. Verify that the program referenced in step 1 is:
    a. owned by the user executing the mount command (e.g. root), and
    b. not readable or writable by group or others.

Tips

  1. The secrets management program can use the first argument (provided by ObjectiveFS) to look up the correct passphrase for the filesystem. This allows you to use the same program for multiple filesystems.
  2. If you get a permission error while mounting your filesystem, you can use the -v option for more details.
    $ sudo mount.objectivefs -v myfs /ofs
    WARN: bad permissions on '/etc/objectivefs.env/OBJECTIVEFS_PASSPHRASE'; other can read
    mount.objectivefs: passphrase file has bad permissions, can not execute passphrase program
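
A possible body for the /usr/sbin/fetch_from_aws_ssm program named in step 1, using the first argument as described in tip 1. This is an added example, not ObjectiveFS code: the /objectivefs/<name>/passphrase parameter naming scheme and the character allow-list are assumptions, and it expects the AWS CLI with credentials permitted to read the parameter.

```shell
#!/bin/sh
# Added example: passphrase program backed by AWS Parameter Store.
# Assumption: each passphrase is stored as a SecureString parameter named
#   /objectivefs/<filesystem_name>/passphrase   (hypothetical naming scheme)
# Install it owned by the mounting user and not readable or writable by
# group or others (step 2), e.g. mode 0700.

# Map the argument supplied by ObjectiveFS (e.g. s3://filesystem_name) to a
# parameter name. Names outside a conservative character set are rejected so
# the argument cannot select an unrelated parameter path.
ssm_param_name() {
    fs=${1#*://}      # drop the object-store scheme, if present
    fs=${fs%/}        # tolerate one trailing slash
    case $fs in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '/objectivefs/%s/passphrase\n' "$fs"
}

# Print only the passphrase on stdout; diagnostics go to stderr so they can
# never be mistaken for passphrase material.
fetch_passphrase() {
    name=$(ssm_param_name "${1:-}") || {
        echo "fetch_from_aws_ssm: unexpected filesystem name" >&2
        return 2
    }
    aws ssm get-parameter --name "$name" --with-decryption \
        --query Parameter.Value --output text
}

# ObjectiveFS passes the filesystem name as the first argument. With no
# argument the script only defines its functions.
if [ "$#" -gt 0 ]; then
    fetch_passphrase "$1"
fi
```

Because the lookup is keyed on the filesystem name, one copy of the program can serve every filesystem mounted on the host.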

last updated by ObjectiveFS staff, June 3, 2021
ObjectiveFS is a shared file system for OS X and Linux that automatically scales and gives you scalable cloud storage. If you have questions or article idea suggestions, please email us at support@objectivefs.com