Mounting a TrueCrypt container using Systemd

I have a number of services which require a TrueCrypt container to be mounted before they can operate. For example, I have transmission-daemon (inside a Docker container) configured so that downloads are put under the TrueCrypt mount point. Using systemd I can declare this dependency and ensure that if I attempt to start transmission-daemon while the TrueCrypt container is not yet mounted, it is mounted automatically first. It sounds simple, but wanting to type the TrueCrypt passphrase every time the container is mounted (otherwise the passphrase or keyfile would have to be stored on the server, which would negate the point of TrueCrypt) introduces some complexity.

First, I needed to create the TrueCrypt Systemd unit file.


```ini
[Unit]
Description=TrueCrypt external HDD mount service

[Service]
Type=oneshot
RemainAfterExit=yes
# Dismount any stale volume first; the leading '-' makes a failure here non-fatal
ExecStartPre=-/usr/bin/truecrypt -d
ExecStart=/bin/sh -c '/usr/bin/truecrypt -t -t --protect-hidden=no -k "" --mount -p `systemd-ask-password "Please enter password for truecrypt volume"` /dev/sdb1 /media/tc1'
ExecStop=/usr/bin/truecrypt -d
```


The first thing I will point out is that the service is of type oneshot and has RemainAfterExit set to yes. This means that even though the truecrypt process exits once the mount has been performed, the service remains active, so we can stop the service, and thus dismount the TrueCrypt container, simply by running systemctl stop truecrypt-hdd.

Secondly, you may notice that the value after the -p option in ExecStart is produced by another command, systemd-ask-password, run in a backtick substitution. Using systemd-ask-password means that when the service is started we are prompted for the TrueCrypt passphrase instead of storing it in the unit file. Note that the shell expands the substitution and passes the passphrase to truecrypt as a command-line argument, so it is visible in the process list for the short time truecrypt is running.

Then, inside the unit file that I have for transmission-daemon, I declared the dependency on this truecrypt-hdd service.


Note: Only the [Unit] section is shown for brevity.

```ini
[Unit]
Description=Transmission BitTorrent Daemon Docker container
After=docker.service truecrypt-hdd.service
Requires=docker.service truecrypt-hdd.service
```

So after running systemctl daemon-reload we now have the transmissiond service dependent on the truecrypt-hdd service being active. If we run systemctl start transmissiond, we are asked for the TrueCrypt passphrase!
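The three properties this setup relies on (a oneshot unit that stays active, Requires= backed by After= so the mount really happens first, and a passphrase that comes from systemd-ask-password rather than the unit file) are easy to get wrong when editing units by hand. The following checker is an added example, not part of the original post or of systemd; it parses unit files with Python's configparser and reports any of the three mistakes, using constructed copies of the two units above plus a deliberately weak variant.

```python
import configparser
import re

def parse_unit(text):
    """Parse a systemd unit; keep key case and any '=' that appears inside values."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint_unit(name, text):
    """Return a list of findings for one unit file (an empty list means it passes)."""
    cp = parse_unit(text)
    unit = cp["Unit"] if cp.has_section("Unit") else {}
    svc = cp["Service"] if cp.has_section("Service") else {}
    findings = []
    # 1. A oneshot helper must stay 'active' after ExecStart returns, or 'systemctl stop' has nothing to stop.
    if svc.get("Type") == "oneshot" and svc.get("RemainAfterExit", "no").lower() not in ("yes", "true", "on", "1"):
        findings.append(f"{name}: Type=oneshot without RemainAfterExit=yes")
    # 2. Requires= only pulls a unit in; without After= both may start in parallel, before the mount exists.
    after = set(unit.get("After", "").split())
    for dep in unit.get("Requires", "").split():
        if dep not in after:
            findings.append(f"{name}: Requires={dep} but no matching After=")
    # 3. The passphrase must be asked for at start time, never written as a literal into the unit file.
    cmd = svc.get("ExecStart", "")
    if re.search(r"\s-p\s", cmd) and "systemd-ask-password" not in cmd:
        findings.append(f"{name}: ExecStart embeds a literal passphrase after -p")
    return findings

# Constructed samples: the post's truecrypt-hdd unit, the transmissiond [Unit]
# section, and a weak variant (placeholder passphrase) to show what the checks catch.
TRUECRYPT_HDD = """[Unit]
Description=TrueCrypt external HDD mount service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c '/usr/bin/truecrypt -t -t --protect-hidden=no -k "" --mount -p `systemd-ask-password "Please enter password for truecrypt volume"` /dev/sdb1 /media/tc1'
ExecStop=/usr/bin/truecrypt -d
"""
TRANSMISSIOND = """[Unit]
After=docker.service truecrypt-hdd.service
Requires=docker.service truecrypt-hdd.service
"""
WEAK = """[Unit]
Requires=docker.service

[Service]
Type=oneshot
ExecStart=/usr/bin/truecrypt -t --mount -p PASSPHRASE_PLACEHOLDER /dev/sdb1 /media/tc1
"""
```

Run it as `lint_unit("truecrypt-hdd", TRUECRYPT_HDD)` for each unit; the two units from the post return no findings, while the weak variant reports all three problems.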

The next step for me is to figure out how to start both of these services on boot and allow the TrueCrypt passphrase to be entered over an SSH connection. Hard, but it seems possible from a few Google searches.