[Pkg-cryptsetup-devel] Bug#465902: Bug#465902: cryptroot remote unlocking on boot feature

debian at x.ray.net debian at x.ray.net
Mon Feb 18 11:24:26 UTC 2008


hi!

jonas wrote:
> Ok, so the script will be executed by the initramfs script provided by
> dropbear? 

it has to be called manually after logging in (using it as the login
shell ofc could be done, but if a real shell is provided this imho
actually adds quite some more value - i.e. other problems occurring
during the boot process can be fixed from remote, too), but all in all
it is (intended to be) called from the shell provided by the dropbear in
the initramfs, yes.

i.e. machine (re)boots, init starts dropbear, init starts cryptsetup
which prompts for cryptroot password on console. boot process just sits
there forever because nobody is at the console. then a log in from
remote via dropbear, user calls cryptunlock on the shell which calls
cryptsetup, and if target was unlocked, the cryptsetup which is waiting
for input at the console is killed and the boot process continues.

> I think that cryptunlock is even more intuitive ;-) Would you accept
> this name as well?

sure, done.
patch is attached.

david wrote:
> the patch idea looks cool, but I'm wondering if it would perhaps be better implemented as a keyscript? See README.initramfs for some documentation on how the keyscripts work...ideally that would mean that no changes would be necessary to the main cryptsetup initramfs scripts...

i believe it's not a bad idea that the goal should be to implement a
method to be able to enter the passphrase via ssh, too - with emphasis
on the 'too', i.e. without disabling the prompt on the console. looking
at the current script, the cryptkeyscript part does not look like it's
better suited for this to me...
a different approach would be to get access to the console via ssh. but
thinking about a console running in a screen or something like that
convinced me that the 'do it in the background, then kill the dangling
console process' is - at least for now - the better approach.

	Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptsetup_2:1.0.6~pre1-1.x.diff
Type: text/x-patch
Size: 1820 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20080218/c63e8085/attachment.bin 
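
The flow described in the message above (log in through dropbear, run cryptunlock, kill the waiting console prompt only once the target is unlocked), as an added sketch that is not the attached patch or the package's own code. The names cryptunlock_sketch, console_prompt_pids, CRYPTSETUP and MAPPER_DIR are hypothetical, and it assumes any cryptsetup process still running after the unlock is the one waiting on the console.

```shell
#!/bin/sh
# Added illustration of the remote-unlock flow; not the attached patch.
# Hypothetical names: cryptunlock_sketch, console_prompt_pids,
# CRYPTSETUP, MAPPER_DIR.

CRYPTSETUP=${CRYPTSETUP:-cryptsetup}
MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}

# PIDs of cryptsetup processes still waiting at the console prompt.
# Assumption: once our own cryptsetup call has returned, any cryptsetup
# left running is the one the initramfs started on the console.
console_prompt_pids() {
    pidof cryptsetup
}

# usage: cryptunlock_sketch <luks-device> <mapping-name>
cryptunlock_sketch() {
    dev=$1
    name=$2
    if [ -z "$dev" ] || [ -z "$name" ]; then
        echo "usage: cryptunlock_sketch <luks-device> <mapping-name>" >&2
        return 2
    fi

    # cryptsetup prompts on the ssh session's tty, so the passphrase never
    # appears in argv or in the environment.
    if ! "$CRYPTSETUP" luksOpen "$dev" "$name"; then
        echo "unlock failed; console prompt left running" >&2
        return 1
    fi

    # Only touch the console process once the mapping really exists.
    if [ ! -e "$MAPPER_DIR/$name" ]; then
        echo "$MAPPER_DIR/$name missing after luksOpen" >&2
        return 1
    fi

    # The console prompt is now redundant; killing it lets boot continue.
    for pid in $(console_prompt_pids); do
        kill "$pid" 2>/dev/null || true
    done
    return 0
}
```

A failed passphrase attempt returns before the kill step, so the console prompt stays available as the message intends.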

