[pkg-cryptsetup-devel] Bug#601314: Bug#601314: please allow adding extra devices to conf.d/cryptsetup in your hook script

Jonas Meurer jonas at freesources.org
Sun Feb 27 15:12:07 UTC 2011


Hey Marc,

On 24/02/2011 Marc Haber wrote:
> On Thu, Feb 24, 2011 at 12:13:22PM +0100, Jonas Meurer wrote:
> > On 25/10/2010 Marc Haber wrote:
> > > I have a system where the keyscript used to unlock the root fs needs
> > > another crypto file system to be unlocked previously. To do that, I
> > > would like to have that file system added to conf.d/cryptsetup, and to
> > > do that, I'd have to go though pretty much the same motions that
> > > /usr/share/initramfs-tools/hooks/cryptroot already does.
> > > 
> > > Please consider adding a method to have your hook script handle
> > > additional devices other than the root and the resume devices. It
> > > would be necessary to set some marker to tell the hook script to
> > > handle that device as well. Searching /etc/fstab would probably not be
> > > appropriate since my device will be unmounted and locked again after the
> > > root is mounted.
> > > 
> > > Having the device in crypttab, specially marked, would probably be ok.
> > > 
> > > Please indicate how you would like to tell the hook script about
> > > additional devices to handle, and I'll provide a patch.
> > 
> > What kind of device are you talking about? Another dm-crypt encrypted
> > device which contains the key?
> 
> Nearly. It's another dm-crypt encrypted device which contains part of
> the key, which needs to be unlocked before the keyscript that is used
> to unlock the root fs can build the key for the root fs.
> 
> > If this is just about additional dm-crypt devices, which should be
> > unlocked in initramfs along with the root and suspend devices,
> 
> This additional dm-crypt device needs to be successfully unlocked
> before the unlock process for the root and suspend devices can start.
> Order is important because until the additional device is open,
> there isn't a complete key to unlock root.

To be honest, this sounds like a rather special setup to me. I'm not sure
whether supporting more random custom setups justifies more and more
crypttab options.

Your setup sounds like a keyscript would be the perfect solution for
you. Why not simply write a keyscript which does all preliminary steps
and outputs the key? You could even patch the passdev keyscript (it is
designed to fetch a key from some external device) to support encrypted
devices. I'm happy to add new and/or patched keyscripts to the Debian
package, given that they're generally useful.

greetings,
 jonas
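As an added illustration of the keyscript approach suggested above (example code written for this page, not part of the cryptsetup package, the passdev keyscript, or either poster's setup): a crypttab keyscript that opens the helper dm-crypt device, copies the key part off it, locks it again, and only then assembles and prints the root key. The crypttab line, the "DEVICE:FILE" key-field convention, the /lib/cryptsetup/askpass prompt, the temporary mapper name and mount point, and the key derivation (SHA-256 over key part plus passphrase) are all assumptions made for the example.

```shell
#!/bin/sh
# cryptkeydev: hypothetical keyscript for a root key that is partly stored on
# another LUKS device. Assumed crypttab line (paths and names are made up):
#   cryptroot /dev/sda5 /dev/sdb2:keypart luks,keyscript=/usr/local/sbin/cryptkeydev
# cryptsetup in the initramfs passes the crypttab key field as $1 and reads
# the key from this script's stdout, so everything else must go to stderr.
set -eu

ASKPASS=/lib/cryptsetup/askpass   # Debian's passphrase prompt (assumed path)
HELPER_NAME=keydev_tmp            # temporary mapping name for the helper device
MNT=/keydev                       # temporary mount point inside the initramfs

# Root key = SHA-256(keypart || passphrase) as 64 hex characters. Kept as a pure
# function so it can be exercised offline; the root device must have been
# luksFormat'ed/luksAddKey'd with exactly this output as its passphrase.
build_key() {
    keypart_file="$1"
    passphrase="$2"
    { cat "$keypart_file"; printf '%s' "$passphrase"; } \
        | sha256sum | cut -d' ' -f1 | tr -d '\n'
}

# Validate the crypttab key field: must be DEVICE:FILE with both parts present.
keyfield_ok() {
    case "$1" in
        ?*:?*) return 0 ;;
        *) echo "cryptkeydev: key field must be DEVICE:FILE, got '$1'" >&2
           return 1 ;;
    esac
}

# Order matters: the helper device must be open before the root key can exist.
# Open it, copy the key part to a file, then unmount and close it. The trap
# also runs on failure, so no plaintext mapping of the helper survives boot.
fetch_keypart() {
    dev="$1"; file="$2"; out="$3"
    trap 'umount "$MNT" 2>/dev/null; cryptsetup luksClose "$HELPER_NAME" 2>/dev/null; rm -f "$out"' EXIT
    "$ASKPASS" "Passphrase for key device $dev: " \
        | cryptsetup luksOpen --key-file=- "$dev" "$HELPER_NAME"
    mkdir -p "$MNT"
    mount -o ro "/dev/mapper/$HELPER_NAME" "$MNT"
    cp "$MNT/$file" "$out"
    umount "$MNT"
    cryptsetup luksClose "$HELPER_NAME"
    trap - EXIT
}

main() {
    keyfield_ok "$1"
    dev="${1%%:*}"
    file="${1#*:}"
    part=$(mktemp /keypart.XXXXXX)   # initramfs rootfs is writable (assumption)
    fetch_keypart "$dev" "$file" "$part"
    pass=$("$ASKPASS" "Passphrase for root: ")
    build_key "$part" "$pass"        # the only thing written to stdout
    rm -f "$part"
}

# Run the unlock flow only when cryptsetup invokes us with a key field; sourcing
# the file to test build_key/keyfield_ok does nothing.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Two practical checks before relying on something like this: the cryptroot hook copies the keyscript itself into the initramfs, but the helper device is opened by the script at boot, so the crypttab gains no new option and the udev rules for /dev/sdb2 must already be present in the initramfs; and a keyscript that emits anything but the key on stdout (a stray echo, a prompt) silently corrupts the root passphrase, which is why every message above goes to stderr.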