Hi Heiko,

On Sun, Nov 6, 2011 at 8:18 AM, Heiko Baums <lists@baums-on-web.de> wrote:
Yeah, I think I'll add a warning when a passphrase is used. Having looked through it, that should take care of most of my gripes.
> Having passphrases in an unencrypted text file on the hard disk like /etc/crypttab is certainly not the best method. But only offering key files is insufficient. The currently existing methods of storing and entering passphrases or key files must be kept.
Backwards compatibility will be kept. The suggestion was to add a warning if the passphrase is stored inline in /etc/crypttab rather than in a separate file.
> That implies entering passphrases with the keyboard, storing/reading key files on/from USB sticks and storing/reading keys raw on/from USB sticks with dd must still be possible for every LUKS container.
I agree.
> And what's currently missing in /etc/rc.sysinit is a fallback to asking for a passphrase if a key can't be read, e.g. because someone forgot to plug in the USB stick. This should be added, too, as it is done in the encrypt hook.
That would be very useful.
> I admit I forgot to implement it when I wrote the rc.sysinit patches for reading the keys from the USB stick. I only found this out recently, and would have written a patch for it in the coming days if you didn't want to completely rewrite this cryptsetup system.
I will probably keep most of the code (I really don't want to touch this stuff), but might have to reorganize a bit (e.g. separate out the swap stuff).
> Tell me if I should write this patch anyway.
The patches would definitely be appreciated, but it would probably make the most sense to wait for the restructuring to hit master so we avoid too many merge conflicts.

Cheers,

Tom
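The two behaviours discussed in the thread, a warning when a passphrase is stored in plain text in /etc/crypttab and a fallback to an interactive passphrase prompt when the configured key file or raw key device cannot be read, fit together in a small piece of shell. The following is an added example written for this page; it is not Arch's rc.sysinit, the encrypt hook, or any patch from the thread. The key-field syntax it accepts (`ASK`, a key-file path, or `/dev/sdX:OFFSET:SIZE` for a raw key read with dd) is this example's own assumption, chosen to mirror the methods Heiko lists, not Arch's exact crypttab format. The decision logic is kept in `choose_unlock_method`, separate from the `cryptsetup` call in `open_container`, so it can be exercised without a LUKS device.

```shell
#!/bin/bash
# Added example: unlock a LUKS container from a crypttab-style entry, warning
# about inline passphrases and falling back to a passphrase prompt when the
# configured key cannot be read (e.g. the USB stick is not plugged in).
# Illustrative code, not Arch's rc.sysinit or encrypt hook.
#
# Assumed (hypothetical) syntax of the third crypttab field:
#   ASK | none | -          prompt for a passphrase
#   /path/to/keyfile        read the key from a file (e.g. on a mounted USB stick)
#   /dev/sdX:OFFSET:SIZE    read SIZE raw bytes at byte OFFSET from a device with dd
#   anything else           a literal passphrase stored in crypttab (discouraged)

# Classify the key field: prints ask, file, rawdev or inline.
crypttab_key_kind() {
    case "$1" in
        ASK|none|-) echo ask ;;
        /*:*:*)     echo rawdev ;;
        /*)         echo file ;;
        *)          echo inline ;;
    esac
}

# Copy key material for a file or rawdev field into the file named by $2.
# Returns non-zero if the source is missing or unreadable so the caller can
# fall back to prompting instead of failing the boot.
load_key() {
    local field=$1 dest=$2 path offset size
    case "$(crypttab_key_kind "$field")" in
        file)
            [ -r "$field" ] || return 1
            cat -- "$field" > "$dest"
            ;;
        rawdev)
            path=${field%%:*}
            offset=${field#*:}; offset=${offset%%:*}
            size=${field##*:}
            [ -r "$path" ] || return 1
            dd if="$path" of="$dest" bs=1 skip="$offset" count="$size" 2>/dev/null
            ;;
        *)  return 1 ;;
    esac
}

# Decide how to unlock and stage the key in $2 when one is usable.
# Prints one of: passphrase, inline, keyfile, passphrase-fallback.
# Warnings go to stderr so they show up on the console during boot.
choose_unlock_method() {
    local field=$1 keytmp=$2
    case "$(crypttab_key_kind "$field")" in
        ask)    echo passphrase ;;
        inline)
            echo "warning: passphrase stored in plain text in /etc/crypttab; use a key file instead" >&2
            echo inline ;;
        *)
            if load_key "$field" "$keytmp"; then
                echo keyfile
            else
                echo "warning: key '$field' not readable, falling back to passphrase prompt" >&2
                echo passphrase-fallback
            fi ;;
    esac
}

# Open one container: open_container <name> <device> <keyfield>
# Usage example: open_container cryptroot /dev/sda2 /mnt/usb/root.key
open_container() {
    local name=$1 device=$2 field=$3 keytmp method rc
    keytmp=$(mktemp) || return 1
    chmod 600 "$keytmp"
    method=$(choose_unlock_method "$field" "$keytmp")
    case "$method" in
        keyfile) cryptsetup luksOpen --key-file "$keytmp" "$device" "$name" ;;
        inline)  printf '%s' "$field" | cryptsetup luksOpen --key-file=- "$device" "$name" ;;
        *)       cryptsetup luksOpen "$device" "$name" ;;   # interactive prompt
    esac
    rc=$?
    rm -f -- "$keytmp"   # never leave staged key material behind
    return $rc
}
```

The staged key lives in a mode-0600 temporary file only for the duration of the `cryptsetup` call; for a raw key on a block device this also keeps the `dd` offset/size handling in one place rather than inline in the unlock command.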