From: Matthew Monaco <matthew.monaco@0x01b.net>

I worked with Dave and Tom this past weekend to clean up and enhance encrypted volume handling. There are quite a few "patches" here, and more to come against initscripts. All of this fixes a handful of bugs, adds new features, and does some refactoring.

In summary, I wrote a new package called 'cryptmount.' The intention is for it to depend on cryptsetup and to provide the encrypt hooks for mkinitcpio. Additionally, initscripts will depend on cryptmount (optdepends will work too). The cryptmount code is here [1] and the initscripts changes are here [2].

There are a few goals:

1) Use the same code for the mkinitcpio encrypt hook and initscripts.

2) Allow for interoperability with systemd's crypttab format. This is accomplished without any forced changes on the user (with the exception of plaintext passwords in crypttab).

3) Allow the random seed to be restored before doing things like setting up a swap volume which uses /dev/urandom as a password.

4) If possible, allow for encrypted /usr from the initrd. This depends on Dave's working branch of mkinitcpio which provides late hooks (and cleanup hooks).

*5*) Do not drop support for current configurations. This is important. The only thing that is dropped is storing a plain text password in crypttab. Whether your options line in crypttab is literally for cryptsetup (--size=100 --cipher=...) or a comma separated list (size=100,cipher=...), your configuration will be supported. That said, if you see any holes in this statement, please let me know and I will address it.

This addresses the following bugs; there may be more, and you may question that it does for some of these:

FS#17131 - Restore random seed before using decryption

FS#24700 - Allow UUID for cryptdevice
  In addition we support UUID,PARTUUID,LABEL for both the encrypted device AND the passphrase if it is on an external device.

FS#27137 - I think a dup of the above.

FS#23182 - Multiple device support for the initrd
  The encrypt hook included supports root, /usr, and an arbitrary number of encrypted mappings.

FS#15738 - More or less similar to above

FS#21936 - Don't immediately revert to interactive pw if key device is not available.
  All devices are resolved and waited on IFF udevd is running. This goes for the initrd and rc.sysinit.

FS#21198 - Mount key devices if needed.
  This is done whenever the key is a file on another device and that device is not already mounted.

FS#21513 - Provide a man page for crypttab.
  I wrote one, and one for cryptmount.

I have been testing this for the past week, but I'm sure there are some bugs. Please report any problems you see (or experience if you are able to test). Also, if you see an opportunity for improvements in efficiency, cleanup, or additional functionality, let me know.

[1] https://github.com/mmonaco/cryptmount/tree/master
[2] https://github.com/mmonaco/initscripts/tree/crypto

--
1.7.10.2
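As an added example that is not part of this message or of cryptmount's own code: a POSIX sh sketch of the option handling point 5 describes, accepting both crypttab option styles (literal cryptsetup flags and a comma-separated list) and refusing the one dropped feature, a plaintext password in the key field. The key-field heuristic (path, UUID=/PARTUUID=/LABEL= spec, "none" or "-" accepted; anything else rejected) and the function names are assumptions of this example, not cryptmount's rules.

```shell
#!/bin/sh
# Added example (not cryptmount's own code). Normalizes the crypttab
# "options" field into cryptsetup flags, accepting both forms point 5
# says remain supported, and parses a full crypttab line while refusing
# the one dropped feature: a plaintext password in the key field.

# Print one --flag[=value] per line for an options field.
#   "--size=100 --cipher=aes-xts-plain64"  -> passed through as-is
#   "size=100,cipher=aes-xts-plain64"      -> each item prefixed with --
# Runs in a subshell so the IFS change does not leak to the caller.
crypttab_opts_to_args() (
    opts=$1
    case $opts in
        '') ;;
        --*)
            for tok in $opts; do printf '%s\n' "$tok"; done ;;
        *)
            IFS=,
            for tok in $opts; do
                [ -n "$tok" ] || continue
                printf '%s\n' "--$tok"
            done ;;
    esac
)

# Parse "name device key [options]" and print "name device key" on the
# first line, followed by the normalized cryptsetup flags, one per line.
# Key-field heuristic (an assumption of this example, not cryptmount's
# rule): a path, a UUID=/PARTUUID=/LABEL= spec, "none" or "-" is fine;
# anything else is treated as a plaintext password and rejected (status 1).
crypttab_line_to_args() {
    case $1 in '#'*) return 2 ;; esac   # skip comment lines
    set -- $1                           # split on whitespace
    [ $# -ge 3 ] || return 2            # name, device and key are required
    name=$1 dev=$2 key=$3
    shift 3
    opts=$*                             # rejoin a whitespace-separated options field
    case $key in
        /*|UUID=*|PARTUUID=*|LABEL=*|none|-) ;;
        *)
            printf 'crypttab: refusing plaintext password for %s\n' "$name" >&2
            return 1 ;;
    esac
    printf '%s %s %s\n' "$name" "$dev" "$key"
    crypttab_opts_to_args "$opts"
}
```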