On Wed, 11 Jul 2012 11:13:27 +0200, Tom Gundersen <teg@jklm.no> wrote:
Damn, I pasted the wrong link. Sorry about that. It should have been: <http://0pointer.de/public/systemd-man/crypttab.html>.
So, to decrypt /dev/sda1 using a 1024 bits key stored at an offset of 1MB on the key usb drive /dev/sdd, you would do
secret /dev/sda1 /dev/sdd size=1024,keyfile-offset=1024
The missing keyfile-offset entry from the link is:
"keyfile-offset= Specifies the number of bytes to skip at the start of the keyfile; see cryptsetup(8) for possible values and the default value of this option."
Now that the new initscripts are in [core], this new syntax doesn't work. I transferred the same values from my old crypttab syntax into the new one and all I get is this message:

    Unlocking home
    Failed to activate: Invalid argument
    Unlocking of home failed.

The same for any other LUKS container except for / of course. After that it tries to mount the filesystems in these containers and falls into the maintenance prompt, because it obviously can't find those filesystems. Well, a fallback to a prompt for entering a password manually is missing in initscripts, too, but initscripts booted at least into the / partition, so that the other containers could be opened and the filesystems could be mounted manually.

The old syntax works without any problems. Instead of /dev/sdd in your example I took /dev/usbkey, which is a symlink set by a udev rule written by me. There's no partition on the USB stick and the USB stick is fully written with random characters. So the key must be read by dd with exactly those values, as it is done by the initscripts.

Removing the red warning that the old syntax is used would probably be good, and feedback after the containers are successfully opened would also be nice, like it was before.

Btw., how does systemd-cryptsetup handle the keyfile? Where is it written, and is it being overwritten after it is used to unlock the container, as it is done by initscripts?

Heiko
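An added example, not code from this thread nor from systemd or initscripts: a POSIX sh script that turns a crypttab entry of the kind discussed above into the equivalent dd read, so the bytes systemd-cryptsetup selects with keyfile-offset= can be compared byte for byte with what a dd-based initscripts read produced. It assumes crypttab(5) semantics (keyfile-offset= and keyfile-size= in bytes, size= as the cipher key size in bits); the /dev/usbkey path is taken from the mail and the key image the script builds is constructed.

```shell
#!/bin/sh
# Added example; not code from this thread or from systemd/initscripts.
# Maps a crypttab(5) entry whose key lives on a raw device, selected with
# keyfile-offset= and keyfile-size= (both bytes), to the dd(1) read
# "bs=1 skip=<offset> count=<size>" that yields the same bytes. size= is the
# cipher key size in bits per crypttab(5); it does not bound the read, so it
# is ignored here.

# crypttab_to_dd '<name> <device> <keyfile> <options>'
# prints the dd command, or fails when no bounded keyfile read is described.
crypttab_to_dd() {
    set -- $1                         # split fields: name device keyfile options
    name=$1 keyfile=$3 opts=$4
    case $keyfile in
        ''|none|-) echo "$name: no keyfile (passphrase prompt)" >&2; return 1 ;;
    esac
    offset=0 size=''
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in
            keyfile-offset=*) offset=${opt#keyfile-offset=} ;;
            keyfile-size=*)   size=${opt#keyfile-size=} ;;
        esac
    done
    IFS=$old_ifs
    # Without keyfile-size= the read runs to the end of the device; on a stick
    # filled end to end with random data that is not the key that was intended.
    [ -n "$size" ] || { echo "$name: keyfile-size= missing, read is unbounded" >&2; return 1; }
    echo "dd if=$keyfile bs=1 skip=$offset count=$size"
}

# keyfile_hex '<crypttab line>': run that dd read and print the key bytes as hex.
keyfile_hex() {
    cmd=$(crypttab_to_dd "$1") || return 1
    eval "$cmd" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Constructed stand-in for the key stick: 1024 bytes of filler, a 16-byte marker
# standing in for the key, then more filler (a real stick would be all random).
demo_image=$(mktemp)
trap 'rm -f "$demo_image"' EXIT
{
    dd if=/dev/zero bs=1024 count=1 2>/dev/null | tr '\0' x
    printf 'SECRETKEY0123456'
    dd if=/dev/zero bs=1024 count=1 2>/dev/null | tr '\0' x
} > "$demo_image"

crypttab_to_dd "home /dev/sda2 /dev/usbkey keyfile-offset=1048576,keyfile-size=128"
keyfile_hex "home /dev/sda2 $demo_image keyfile-offset=1024,keyfile-size=16"
```

Running the printed dd command against the real key device and hashing its output on both the old and the new setup shows whether the two configurations actually select the same key bytes.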