[arch-projects] [initscripts][RFC] cryptsetup: deprecate old syntax and default to the systemd one

Heiko Baums lists at baums-on-web.de
Sat Jul 28 01:18:27 EDT 2012


On Wed, 11 Jul 2012 11:13:27 +0200,
Tom Gundersen <teg at jklm.no> wrote:

> Damn, I pasted the wrong link. Sorry about that. It should have been:
> <http://0pointer.de/public/systemd-man/crypttab.html>.
> 
> So, to decrypt /dev/sda1 using a 1024 bits key stored at an offset of
> 1MB on the key usb drive /dev/sdd, you would do
> 
> secret       /dev/sda1      /dev/sdd      size=1024,keyfile-offset=1024
> 
> The missing keyfile-offset entry from the link is:
> 
> "keyfile-offset=
>            Specifies the number of bytes to skip at the start of the
> keyfile; see cryptsetup(8) for possible values and the default value
> of this option."

Now that the new initscripts are in [core], this new syntax doesn't
work.

I transferred the same values from my old crypttab syntax into the new
one and all I get is this message:

Unlocking home
Failed to activate: Invalid argument
Unlocking of home failed.

The same for any other LUKS container except for / of course.

After that it tries to mount the filesystems in these containers and
falls into the maintenance prompt, because it obviously can't find
those filesystems. Well, a fallback to a prompt for entering a password
manually is missing in initscripts, too, but initscripts booted at
least into the / partition, so that the other containers could be
opened and the filesystems could be mounted manually.

The old syntax works without any problems. Instead of /dev/sdd in your
example I took /dev/usbkey which is a symlink set by a udev rule written
by me.

There's no partition on the USB stick and the USB stick is fully
written with random characters. So the key must be read by dd with
exactly those values as it is done by the initscripts.

Removing the red warning, that the old syntax is used, would probably
be good, and a feedback after the containers are successfully opened
would also be nice like it was before.

Btw., how does systemd-cryptsetup handle the keyfile? Where is it
written and is it being overwritten after it is used to unlock the
container as it is done by initscripts?

Heiko
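
Added example, not part of the original message and not initscripts or systemd code: a small Python check that parses the crypttab line quoted above and shows which bytes of the raw key device its options select, so the numbers can be compared with the dd values used under the old syntax. It assumes the key length is size/8 bytes, following the "1024 bits key" description in the quoted reply; the function names and the in-memory device image are constructed for illustration.

```python
import io

def parse_crypttab_line(line):
    """Split one crypttab line into (name, device, keyfile, options dict)."""
    fields = line.split()
    if len(fields) < 2 or fields[0].startswith("#"):
        raise ValueError("not a crypttab entry: %r" % line)
    keyfile = fields[2] if len(fields) > 2 else "none"
    options = {}
    if len(fields) > 3:
        for item in fields[3].split(","):
            key, _, value = item.partition("=")
            options[key] = value
    return fields[0], fields[1], keyfile, options

def key_window(options):
    """Return (offset_bytes, length_bytes) selected by the options.

    keyfile-offset is a byte count, per the man page text quoted in the thread.
    Assumption: the key length is size/8 bytes ("1024 bits key" in the thread).
    """
    size_bits = int(options["size"])
    if size_bits <= 0 or size_bits % 8:
        raise ValueError("size must be a positive multiple of 8 bits")
    offset = int(options.get("keyfile-offset", "0"))
    if offset < 0:
        raise ValueError("keyfile-offset must not be negative")
    return offset, size_bits // 8

def read_key(stream, options):
    """Read the key window from a seekable stream; refuse a short read."""
    offset, length = key_window(options)
    stream.seek(offset)
    key = stream.read(length)
    if len(key) != length:
        raise ValueError("key device too small for offset %d" % offset)
    return key

# Constructed sample: a 2 MiB "USB stick" with distinct markers at 1024 bytes
# and at 1 MiB, so the test can tell which region a given offset selects.
IMAGE = bytearray(2 * 1024 * 1024)
IMAGE[1024:1024 + 128] = b"A" * 128
IMAGE[1048576:1048576 + 128] = b"B" * 128
THREAD_LINE = "secret /dev/sda1 /dev/sdd size=1024,keyfile-offset=1024"

if __name__ == "__main__":
    opts = parse_crypttab_line(THREAD_LINE)[3]
    print(key_window(opts), read_key(io.BytesIO(bytes(IMAGE)), opts)[:4])
```

The same window corresponds to `dd bs=1 skip=<offset> count=<length>` on the key device, which is the comparison to make when moving values from the old syntax to the new one.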

