[arch-projects] [initscripts][RFC] cryptsetup: deprecate old syntax and default to the systemd one

Tom Gundersen teg at jklm.no
Sat Jul 28 07:02:38 EDT 2012


On Jul 28, 2012 7:18 AM, "Heiko Baums" <lists at baums-on-web.de> wrote:
>
> On Wed, 11 Jul 2012 11:13:27 +0200,
> Tom Gundersen <teg at jklm.no> wrote:
>
> > Damn, I pasted the wrong link. Sorry about that. It should have been:
> > <http://0pointer.de/public/systemd-man/crypttab.html>.
> >
> > So, to decrypt /dev/sda1 using a 1024 bits key stored at an offset of
> > 1MB on the key usb drive /dev/sdd, you would do
> >
> > secret       /dev/sda1      /dev/sdd      size=1024,keyfile-offset=1024
> >
> > The missing keyfile-offset entry from the link is:
> >
> > "keyfile-offset=
> >            Specifies the number of bytes to skip at the start of the
> > keyfile; see cryptsetup(8) for possible values and the default value
> > of this option."
>
> Now that the new initscripts are in [core], this new syntax doesn't
> work.
>
> I transferred the same values from my old crypttab syntax into the new
> one and all I get is this message:
>
> Unlocking home
> Failed to activate: Invalid argument
> Unlocking of home failed.
>
> The same for any other LUKS container except for / of course.

Could you please include the old and the new syntax you use so I can
understand the problem?

> After that it tries to mount the filesystems in these containers and
> falls into the maintenance prompt, because it obviously can't find
> those filesystems. Well, a fallback to a prompt for entering a password
> manually is missing in initscripts, too, but initscripts booted at
> least into the / partition, so that the other containers could be
> opened and the filesystems could be mounted manually.
>
> The old syntax works without any problems. Instead of /dev/sdd in your
> example I took /dev/usbkey which is a symlink set by a udev rule written
> by me.
>
> There's no partition on the USB stick and the USB stick is fully
> written with random characters. So the key must be read by dd with
> exactly those values as it is done by the initscripts.
>
> Removing the red warning, that the old syntax is used, would probably
> be good, and a feedback after the containers are successfully opened
> would also be nice like it was before.
>
> Btw., how does systemd-cryptsetup handle the keyfile? Where is it
> written and is it being overwritten after it is used to unlock the
> container as it is done by initscripts?

The key file is never written anywhere.

Tom
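
Added example, not part of the original message and not code from initscripts or systemd: the thread describes a key held in a byte range of a raw, partitionless stick that has to be read with exact offset and size values. The sketch below does that with dd against a constructed image file; `read_key`, `bits_to_bytes` and the sample offsets are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. A regular file stands in for the raw key stick (constructed data).

# bits_to_bytes BITS: print the byte count; fail if BITS is not a multiple of 8.
bits_to_bytes() {
    [ $(( $1 % 8 )) -eq 0 ] || return 1
    echo $(( $1 / 8 ))
}

# read_key DEVICE OFFSET_BYTES SIZE_BYTES (hypothetical helper)
# Write exactly SIZE_BYTES from DEVICE, starting at OFFSET_BYTES, to stdout.
# A range that runs past the end of the device is an error, not a short key.
read_key() {
    got=$(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | wc -c | tr -d ' ')
    if [ "$got" -ne "$3" ]; then
        echo "read_key: wanted $3 bytes at offset $2, got $got" >&2
        return 1
    fi
    # Stream to stdout so a consumer can read the key from a pipe, not a file.
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

demo() {
    img=$(mktemp) || return 1
    # 2 MiB of zeros with a 128-byte marker "key" (all 'K') at byte offset 1 MiB.
    dd if=/dev/zero of="$img" bs=1024 count=2048 2>/dev/null
    head -c 128 /dev/zero | tr '\0' 'K' |
        dd of="$img" bs=1 seek=1048576 conv=notrunc 2>/dev/null

    len=$(bits_to_bytes 1024)            # a 1024-bit key is 128 bytes
    n=$(read_key "$img" 1048576 "$len" | tr -cd 'K' | wc -c | tr -d ' ')
    echo "key bytes read from the exact range: $n"

    # Off by one byte and the window no longer lines up with the key.
    n=$(read_key "$img" 1048577 "$len" | tr -cd 'K' | wc -c | tr -d ' ')
    echo "key bytes with the offset shifted by 1: $n"

    # A range past the end of the device fails instead of yielding a short key.
    read_key "$img" 2097100 "$len" >/dev/null || echo "short range rejected"
    rm -f "$img"
}

demo
```

Because dd is run with bs=1, both skip and count are byte counts, so a key size given in bits has to be converted before it is used as a count.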