[arch-projects] [initscripts][RFC] cryptsetup: deprecate old syntax and default to the systemd one

Matthew Monaco dgbaley27 at 0x01b.net
Sat Jul 28 17:12:01 EDT 2012


On 07/28/2012 12:58 PM, Heiko Baums wrote:
> Am Sat, 28 Jul 2012 19:44:01 +0200
> schrieb Christoph Vigano <mail at cvigano.de>:
> 
>> According to crypttab(5):
>> "size=
>> Specifies the key size in bits; see cryptsetup(8) for possible values
>> and the default value of this option."
>>
>> As it is custom in cryptography, key sizes are given in bits, like RSA
>> 4096 which means the key is 512 bytes long.
>>
>> If your former size argument was given in bytes, convert that number
>> to bits and try again.
> 
> Btw., I read over it, you mentioned man cryptsetup. I guess you're
> mixing up two different things. The cryptsetup parameter size is
> something completely different and has nothing to do with the key size
> and with this issue.
> 
> We're talking here about the key size, that is how many bits or bytes
> have to be read raw from a USB stick. So we're talking here about the
> dd parameters skip and count.
> 
> Heiko
> 

This is really annoying, but the original Debian format for crypttab uses "size"
to correspond to --keyfile-size. It would be nice if systemd changed this so all
of the options correspond one-to-one. To make matters worse, the variable name
in the source code of sysd that stores this param is called "key_size," which is
an entirely different option to cryptsetup altogether!

For the legacy format of <dev>:<offset>:<length> the corresponding options are
--keyfile-offset and --keyfile-size, so in crypttab you want
keyfile-offset=<bytes>,size=<bytes>.

In summary all of these options are:

 --keyfile-offset, keyfile-offset=
 Number of bytes to skip before reading from key-file

 --keyfile-size, size=
 Number of bytes to read from key-file

 --size, (not available in crypttab)
 The number of 512-byte sectors of the mapped block device, defaults to all
 available space from the underlying device, and does not apply to mapping
 a LUKS volume.

 --offset, (not available in crypttab)
 Similar to --size, number of 512-byte sectors to skip from the underlying
 block device before mapping. There is also --skip which is similar but has some
 subtle differences.

 --key-size, (not available in crypttab)
 Number of bits -- must be a multiple of 8 -- of the internal key used for the
 cipher


Stream-of-consciousness... it looks like systemd-cryptsetup might use size= for
both --key-size and --keyfile-size. I'm currently trying to figure out what the
difference between crypt_activate_by_volume_key() and crypt_activate_by_keyfile()
is. IIRC the former might be for reading from stdin, which is handled
differently than reading a file or a password interactively.
