[arch-projects] [initscripts][RFC] cryptsetup: deprecate old syntax and default to the systemd one
dgbaley27 at 0x01b.net
Sat Jul 28 17:12:01 EDT 2012
On 07/28/2012 12:58 PM, Heiko Baums wrote:
> Am Sat, 28 Jul 2012 19:44:01 +0200
> schrieb Christoph Vigano <mail at cvigano.de>:
>> According to crypttab(5):
>> "Specifies the key size in bits; see cryptsetup(8) for possible values
>> and the default value of this option."
>> As is customary in cryptography, key sizes are given in bits, like RSA
>> 4096 which means the key is 512 bytes long.
>> If your former size argument was given in bytes, convert that number
>> to bits and try again.
> Btw., I read over it, you mentioned man cryptsetup. I guess you're
> mixing up two different things. The cryptsetup parameter size is
> something completely different and has nothing to do with the key size
> and with this issue.
> We're talking here about the key size, that is how many bits or bytes
> have to be read raw from a USB stick. So we're talking here about the
> dd parameters skip and count.
This is really annoying, but the original Debian format for crypttab uses "size"
to correspond to --keyfile-size. It would be nice if systemd changed this so all
of the options correspond one-to-one. To make matters worse, the variable name
in the source code of sysd that stores this param is called "key_size," which is
an entirely different option to cryptsetup altogether!
For the legacy format of <dev>:<offset>:<length> the corresponding options are
--keyfile-offset and --keyfile-size, so in crypttab you want
In summary all of these options are:
Number of bytes to skip before reading from key-file
Number of bytes to read from key-file
--size, (not available in crypttab)
The number of 512-byte sectors of the mapped block device, defaults to all
available space from the underlying device, and does not apply to mapping
a LUKS volume.
--offset, (not available in crypttab)
Similar to --size, number of 512-byte sectors to skip from the underlying
block device before mapping. There is also --skip which is similar but has some
--key-size, (not available in crypttab)
Number of bits -- must be a multiple of 8 -- of the internal key used for the
Stream-of-consciousness... it looks like systemd-cryptsetup might use size= for
both --key-size and --keyfile-size. I'm currently trying to figure out what the
difference between crypt_activate_by_volume_key() and crypt_activate_by_keyfile()
is. IIRC the former might be for reading from stdin, which is handled
differently than reading a file or a password interactively.