[arch-projects] crypttab key syntax
dgbaley27 at 0x01b.net
Thu Mar 22 18:22:56 EDT 2012
Since we're going for systemd compatibility, we're going to need to change the
key syntax. It seems like there are two supported syntaxes which are handled a
little bit differently by the encrypt hook and initscripts.
I want to support this by adding a keydev= option. What remains is what to
do when a key is not available and there is no keydev=. For a first go I
think such a setup doesn't need to be supported, but eventually deriving a
default will be good.
The primary target here is to support having a keyfile for an encrypted /usr
stored on root. This is a little tricky in the initcpio because it would be
pretty undesirable from my perspective to tell the user such keys need to be
One way to do this would be keydev=/dev/mapper/root, but this might mean
mounting root to some temporary location, unmounting it, and then having
initcpio pick up as normal after the hooks. Among other things, this would
mount root before fsck.
I want to drop support for this. The length field is supported by
cryptsetup's --keyfile-size option.
I don't see <offset> being widely used as it's not even documented. Coupled
with systemd not supporting anything like this, I'd like to cowardly refuse
to implement it.
I looked into adding a --keyfile-offset option to cryptsetup directly. It
doesn't look too bad but does require an API change to libcryptsetup. We'll
not worry about this now.
So this means no more generating keyfiles with dd and piping them into
cryptsetup; they can all just be passed via the --key-file=<real_filename>
3) -, none, and ASK will all mean interactive.
4) SWAP will be held onto for compatibility and will imply /dev/urandom. (This
is probably pointless though because the options field won't be compatible
and crypttab will need editing anyway)
5) *. We're dropping plaintext password support. Anything other than
/*,-,none,ASK,SWAP will either be an error, or fall back to interactive.
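The key-field rules sketched in this message (the keydev= option from the first half, and the -/none/ASK, SWAP and plaintext-password rules from the numbered list) as an added example. This is not code from the post, from the Arch encrypt hook or from initscripts; it is a small POSIX sh classifier over crypttab entries that a hook author could use to reject the cases the proposal drops and to build the key arguments for cryptsetup. The option name keyfile-size= is assumed here as the crypttab spelling that maps onto cryptsetup's --keyfile-size; keydev= comes from the post. The sample entries at the bottom are constructed, and nothing here calls cryptsetup or mounts anything.

```shell
#!/bin/sh
# Added example (not the original post's code nor the Arch encrypt hook).
# Models the proposed crypttab key rules:
#   -, none, ASK      -> interactive (cryptsetup prompts)
#   SWAP              -> random key from /dev/urandom
#   /path + keydev=D  -> key file /path stored on device D
#   /path             -> key file /path on the root filesystem
#   anything else     -> rejected (no more plaintext passwords in crypttab)
# Option names: keydev= (from the post), keyfile-size= (assumed spelling).

# get_opt NAME OPTS: print the value of NAME=... from a comma-separated
# option list, or nothing if the option is absent.
get_opt() {
    opts=",$2,"
    case $opts in
        *,"$1"=*) rest=${opts#*,"$1"=}; printf '%s\n' "${rest%%,*}" ;;
    esac
}

# classify_key KEY [OPTS]: print how the key for this entry is obtained.
classify_key() {
    key=$1
    keydev=$(get_opt keydev "${2:-}")
    case $key in
        -|none|ASK) echo interactive ;;
        SWAP)       echo urandom ;;
        /*)
            if [ -n "$keydev" ]; then
                echo "keydev $keydev $key"
            else
                echo "keyfile $key"
            fi ;;
        *)
            # A bare word would have been a plaintext password; refuse it.
            echo "unsupported key value '$key'" >&2
            return 1 ;;
    esac
}

# cryptsetup_key_args KEY [OPTS]: the key-related cryptsetup arguments for
# this entry (empty for interactive). For a keydev entry the path is
# relative to wherever the caller mounts that device; mounting it is the
# open question in the thread and is deliberately not done here.
cryptsetup_key_args() {
    mode=$(classify_key "$1" "${2:-}") || return 1
    case $mode in
        interactive) printf '\n' ;;
        urandom)     printf '%s\n' '--key-file=/dev/urandom' ;;
        *)
            path="${mode##* }"
            args="--key-file=$path"
            size=$(get_opt keyfile-size "${2:-}")
            if [ -n "$size" ]; then
                # Replaces the old dd | cryptsetup pipeline for sized keys.
                args="$args --keyfile-size=$size"
            fi
            printf '%s\n' "$args" ;;
    esac
}

# parse_crypttab_line LINE: print "NAME DEVICE MODE..." for one entry;
# blank lines and comments print nothing.
parse_crypttab_line() {
    case $1 in ''|'#'*) return 0 ;; esac
    # shellcheck disable=SC2086
    set -- $1
    name=$1 dev=$2 key=${3:--} opts=${4:-}
    mode=$(classify_key "$key" "$opts") || return 1
    printf '%s %s %s\n' "$name" "$dev" "$mode"
}

# Constructed sample entries, not a real crypttab.
SAMPLE='# name  device     key                 options
usr     /dev/sda3  /etc/keys/usr.key   keydev=/dev/mapper/root,keyfile-size=512
swap    /dev/sda4  SWAP
home    /dev/sda5  -
data    /dev/sda6  my-secret-password'

demo() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        parse_crypttab_line "$line" || echo "rejected: $line"
    done
}
```

Running `demo` lists the usr, swap and home entries with their resolved key mode and rejects the data entry, which is the error branch of rule 5 rather than the fall-back-to-interactive variant the message leaves open.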