[arch-projects] crypttab key syntax

Matthew Monaco dgbaley27 at 0x01b.net
Thu Mar 22 18:22:56 EDT 2012


Since we're going for systemd compatibility, we're going to need to change the
key syntax. It seems like there are two supported syntaxes which are handled a
little bit differently by the encrypt hook and initscripts.

1) <dev>:<fstype>:<file>

   I want to support this by adding a keydev= option. What remains is what to
   do when a key is not available and there is no keydev=. For a first go I
   think such a setup doesn't need to be supported, but eventually deriving a
   default will be good.

   The primary target here is to support having a keyfile for an encrypted /usr
   stored on root. This is a little tricky in the initcpio because it would be
   pretty undesirable from my perspective to tell the user such keys need to be
   /new_root/...

   One way to do this would be keydev=/dev/mapper/root, but this might mean
   mounting root to some temporary location, unmounting it, and then having
   initcpio pick up as normal after the hooks. Among other things, this would
   mount root before fsck.

2) <dev>:<offset>:<length>

   I want to drop support for this. The length field is supported by
   cryptsetup's --keyfile-size option.

   I don't see <offset> being widely used as it's not even documented. Coupled
   with systemd not supporting anything like this, I'd like to cowardly refuse
   to implement it.

   I looked into adding a --keyfile-offset option to cryptsetup directly. It
   doesn't look too bad but does require an API change to libcryptsetup. We'll
   not worry about this now.

   So this means no more generating keyfiles with dd and piping them into
   cryptsetup, they can all just be passed via the --key-file=<real_filename>
   option.

3) -, none, and ASK will all mean interactive.

4) SWAP will be held onto for compatibility and will imply /dev/urandom. (This
   is probably pointless though because the options field won't be compatible
   and crypttab will need editing anyway)

5) *. We're dropping plaintext password support. Anything other than
   /*,-,none,ASK,SWAP will either be an error, or fall back to interactive.

