[arch-projects] [initscripts] next release

Tom Gundersen teg at jklm.no
Sat Nov 5 21:02:01 EDT 2011


Hi Heiko,

On Sun, Nov 6, 2011 at 8:18 AM, Heiko Baums <lists at baums-on-web.de> wrote:
>> Yeah, I think I'll add a warning when a passphrase is used. Having
>> looked through it, that should take care of most of my gripes.
>
> Having passphrases in an unencrypted text file on the harddisk
> like /etc/crypttab is certainly not the best method. But only offering
> key files is insufficient. The currently existing methods of
> storing and entering passphrases or key files must be kept.

Backwards compatibility will be kept. The suggestion was to add a
warning if the passphrase is stored inline in /etc/crypttab rather
than in a separate file.

> That implies entering passphrases with the keyboard, storing/reading key
> files on/from USB sticks and storing/reading keys raw on/from USB sticks
> with dd must still be possible for every LUKS container.

I agree.

> And what's currently missing in /etc/rc.sysinit is a fallback to asking
> for a passphrase if a key can't be read, e.g. because someone forgot to
> plug in the USB stick. This should be added, too, as it is done in the
> encrypt hook.

That would be very useful.

> I admit I forgot to implement it when I wrote the rc.sysinit patches
> for reading the keys from the USB stick. I only found this out
> recently, and would have written a patch for it in the coming days if
> you didn't want to completely rewrite this cryptsetup system.

I will probably keep most of the code (I really don't want to touch
this stuff), but might have to reorganize a bit (e.g. separate out the
swap stuff).

> Tell me, if I shall write this patch anyway.

The patches would definitely be appreciated, but it would probably
make the most sense to wait for the restructuring to hit master so we
avoid too many merge conflicts.

Cheers,

Tom
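The inline-passphrase warning Tom mentions and the prompt fallback Heiko asks for, as an added example that is not part of the thread or of initscripts. It assumes the legacy crypttab layout with ASK/SWAP keywords, uses a constructed crypttab, and only prints the cryptsetup commands instead of running them.

```shell
# Added example (not initscripts code): choose how each crypttab entry's key is
# obtained, warn on inline passphrases and fall back to a prompt when the key
# file is unreadable. Assumed legacy format: <name> <device> <password> [options],
# where <password> is ASK, SWAP, a key file path, or a literal passphrase.

# Constructed sample crypttab; /mnt/usbkey stands for an unplugged USB stick.
SAMPLE_CRYPTTAB='# name   device     password
home     /dev/sda3  /mnt/usbkey/home.key
data     /dev/sda4  ASK
swap     /dev/sda2  SWAP
legacy   /dev/sda5  s3cretpass'

# key_mode NAME PASSWORD: prints prompt | prompt-fallback | keyfile | swap | inline
key_mode() {
    case $2 in
        ASK)  echo prompt ;;
        SWAP) echo swap ;;
        /*)
            if [ -r "$2" ]; then
                echo keyfile
            else
                # Key file missing/unreadable (USB stick not plugged in): ask for
                # a passphrase instead of failing the boot.
                echo "WARNING: $1: key file $2 not readable, asking for passphrase" >&2
                echo prompt-fallback
            fi ;;
        *)
            echo "WARNING: $1: passphrase stored inline in crypttab, use a key file" >&2
            echo inline ;;
    esac
}

# cryptsetup_cmd MODE NAME DEVICE PASSWORD: the command that would run (dry run;
# an inline passphrase is fed on stdin with --key-file=-, never as an argument).
cryptsetup_cmd() {
    case $1 in
        keyfile) echo "cryptsetup --key-file $4 luksOpen $3 $2" ;;
        inline)  echo "cryptsetup --key-file=- luksOpen $3 $2" ;;
        swap)    echo "cryptsetup -d /dev/urandom create $2 $3" ;;
        *)       echo "cryptsetup luksOpen $3 $2" ;;  # prompts on the console
    esac
}
# process_crypttab: one "name mode" line per entry; comments and blanks skipped.
process_crypttab() {
    printf '%s\n' "$SAMPLE_CRYPTTAB" | while read -r name device password options; do
        case $name in ''|\#*) continue ;; esac
        echo "$name $(key_mode "$name" "$password")"
    done
}
```

Run `process_crypttab` to see each entry's decision; with the stick absent, `home` falls through to `prompt-fallback` and `legacy` triggers the inline-passphrase warning on stderr.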