On Fri, 8 Jan 2016 14:24:52 +0100, Christian Seiler <christ...@iwakd.de> wrote:
> - Instead it was proposed to use password agents (see [1]) for this.
>
> - Problem with that is that the password agents don't support
>   arbitrary binary data, which is needed for keys (they only support
>   plain text).

And there is no example code for a password agent aside from some proof of concept code in Python (which is not recommended to use in production) and the whole concept breaks if the unlocking scheme for filesystem A involves unlocking filesystem B because it has part of the key.

This is not a replacement for keyscripts, it is a triangle instead of a wheel.

>As far as I can tell, this is a case where upstream's goal of creating
>the best technical solution for a problem gets in the way of having
>something that works at all.

Amen.

>and the reason why this didn't
>affect Jessie much worse is that initramfs-tools still support
>keyscript=, so unlocking the rootfs still works via this mechanism.

Which leaves the issue of unlocking the other filesystems that need unlocking for the system to run. I have resorted to unlocking everything I need in the initramfs, which had the result of making initramfs more complex, not easier. Well done, systemd.

>And it'd be one thing if a proper solution had been around the corner
>and this feature had been missing for a couple of months, but it has
>been years, and there is no perspective on when a patch for this would
>be accepted upstream, because (from what I read on the mailing list)
>they appear to want to have early-boot IPC before touching the
>password agent code again - which means it could take another 2 or 3
>years.

*sigh*

>And yes, I get why what has been proposed upstream is better in the
>long term,

I don't. It introduces thousands of lines of code of complexity in early boot which already is hard enough to debug.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834