Bug#704470: cryptsetup: Please support specifying key-slot in crypttab

Mon, 01 Apr 2013 08:42:17 -0700 

Package: cryptsetup
Version: 2:1.4.3-4
Severity: wishlist
Tags: patch

Dear Maintainer,

Could you please consider adding support for specifying the --key-slot
option in /etc/crypttab?  Since key slots are tested sequentially,
decrypting a device in crypttab using a key file for a higher-numbered
slot can take quite a while (depending on the number of iterations on
all earlier key slots) and slow down boot noticeably for automatic
mappings.  Being able to specify the key slot to which the
keyfile/keyscript matches would speed this up significantly.

I've attached a simple patch to implement the option as "keyslot".

Cheers,
Kevin

Index: debian/doc/crypttab.xml
===================================================================
--- debian/doc/crypttab.xml	(revision 958)
+++ debian/doc/crypttab.xml	(working copy)
@@ -346,6 +346,15 @@
     </listitem>
    </varlistentry>
 
+   <varlistentry>
+    <term><emphasis>keyslot</emphasis>=&lt;slot&gt;</term>
+    <listitem>
+     <simpara>
+      Key slot (ignored for non-LUKS devices). See <command>cryptsetup -S</command>.
+     </simpara>
+    </listitem>
+   </varlistentry>
+
   </variablelist>
  </refsect1>
 
Index: debian/cryptdisks.functions
===================================================================
--- debian/cryptdisks.functions	(revision 958)
+++ debian/cryptdisks.functions	(working copy)
@@ -30,6 +30,7 @@
 	# Strip comments - https://bugs.launchpad.net/bugs/185380
 	opts=$(echo -n $1 | sed 's/ *#.*//')
 	PARAMS=""
+	LUKSPARAMS=""
 	PLAINPARAMS=""
 	CHECK=""
 	CHECKARGS=""
@@ -181,6 +182,13 @@
 				return 1
 			fi
 			;;
+		keyslot)
+			if [ -z "$VALUE" ]; then
+				log_warning_msg "$dst: no value for keyslot option, skipping"
+				return 1
+			fi
+			LUKSPARAMS="$LUKSPARAMS --key-slot $VALUE"
+			;;
 		esac
 
 		CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
@@ -286,11 +294,11 @@
 
 	while [ "$tried" -lt "$TRIES" ] || [ "$TRIES" -eq "0" ]; do
 		if [ -n "$KEYSCRIPT" ]; then
-			if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then
+			if $KEYSCRIPT "$keyscriptarg" | cryptsetup $LUKSPARAMS $PARAMS luksOpen "$src" "${dst}_unformatted"; then
 				break
 			fi
 		else
-			if cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then
+			if cryptsetup $LUKSPARAMS $PARAMS luksOpen "$src" "${dst}_unformatted"; then
 				break
 			fi
 		fi

Reply via email to