Package: cryptsetup Version: 2:1.4.3-4 Severity: wishlist Tags: patch Dear Maintainer,
Could you please consider adding support for specifying the --key-slot option in /etc/crypttab? Since key slots are tested sequentially, decrypting a device in crypttab using a key file for a higher-numbered slot can take quite a while (depending on the number of iterations on all earlier key slots) and slow down boot noticeably for automatic mappings. Being able to specify the key slot to which the keyfile/keyscript matches would speed this up significantly. I've attached a simple patch to implement the option as "keyslot". Cheers, Kevin
Index: debian/doc/crypttab.xml =================================================================== --- debian/doc/crypttab.xml (revision 958) +++ debian/doc/crypttab.xml (working copy) @@ -346,6 +346,15 @@ </listitem> </varlistentry> + <varlistentry> + <term><emphasis>keyslot</emphasis>=<slot></term> + <listitem> + <simpara> + Key slot (ignored for non-LUKS devices). See <command>cryptsetup -S</command>. + </simpara> + </listitem> + </varlistentry> + </variablelist> </refsect1> Index: debian/cryptdisks.functions =================================================================== --- debian/cryptdisks.functions (revision 958) +++ debian/cryptdisks.functions (working copy) @@ -30,6 +30,7 @@ # Strip comments - https://bugs.launchpad.net/bugs/185380 opts=$(echo -n $1 | sed 's/ *#.*//') PARAMS="" + LUKSPARAMS="" PLAINPARAMS="" CHECK="" CHECKARGS="" @@ -181,6 +182,13 @@ return 1 fi ;; + keyslot) + if [ -z "$VALUE" ]; then + log_warning_msg "$dst: no value for keyslot option, skipping" + return 1 + fi + LUKSPARAMS="$LUKSPARAMS --key-slot $VALUE" + ;; esac CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM" @@ -286,11 +294,11 @@ while [ "$tried" -lt "$TRIES" ] || [ "$TRIES" -eq "0" ]; do if [ -n "$KEYSCRIPT" ]; then - if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then + if $KEYSCRIPT "$keyscriptarg" | cryptsetup $LUKSPARAMS $PARAMS luksOpen "$src" "${dst}_unformatted"; then break fi else - if cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then + if cryptsetup $LUKSPARAMS $PARAMS luksOpen "$src" "${dst}_unformatted"; then break fi fi