Package: cryptsetup Version: 2:1.7.3-3 Tags: patch
Debian's cryptsetup supports the keyscript option, but systemd does not. Using a keyscript for the root device results either in delays during boot or (sometimes) in boot errors. Someone suggested using a raw device together with the keyfile-size and keyfile-offset options [1] instead. However, the cryptroot hook does not pass those options on to the initramfs. Please consider adding keyfile-size and keyfile-offset to the supported options. [1] https://wiki.debianforum.de/Cryptsetup_mit_systemd_und_Schlüssel_auf_externem_USB-Stick
--- /tmp/cryptsetup_1.7.3-3/lib/cryptsetup/cryptdisks.functions 2016-12-09 01:18:17.000000000 +0100
+++ /lib/cryptsetup/cryptdisks.functions 2016-12-25 19:02:23.179147532 +0100
@@ -203,6 +203,20 @@
 fi
 LUKSPARAMS="$LUKSPARAMS --key-slot $VALUE"
 ;;
+ keyfile-size)
+ if [ -z "$VALUE" ]; then
+ log_warning_msg "$dst: no value for keyfile-size option, skipping"
+ return 1
+ fi
+ LUKSPARAMS="$LUKSPARAMS --keyfile-size $VALUE"
+ ;;
+ keyfile-offset)
+ if [ -z "$VALUE" ]; then
+ log_warning_msg "$dst: no value for keyfile-offset option, skipping"
+ return 1
+ fi
+ LUKSPARAMS="$LUKSPARAMS --keyfile-offset $VALUE"
+ ;;
 tcrypthidden)
 TCRYPTPARAMS="$TCRYPTPARAMS --tcrypt-hidden"
 ;;
@@ -213,7 +227,7 @@
 CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
 [ -z "$VALUE" ] && VALUE="yes"
- eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
+ eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\""
 done
 export CRYPTTAB_OPTIONS
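Review bot: The new `keyfile-size)` and `keyfile-offset)` arms only reject an empty `$VALUE` before splicing it into `LUKSPARAMS`, which presumably ends up word-split onto the cryptsetup command line, so a non-numeric value or one containing whitespace is not caught here and only fails (or adds stray arguments) when cryptsetup is invoked. Validate the value in each arm, for example `case "$VALUE" in ''|*[!0-9]*) log_warning_msg "$dst: invalid value for keyfile-size option, skipping"; return 1 ;; esac`, mirroring the `case "$crypttries" in` check the local-top script already applies to `tries`. The same unchecked pass-through exists in the hooks/cryptroot hunk at @@ -444,8 +444,15 @@ and in the local-top/cryptroot hunk at @@ -124,6 +126,12 @@, where `${x#keyfile-size=}` is assigned and later appended to `cryptopen` without a check. The enclosing case statement starts before the hunk.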
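Review bot: The rewritten `eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\""` still hands `$PARAM` to eval after only translating dashes, and `$VALUE` is expanded inside the eval'd double-quoted string, so a `$`, backtick or `"` in a crypttab option name or value is interpreted as shell rather than stored; the identical line appears in the local-top/cryptroot hunk at @@ -152,7 +160,7 @@. Restrict the name first, e.g. `case "$PARAM" in *[!A-Za-z0-9_-]*) log_warning_msg "$dst: ignoring malformed option $PARAM"; continue ;; esac`, translate it into a local name, and let eval expand the value as a variable instead of re-parsing its text: `eval "export CRYPTTAB_OPTION_${name}=\$VALUE"`. The unquoted `echo $PARAM` also word-splits and globs the name and forks `echo | sed` once per option. The enclosing loop starts before the hunk.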
--- /tmp/cryptsetup_1.7.3-3/usr/share/initramfs-tools/hooks/cryptroot 2016-12-09 01:18:17.000000000 +0100
+++ /usr/share/initramfs-tools/hooks/cryptroot 2016-12-25 19:03:12.954987653 +0100
@@ -444,8 +444,15 @@
 resumedev)
 OPTIONS="$OPTIONS,$opt"
 ;;
+ keyfile-size=*)
+ OPTIONS="$OPTIONS,$opt"
+ ;;
+ keyfile-offset=*)
+ OPTIONS="$OPTIONS,$opt"
+ ;;
 *)
 # Presumably a non-supported option
+ echo "option not supported: $opt" >&2
 ;;
 esac
 done 
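Review bot: The new diagnostic in the `*)` arm, `echo "option not supported: $opt" >&2`, does not follow the `cryptsetup: WARNING: …` prefix this hook uses for its other stderr messages, and it turns the previously silent handling of every unrecognised crypttab option into a message per option on each initramfs build. Use `echo "cryptsetup: WARNING: ignoring unsupported crypttab option $opt" >&2` so the line is recognisable in update-initramfs output and states what happens to the option. The enclosing loop starts outside the hunk.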
@@ -473,25 +480,33 @@
 key="/cryptroot-keyfiles/${target}.key"
 ;;
 *)
- key=$(readlink -e "$key")
+ # only resolve sym-links for files, not for disks
+ if [ "$key" = "${key%/dev/disk/*}" ] ; then
+ key=$(readlink -e "$key")
+ fi
 # test whether $target is a root device (or parent of the root device)
 if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?rootdev(,.*)?$'; then
- echo "cryptsetup: WARNING: root target $target uses a key file, skipped" >&2
- return 1
+ if [ "$key" = "${key%/dev/disk/*}" ] ; then
+ echo "cryptsetup: WARNING: root target $target uses a key file, skipped" >&2
+ return 1
+ else
+ echo "cryptsetup: NOTE: root target $target uses a device, $key" >&2
+ fi
 # test whether a) key file is not on root fs
 # or b) root fs is not encrypted
 elif [ "$(stat -c %m -- "$key" 2>/dev/null)" != / ] || ! node_or_pv_is_in_crypttab $rootdevs; then
 echo "cryptsetup: WARNING: $target's key file $key is not on an encrypted root FS, skipped" >&2
 return 1
+ else
+ if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?resumedev(,.*)?$'; then
+ # we'll be able to decrypt the device, but won't be able to use it for resuming
+ echo "cryptsetup: WARNING: resume device $source uses a key file" >&2
+ fi
+ # prepend "/root" (to be substituted by the real root FS
+ # mountpoint "$rootmnt" in the boot script) to the
+ # absolute filename
+ key="/root$key"
 fi
- if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?resumedev(,.*)?$'; then
- # we'll be able to decrypt the device, but won't be able to use it for resuming
- echo "cryptsetup: WARNING: resume device $source uses a key file" >&2
- fi
- # prepend "/root" (to be substituted by the real root FS
- # mountpoint "$rootmnt" in the boot script) to the
- # absolute filename
- key="/root$key"
 ;;
 esac
 OPTIONS="$OPTIONS,keyscript=cat"
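Review bot: The device test `[ "$key" = "${key%/dev/disk/*}" ]` matches `/dev/disk/` anywhere in the path, not only as a prefix, so a regular key file under a directory whose name contains `/dev/disk/` is treated as a device, neither resolved with `readlink` nor prefixed with `/root`; decide it once with a prefix match, `case "$key" in /dev/disk/*) key_is_dev=1 ;; *) key_is_dev= ;; esac`, and test `$key_is_dev` in both places instead of repeating the expansion. For a non-root target a device key still falls through to the `stat -c %m` branch, which presumably reports the devtmpfs mount point rather than `/` and skips the entry with the "not on an encrypted root FS" warning, so the new device support appears to work only for targets carrying `rootdev`; either handle that case or say so in the comment. Nothing here checks that the key device exists or will be available under the same name in the initramfs, and the new `cryptsetup: NOTE:` message is the only place the hook reports which device will be read, so consider extending it with that expectation. The enclosing function starts and ends outside the hunk.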
--- /tmp/cryptsetup_1.7.3-3/usr/share/initramfs-tools/scripts/local-top/cryptroot 2016-12-09 01:18:17.000000000 +0100
+++ /usr/share/initramfs-tools/scripts/local-top/cryptroot 2016-12-25 19:07:16.661745962 +0100
@@ -70,6 +70,8 @@
 cryptkeyscript=""
 cryptkey="" # This is only used as an argument to an eventual keyscript
 cryptkeyslot=""
+ cryptkeyfilesize=""
+ cryptkeyfileoffset=""
 crypttries=3
 crypttcrypt=""
 cryptveracrypt=""
@@ -124,6 +126,12 @@
 keyslot=*)
 cryptkeyslot=${x#keyslot=}
 ;;
+ keyfile-size=*)
+ cryptkeyfilesize=${x#keyfile-size=}
+ ;;
+ keyfile-offset=*)
+ cryptkeyfileoffset=${x#keyfile-offset=}
+ ;;
 tries=*)
 crypttries="${x#tries=}"
 case "$crypttries" in
@@ -152,7 +160,7 @@
 VALUE="${x#*=}"
 fi
 CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
- eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
+ eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\""
 done
 export CRYPTTAB_OPTIONS
@@ -288,6 +296,12 @@
 if [ -n "$cryptkeyslot" ]; then
 cryptopen="$cryptopen --key-slot=$cryptkeyslot"
 fi
+ if [ -n "$cryptkeyfilesize" ]; then
+ cryptopen="$cryptopen --keyfile-size=$cryptkeyfilesize"
+ fi
+ if [ -n "$cryptkeyfileoffset" ]; then
+ cryptopen="$cryptopen --keyfile-offset=$cryptkeyfileoffset"
+ fi
 if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then
 cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-"
 elif [ "$crypttcrypt" = "yes" ]; then
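Review bot: `--keyfile-size=` and `--keyfile-offset=` are appended to `cryptopen` while the key material itself still reaches cryptsetup on stdin through `--key-file=-` (fed by the `keyscript=cat` the hook sets), so the offset is applied to a pipe rather than to the device; whether cryptsetup honours `--keyfile-offset` on a non-seekable stdin needs confirming, and `cat` will presumably push the whole key device through the pipe regardless of the size limit. If stdin seeking is not supported, passing the device path as `--key-file` for device keys would let cryptsetup apply offset and size itself and read only what it needs. Add a comment on the new lines stating which of the two behaviours was verified, e.g. `# offset/size are applied by cryptsetup to the key read from stdin (keyscript output)`. The enclosing function starts and ends outside the hunk.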