Package: cryptsetup
Version: 2:1.7.3-3
Tags: patch

Debian supports keyscript, but systemd does not. Using a keyscript for the root
device results either in delays during boot or (sometimes) in boot errors.
Someone suggested using devices together with keyfile-size and keyfile-offset [1] instead.
However, the cryptroot hook does not pass those options to the initramfs.
Please consider adding keyfile-size and keyfile-offset to the supported options.


[1] 
https://wiki.debianforum.de/Cryptsetup_mit_systemd_und_Schlüssel_auf_externem_USB-Stick


--- /tmp/cryptsetup_1.7.3-3/lib/cryptsetup/cryptdisks.functions	2016-12-09 01:18:17.000000000 +0100
+++ /lib/cryptsetup/cryptdisks.functions	2016-12-25 19:02:23.179147532 +0100
@@ -203,6 +203,20 @@
 			fi
 			LUKSPARAMS="$LUKSPARAMS --key-slot $VALUE"
 			;;
+		keyfile-size)
+			if [ -z "$VALUE" ]; then
+				log_warning_msg "$dst: no value for keyfile-size option, skipping"
+				return 1
+			fi
+			LUKSPARAMS="$LUKSPARAMS --keyfile-size $VALUE"
+			;;
+		keyfile-offset)
+			if [ -z "$VALUE" ]; then
+				log_warning_msg "$dst: no value for keyfile-offset option, skipping"
+				return 1
+			fi
+			LUKSPARAMS="$LUKSPARAMS --keyfile-offset $VALUE"
+			;;
 		tcrypthidden)
 			TCRYPTPARAMS="$TCRYPTPARAMS --tcrypt-hidden"
 			;;
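Review bot: The two new arms append `$VALUE` to LUKSPARAMS after only an emptiness test, whereas the `fi` closing the `key-slot` arm on the first context line suggests that arm validates its value; LUKSPARAMS is later word-split onto the cryptsetup command line, so a value containing whitespace becomes extra arguments and a non-numeric one only fails inside cryptsetup when the device is unlocked. Suggest replacing the `-z` test in each arm with a numeric check, e.g. `case "$VALUE" in ''|*[!0-9]*) log_warning_msg "$dst: invalid value for keyfile-size option, skipping"; return 1 ;; esac`, mirrored for keyfile-offset. The enclosing case and function start and end outside the hunk.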
@@ -213,7 +227,7 @@
 
 		CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
 		[ -z "$VALUE" ] && VALUE="yes"
-		eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
+		eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\""
 	done
 	export CRYPTTAB_OPTIONS
 
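Review bot: The new `eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\""` still hands crypttab text to `eval` as shell code: a `$PARAM` containing any character outside `[A-Za-z0-9_-]`, or a `$VALUE` containing `"`, `$` or backticks, is interpreted rather than stored, and the unquoted `$PARAM` in `echo` is additionally subject to globbing; the cost is at best a syntax error at boot time. Since the only goal is a valid variable name, sanitize the name and drop `eval`: `name=$(printf '%s' "$PARAM" | tr -c 'A-Za-z0-9_' '_')` followed by `export "CRYPTTAB_OPTION_$name=$VALUE"` — `export name=value` is POSIX and stores `$VALUE` verbatim. The same line is changed in the `scripts/local-top/cryptroot` hunk at `@@ -152,7 +160,7 @@`, which should receive the identical fix. The enclosing loop starts outside the hunk.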
--- /tmp/cryptsetup_1.7.3-3/usr/share/initramfs-tools/hooks/cryptroot	2016-12-09 01:18:17.000000000 +0100
+++ /usr/share/initramfs-tools/hooks/cryptroot	2016-12-25 19:03:12.954987653 +0100
@@ -444,8 +444,15 @@
 			resumedev)
 				OPTIONS="$OPTIONS,$opt"
 				;;
+			keyfile-size=*)
+				OPTIONS="$OPTIONS,$opt"
+				;;
+			keyfile-offset=*)
+				OPTIONS="$OPTIONS,$opt"
+				;;
 			*)
 				# Presumably a non-supported option
+				echo "option not supported: $opt" >&2
 				;;
 		esac
 	done
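Review bot: The two new `keyfile-size=*`/`keyfile-offset=*` arms forward the option into the initramfs crypttab without checking the value, so a typo in /etc/crypttab is only discovered by cryptsetup at boot, when the root device fails to unlock; update-initramfs is the place to reject it. The arms can be merged, and the new `echo "option not supported: $opt"` lacks the `cryptsetup: WARNING:` prefix that the other messages in this hook use (see the next hunk). Whether the hook prefers to warn and drop the option or to fail the entry with `return 1` as the key-file checks do cannot be seen from here; the sketch below warns and drops. The enclosing loop starts outside the hunk.
```shell
			keyfile-size=*|keyfile-offset=*)
				case "${opt#*=}" in
					''|*[!0-9]*)
						echo "cryptsetup: WARNING: invalid value in option $opt, ignored" >&2
						;;
					*)
						OPTIONS="$OPTIONS,$opt"
						;;
				esac
				;;
			*)
				# Presumably a non-supported option
				echo "cryptsetup: WARNING: option not supported: $opt" >&2
				;;
```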
@@ -473,25 +480,33 @@
 				key="/cryptroot-keyfiles/${target}.key"
 				;;
 			*)
-				key=$(readlink -e "$key")
+				# only resolve sym-links for files, not for disks
+				if [ "$key" = "${key%/dev/disk/*}" ] ; then
+					key=$(readlink -e "$key")
+				fi
 				# test whether $target is a root device (or parent of the root device)
 				if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?rootdev(,.*)?$'; then
-					echo "cryptsetup: WARNING: root target $target uses a key file, skipped" >&2
-					return 1
+					if [ "$key" = "${key%/dev/disk/*}" ] ; then
+						echo "cryptsetup: WARNING: root target $target uses a key file, skipped" >&2
+						return 1
+					else
+						echo "cryptsetup: NOTE: root target $target uses a device, $key" >&2 
+					fi
 				# test whether a) key file is not on root fs
 				#           or b) root fs is not encrypted
 				elif [ "$(stat -c %m -- "$key" 2>/dev/null)" != / ] || ! node_or_pv_is_in_crypttab $rootdevs; then
 					echo "cryptsetup: WARNING: $target's key file $key is not on an encrypted root FS, skipped" >&2
 					return 1
+				else
+					if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?resumedev(,.*)?$'; then
+						# we'll be able to decrypt the device, but won't be able to use it for resuming
+						echo "cryptsetup: WARNING: resume device $source uses a key file" >&2
+					fi
+					# prepend "/root" (to be substituted by the real root FS
+					# mountpoint "$rootmnt" in the boot script) to the
+					# absolute filename
+					key="/root$key"
 				fi
-				if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?resumedev(,.*)?$'; then
-					# we'll be able to decrypt the device, but won't be able to use it for resuming
-					echo "cryptsetup: WARNING: resume device $source uses a key file" >&2
-				fi
-				# prepend "/root" (to be substituted by the real root FS
-				# mountpoint "$rootmnt" in the boot script) to the
-				# absolute filename
-				key="/root$key"
 				;;
 		esac
 		OPTIONS="$OPTIONS,keyscript=cat"
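Review bot: The device test `[ "$key" = "${key%/dev/disk/*}" ]` is a substring match, not a prefix match: any key path that merely contains `/dev/disk/` further along is treated as a device, while real block-device keys named as `/dev/sdX` or `/dev/mapper/...` still go through `readlink -e` and the file checks and are skipped; the test is also evaluated twice. Suggest deciding once, anchored at the start of the path, before the root-device test: `case "$key" in /dev/*) keydev=yes ;; *) keydev=; key=$(readlink -e "$key") ;; esac` and then `if [ -z "$keydev" ]; then` in the rootdev branch. The `stat -c %m` branch for non-root targets appears to still reject a device key (the symlink lives under /dev), so the new behaviour seems reachable only for entries tagged `rootdev`; if that is intended, the `# only resolve sym-links for files, not for disks` comment should say so. The NOTE line ends in `>&2 ` with trailing whitespace. The enclosing function starts and ends outside the hunk.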
--- /tmp/cryptsetup_1.7.3-3/usr/share/initramfs-tools/scripts/local-top/cryptroot	2016-12-09 01:18:17.000000000 +0100
+++ /usr/share/initramfs-tools/scripts/local-top/cryptroot	2016-12-25 19:07:16.661745962 +0100
@@ -70,6 +70,8 @@
 	cryptkeyscript=""
 	cryptkey="" # This is only used as an argument to an eventual keyscript
 	cryptkeyslot=""
+	cryptkeyfilesize=""
+	cryptkeyfileoffset=""
 	crypttries=3
 	crypttcrypt=""
 	cryptveracrypt=""
@@ -124,6 +126,12 @@
 		keyslot=*)
 			cryptkeyslot=${x#keyslot=}
 			;;
+		keyfile-size=*)
+			cryptkeyfilesize=${x#keyfile-size=}
+			;;
+		keyfile-offset=*)
+			cryptkeyfileoffset=${x#keyfile-offset=}
+			;;
 		tries=*)
 			crypttries="${x#tries=}"
 			case "$crypttries" in
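Review bot: The new `keyfile-size=*` and `keyfile-offset=*` arms store the value without the validation the neighbouring `tries=*` arm applies through its `case "$crypttries" in`; the values are later spliced unquoted into `$cryptopen` (hunk `@@ -288,6 +296,12 @@`), which is presumably executed via word-splitting, so a value containing whitespace turns into additional cryptsetup arguments and a non-numeric one fails only inside cryptsetup. Suggest validating in the same style after each assignment, e.g. `case "$cryptkeyfilesize" in *[!0-9]*) echo "cryptsetup: WARNING: invalid keyfile-size '$cryptkeyfilesize', ignored" >&2; cryptkeyfilesize="" ;; esac`, and likewise for `cryptkeyfileoffset`. The enclosing case starts and ends outside the hunk.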
@@ -152,7 +160,7 @@
 			VALUE="${x#*=}"
 		fi
 		CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
-		eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
+		eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\""
 	done
 	export CRYPTTAB_OPTIONS
 
@@ -288,6 +296,12 @@
 	if [ -n "$cryptkeyslot" ]; then
 		cryptopen="$cryptopen --key-slot=$cryptkeyslot"
 	fi
+	if [ -n "$cryptkeyfilesize" ]; then
+		cryptopen="$cryptopen --keyfile-size=$cryptkeyfilesize"
+	fi
+	if [ -n "$cryptkeyfileoffset" ]; then
+		cryptopen="$cryptopen --keyfile-offset=$cryptkeyfileoffset"
+	fi
 	if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then
 		cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-"
 	elif [ "$crypttcrypt" = "yes" ]; then
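Review bot: A comment is missing on what these two options act on: the key reaches cryptsetup through `--key-file=-` on the `open` line below, i.e. as the stdout of the keyscript (the hook sets `keyscript=cat`), so `--keyfile-offset` and `--keyfile-size` are applied to a non-seekable pipe carrying the device contents, not to the device node named in crypttab. Whether this cryptsetup version honours an offset on non-seekable input should be confirmed before relying on it for the root device; if it does not, the offset has to be applied on the keyscript side instead. Suggest adding above the first new `if`: `# keyfile-size/-offset apply to the key data piped in via --key-file=- (keyscript stdout), not to the path in crypttab`. The enclosing function starts and ends outside the hunk.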
