Hey Marc,

On 24/02/2011 Marc Haber wrote:
> On Thu, Feb 24, 2011 at 12:13:22PM +0100, Jonas Meurer wrote:
> > On 25/10/2010 Marc Haber wrote:
> > > I have a system where the keyscript used to unlock the root fs needs
> > > another crypto file system to be unlocked previously. To do that, I
> > > would like to have that file system added to conf.d/cryptsetup, and to
> > > do that, I'd have to go through pretty much the same motions that
> > > /usr/share/initramfs-tools/hooks/cryptroot already does.
> > >
> > > Please consider adding a method to have your hook script handle
> > > additional devices other than the root and the resume devices. It
> > > would be necessary to set some marker to tell the hook script to
> > > handle that device as well. Searching /etc/fstab would probably not be
> > > appropriate since my device will be unmounted and locked again after the
> > > root was mounted.
> > >
> > > Having the device in crypttab, specially marked, would probably be ok.
> > >
> > > Please indicate how you would like to tell the hook script about
> > > additional devices to handle, and I'll provide a patch.
> >
> > What kind of device are you talking about? Another dm-crypt encrypted
> > device which contains the key?
>
> Nearly. It's another dm-crypt encrypted device which contains part of
> the key, which needs to be unlocked before the keyscript that is used
> to unlock the root fs can build the key for the root fs.
>
> > If this is just about additional dm-crypt devices, which should be
> > unlocked in initramfs along with the root and suspend devices,
>
> This additional dm-crypt device needs to be successfully unlocked
> before the unlock process for the root and suspend devices can start.
> Order is important because before the additional device isn't open,
> there ain't a complete key to unlock root.

To be honest, this sounds like a rather special setup to me. I'm not sure
whether supporting more random custom setups justifies more and more
crypttab options.

Your setup sounds like a keyscript would be the perfect solution for
you. Why not simply write a keyscript which does all preliminary steps
and outputs the key? You could even patch the passdev keyscript (it is
designed to fetch a key from some external device) to support encrypted
devices.

I'm happy to add new and/or patched keyscripts to the Debian package,
given that they're generally useful.

greetings,
 jonas

