Bug#394134: [Pkg-cryptsetup-devel] Bug#394134: cryptsetup: does not
open luks partitions with filekeys during boot
Jonas Meurer
jonas at freesources.org
Sat Oct 21 18:15:07 UTC 2006
On 20/10/2006 Evgeni Golov wrote:
> > could you elaborate on this? what is the exact line in /etc/crontab,
> crypttab you mean ;-) ^^^^^^^
hehe, you're correct ;-)
> # <target name> <source device> <key file> <options>
> home /dev/sda6 /media/usbstick/keyfile-shinkupaddo.luks luks
>
> > and what is the exact output by '/etc/init.d/cryptsetup start'?
>
> # /etc/init.d/cryptdisks start
> Starting remaining crypto disks...STICK!
> home(starting)
> - INSECURE MODE FOR /media/usbstick/keyfile-shinkupaddo.luks
> done.
where does this "STICK!" come from?
which version of cryptsetup did you use before? i believe that this was
1.0.4~rc2-1 because 1.0.4-1 introduced 'set -e' for the initscript.
> > also, how are permissions of the keyfile?
>
> the keyfile is on a vfat usb-stick, permissions are:
> # ls -alh /media/usbstick/keyfile-shinkupaddo.luks
> -rwxr-xr-x 1 root root 256 2006-08-28 09:08 /media/usbstick/keyfile-shinkupaddo.luks
>
> Because of this I get the insecure mode message (as I did in prior
> versions too, but there the luks partition was open after that)
> As I understand, the behavior should be "give warning, but
> continue" (check_key || continue) - am I right?
no, 'check_key || continue' actually says 'continue with the next device
if check_key fails'.
i wonder whether this was different in the past.
anyway it's not unusual to keep the key on a vfat usb-stick, so
cryptsetup should be able to cope with this situation.
maybe the permission check should include a check for filesystems
which do not support file permissions, and go on with a warning in these
cases.
...
jonas
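
The behaviour discussed in this message, as an added example (not the cryptsetup initscript and not code from the thread): a loop using the `check_key || continue` idiom under `set -e`, with a permission check that downgrades to a warning when the key file sits on a filesystem that cannot store Unix modes. The names `fs_type_of`, `fs_lacks_modes` and `select_targets`, this `check_key` body and the filesystem list are assumptions; `stat -c` and `stat -f` are used in their GNU coreutils form.

```shell
#!/bin/sh
# Added example; every function here is hypothetical, not the Debian script.
set -e

# Type of the filesystem holding $1 (GNU stat reports vfat as "msdos").
fs_type_of() {
    stat -f -c %T -- "$1"
}

# Filesystems assumed unable to store per-file owner/mode bits.
fs_lacks_modes() {
    case "$1" in
        vfat|msdos|exfat) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the key may be used (possibly with a warning), 1 to refuse it.
check_key() {
    key=$1
    [ -r "$key" ] || { echo "key file $key not readable" >&2; return 1; }
    mode=$(stat -L -c %a -- "$key") || return 1
    # Strict case: no access bits for group or other.
    if [ $((0$mode & 077)) -eq 0 ]; then
        return 0
    fi
    # Mode bits on FAT-like filesystems come from mount options, not the file,
    # so warn and go on instead of refusing the key.
    if fs_lacks_modes "$(fs_type_of "$key")"; then
        echo "warning: $key is on a filesystem without Unix permissions (mode $mode)" >&2
        return 0
    fi
    echo "INSECURE MODE $mode FOR $key, skipping" >&2
    return 1
}

# Reads crypttab-style lines on stdin and prints the targets that pass.
# 'check_key || continue' skips to the next device when the check fails;
# because the failure is the left side of '||', 'set -e' does not abort.
select_targets() {
    opened=""
    while read -r target source key opts; do
        case "$target" in ''|'#'*) continue ;; esac
        check_key "$key" || continue
        opened="$opened $target"
    done
    echo "${opened# }"
}
```

Feed it a crypttab with `select_targets < /etc/crypttab` to see which targets the check would let through; nothing is opened or modified.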