Bug#394134: [Pkg-cryptsetup-devel] Bug#394134: cryptsetup: does not open luks partitions with filekeys during boot

Evgeni Golov sargentd at die-welt.net
Sat Oct 21 18:41:13 UTC 2006


On Sat, 21 Oct 2006 20:15:07 +0200 Jonas Meurer <jonas at freesources.org>
wrote:

> > # /etc/init.d/cryptdisks start
> > Starting remaining crypto disks...STICK!
> >  home(starting)
> >  - INSECURE MODE FOR /media/usbstick/keyfile-shinkupaddo.luks
> > done.
> 
> where does this "STICK!" come from?

Heh, oops, that's from my 'echo "STICK!"; read' in do_mounts, because I
need a delay for loading the usb-storage etc.
 
> which version of cryptsetup did you use before? i believe that this
> was 1.0.4~rc2-1 because 1.0.4-1 introduced 'set -e' for the
> initscript.

dpkg.log says:
upgrade cryptsetup 2:1.0.4~rc2-1 2:1.0.4-2 (and afterwards to -3)
so you're correct.

> > > also, how are permissions of the keyfile?
> > 
> > the keyfile is on a vfat usb-stick, permissions are:
> > # ls -alh /media/usbstick/keyfile-shinkupaddo.luks
> > -rwxr-xr-x 1 root root 256 2006-08-28 09:08 /media/usbstick/keyfile-shinkupaddo.luks
> > 
> > Because of this I get the insecure mode message (as I did in prior
> > versions too, but there the luks partition was open after that)
> > As I understand, the behavior should be "give warning, but
> > continue" (check_key || continue) - am I right?
> 
> no, 'check_key || continue' actually says 'continue with the next
> device if check_key fails'.
> i wonder whether this was different in the past.

It worked with rc2, the warning came and partition was opened. But I
dunno why ;-)

> anyway it's not unusual to keep the key on a vfat usb-stick, so
> cryptsetup should be able to cope with this situation.
> 
> maybe the permission check should include a check for filesystems
> which do not support file permissions, and go on with a warning in
> these cases.

Yep, that's a good idea.
Another one I had: check if mountpoint is inside /media/ and wait for
user action (inserting stick and waiting for driver) which is now done by
my 'read', because identifying the usb stick on boot is too slow and
mounting fails. Isn't related to this "bug" but would be nice ;)

Regards
Evgeni
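
The permission check proposed in the thread (warn but continue when the key sits on a filesystem without file permissions, skip the device otherwise), sketched as an added example that is not part of the original message or of the cryptsetup initscript. The helper names, the list of permission-less filesystem types and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical, not the cryptdisks script.

# Filesystems that store no POSIX mode bits: the mode ls shows comes from
# mount options, not from the file. Assumed list (GNU stat reports vfat
# as "msdos", /proc/mounts as "vfat").
fs_lacks_perms() {
    case "$1" in
        vfat|msdos) return 0 ;;
        *) return 1 ;;
    esac
}

# key_verdict MODE FSTYPE -> prints ok, warn or fail.
# MODE is octal as printed by `stat -c %a`, e.g. 755 or 600.
key_verdict() {
    if [ $(( 0$1 & 077 )) -eq 0 ]; then
        echo ok                      # no group/other access
    elif fs_lacks_perms "$2"; then
        echo warn                    # bits cannot be tightened on this fs
    else
        echo fail                    # real, fixable permission problem
    fi
}

# check_key FILE [FSTYPE]: returns 0 when the key may be used.
# FSTYPE defaults to what GNU `stat -f -c %T` reports for FILE.
check_key() {
    [ -r "$1" ] || { echo " - cannot read $1" >&2; return 1; }
    fstype=${2:-$(stat -f -c %T "$1")}
    case $(key_verdict "$(stat -c %a "$1")" "$fstype") in
        ok)   return 0 ;;
        warn) echo " - INSECURE MODE FOR $1 ($fstype has no file permissions)" >&2
              return 0 ;;
        *)    echo " - INSECURE MODE FOR $1, skipping" >&2
              return 1 ;;
    esac
}

# Caller pattern from the thread: a failed check skips the device, and the
# `||` keeps the non-zero status from aborting a script running `set -e`.
# open_keys prints the key files that would be handed to cryptsetup.
open_keys() {
    for key in "$@"; do
        check_key "$key" || continue
        echo "$key"
    done
}
```
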