[pkg-cryptsetup-devel] Several minor questions (hopefully) ;)

Christoph Anton Mitterer calestyo at scientia.net
Sat Dec 13 23:33:55 UTC 2008


Hi folks.

I'm still (from time to time) working on some keyscripts for OpenPGP
encrypted dm-crypt/LUKS-keys and I'd have some minor questions about how
things are intended to work:

1) The askpass binary, ... is it intended to be always used when entering
passwords? I mean regardless whether from initramdisk or normal system?
   Is it guaranteed that it will be always available at the same location
(/lib/cryptsetup/askpass) for both, initramdisk and normal system?
   Is it guaranteed that even in future versions of the cryptsetup-package
you'll include it in the initramdisk via the cryptroot-hook?

2) Can help functions like log_success_msg, panic, etc. also be used from
keyscripts, and if so from both initramdisk and normal system? (I suppose
not.)

3) Would it be possible to move the location from the keyscripts within the
initramdisk to the same location as in the normal system? I mean from
/keyscripts/ to /lib/cryptsetup/scripts/. Would be more consistent IMHO,
and might be of advantage when you look for these files from other scripts
or so.

4) It seems that when I specify something like keyscript=decrypt_ssl in
crypttab this works from initramdisk, but not from normal system (it
complains that it doesn't find the script). Could this be a bug? Perhaps
it's also "related" to 3).

5) The cryptpassdev hook mentions a mountdev script. I'd like to have a
look at it but cannot find it :-(

6) What's the proper/intended way for hooks to get configuration settings?
   The idea behind this is the following, I have a hook that adds gnupg to
the initramdisk and a keyscript that uses it. But there are two versions of
gnupg (gnupg and gnupg2). In the "near future" these packages will use the
alternatives mechanism (see bug #503921). Per default I'd like to include
the gpg selected by the alternatives mechanism but it would be nice to let
the user force the use of gnupg1 or gnupg2 (regardless of the selected
alternative).
   Should I just look for some configuration file in /etc/defaults or do
you have any better idea?

7) What are the duties of a keyscript? Is it just plain decrypting and
reporting whether this was successful (exit 0) or not (exit 1) or also
retries, timeouts, etc? Or is this handled "above"?

Thanks so far for your help :-)

Best wishes from Munich,
Chris.
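
The selection described in question 6, sketched as an added example that is not part of the original post or of the cryptsetup package: default to the `gpg` that the alternatives mechanism points at, with an optional override from a configuration file. The configuration file format, the `GPG_VARIANT` variable and the `gpg1`/`gpg2` binary names are assumptions.

```shell
#!/bin/sh
# Added example: choose which gpg binary an initramfs hook should copy.
# Assumptions (not from the post): the config file format, the GPG_VARIANT
# variable, and the binary names gpg1 / gpg2 for the forced variants.

# select_gpg CONFIG_FILE SEARCH_PATH
# Prints the path of the chosen binary; returns 1 if the setting is
# unknown or the binary is not present in SEARCH_PATH (colon-separated).
select_gpg() {
    conf=$1
    search=$2
    variant=default

    # Parse the setting instead of sourcing the file: hooks run as root, and
    # sourcing would execute anything that ends up in the config file.
    if [ -r "$conf" ]; then
        value=$(sed -n 's/^GPG_VARIANT=//p' "$conf" | tail -n 1)
        if [ -n "$value" ]; then variant=$value; fi
    fi

    # Only the literal values below are accepted; quoting, command
    # substitutions or typos in the file are rejected, not interpreted.
    case $variant in
        default) name=gpg ;;   # whatever the alternatives mechanism selected
        gnupg1)  name=gpg1 ;;
        gnupg2)  name=gpg2 ;;
        *) echo "select_gpg: unknown GPG_VARIANT '$variant'" >&2; return 1 ;;
    esac

    # Resolve only within the given directories, not the caller's PATH.
    old_ifs=$IFS; IFS=:
    for dir in $search; do
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    echo "select_gpg: $name not found in $search" >&2
    return 1
}
```

A hook would call it with a fixed search path such as `/usr/bin:/bin` and abort the initramfs build on a non-zero return instead of silently including a different binary.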


