[Pkg-cryptsetup-devel] Bug#487256: Bug#487256: cryptsetup: add dep-scripts option to crypttab

Jonas Meurer jonas at freesources.org
Sat Jun 21 11:20:27 UTC 2008


On 20/06/2008 Christoph Anton Mitterer wrote:
> I'd like to have something like a dep-scripts=script1,script2,... option
> added to crypttab and supported by all of cryptsetup's hooks/scripts
> from and for the initrd and the normal boot-scripts and so on ...
> 
> The meaning should be the following:
> Before the keyscript is invoked with the key-file as its parameter, all
> dep-scripts are invoked in order.
> 
> The main idea behind this is that the dep-scripts could do tasks
> like:
> - mount the filesystem where you find the key-file
>   (That's my main reason, as I need all this in the initrd of a USB
> stick from which I boot, and the USB-stick must be mounted in order to
> have access to the keyfile. I don't want to put the key file in the
> initrd itself)
> - kill insecure applications that might otherwise get access to the
> keyfile
> - etc.
> 
> Any ideas?
> 
> I also thought about making this a parameter to the key-script itself,
> but I don't think that making the key-file available is the key-script's
> task, is it?

I would say that exactly this is what keyscripts are for. Do anything
that is needed to make the keyfile/passphrase available to cryptsetup.

And I don't think that yet another option should be added to crypttab,
it's already too bloated. You should really implement such tasks in your
keyscripts directly.

Also, if you need to mount a device to read the key from, passdev, a
keyscript recently added to the cryptsetup package and developed by
David, is your friend. Please see README.initramfs, section '10. The
"passdev" keyscript', for more information.

greetings,
 jonas
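
The approach suggested in the reply, doing the mount inside the keyscript itself, as an added example that is not part of the original mail and is not the passdev script from the cryptsetup package. It assumes the third crypttab field has the form `<device>:<path>`; the `KS_MOUNT`/`KS_UMOUNT` overrides and all function names are hypothetical.

```shell
#!/bin/sh
# Added example keyscript (not passdev, not from the cryptsetup package).
# crypttab's third field arrives as $1; the format assumed here is
# "<device>:<path-on-device>" (the device path must not contain ':').
# Only the key goes to stdout; all diagnostics go to stderr.
KS_MOUNT=${KS_MOUNT:-mount}     # hypothetical override hooks so the logic
KS_UMOUNT=${KS_UMOUNT:-umount}  # can be exercised without root

# Split "<device>:<path>" into ks_dev / ks_path; reject malformed specs.
parse_keyspec() {
    case $1 in
        *:*) ;;
        *) echo "keyscript: expected <device>:<path>" >&2; return 1 ;;
    esac
    ks_dev=${1%%:*}
    ks_path=${1#*:}
    if [ -z "$ks_dev" ] || [ -z "$ks_path" ]; then
        echo "keyscript: empty device or path" >&2; return 1
    fi
    case "/$ks_path/" in
        */../*) echo "keyscript: '..' not allowed in key path" >&2; return 1 ;;
    esac
}

# Mount the key device read-only, write the key to stdout, always unmount.
emit_key() {
    parse_keyspec "$1" || return 1
    ks_mnt=$(mktemp -d) || return 1
    # ro + nosuid,nodev,noexec: the key medium is treated as data only.
    if ! $KS_MOUNT -o ro,nosuid,nodev,noexec "$ks_dev" "$ks_mnt" >&2; then
        rmdir "$ks_mnt" || true
        return 1
    fi
    ks_rc=0
    cat "$ks_mnt/$ks_path" || ks_rc=1
    # Unmount even if reading failed, so the key medium does not stay mounted.
    $KS_UMOUNT "$ks_mnt" >&2 || ks_rc=1
    rmdir "$ks_mnt" 2>/dev/null || true
    return $ks_rc
}

# Invoked as a keyscript: cryptsetup's hooks pass the key field as $1.
if [ "$#" -gt 0 ]; then
    emit_key "$1"
fi
```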
