[pkg-cryptsetup-devel] Bug#587222: Bug#587222: cryptsetup does not/cannot close dm-crypt devices, if root-fs is on it, but does also not warn about it

Christoph Anton Mitterer calestyo at scientia.net
Sun Jun 27 12:10:34 UTC 2010


On Sun, 2010-06-27 at 11:46 +0200, Milan Broz wrote:
> You cannot use luksSuspend for plain device, but you can use dmsetup.
> I described this long time ago here (probably before luksSuspend was
> even implemented)
> 
> http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/2859
> Maybe I can add some "kill key" for plain device command to cryptsetup?

I guess that would be nice, because then we wouldn't have to use the
underlying thingy so often directly, which is IMHO cleaner.


> (The problem is that in LUKS you can check that calculated key is correct,
> so luksResume is possible. In plain crypt device you are simply providing key
> so there cannot be perfect equivalent of Resume - any key will fit and if
> it is not correct, your data will be corrupted later.)

Isn't that solved by our nice checkscripts which test whether any known
filesystem was decrypted?
But this is not yet used within initramfs images, right?
And probably not at all with resume-devices...?


Nevertheless,... I got this right, that neither luksSuspend nor deleting
the key directly via dmsetup works for root-fs, right?

So...
a) we still need to solve that
b) If e.g. Jonas would simply delete all remaining keys via dmsetup in
the end.... would we end up with data corruption (if someone
reads/writes from/to root-fs)?
c) we should try to not produce useless error messages


Cheers,
Chris.
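
The check discussed in this message, as an added example that is not part of the original post and is not the Debian cryptsetup check scripts: a plain dm-crypt mapping accepts any key, so the only test available is whether the decrypted start of the device carries a known filesystem signature. The signature table, the 4 KiB swap page size, the function names and both sample buffers are assumptions constructed for the example.

```python
import struct

# (name, byte offset, magic) for a few on-disk signatures. The swap offset
# assumes a 4 KiB page size.
SIGNATURES = [
    ("ext2/3/4", 0x438, struct.pack("<H", 0xEF53)),  # s_magic, superblock at 1024
    ("xfs", 0x0, b"XFSB"),
    ("swap", 4096 - 10, b"SWAPSPACE2"),              # end of the first page
    ("btrfs", 0x10040, b"_BHRfS_M"),
]
PROBE_LEN = 0x10040 + 8  # enough bytes to cover the deepest signature


def detect_fs(head: bytes):
    """Return the name of the first signature found in `head`, else None."""
    for name, off, magic in SIGNATURES:
        if head[off:off + len(magic)] == magic:
            return name
    return None


def read_head(path: str) -> bytes:
    """Read the probe window from a mapped device or image file."""
    with open(path, "rb") as dev:
        return dev.read(PROBE_LEN)


def false_accept_probability(magic_len: int) -> float:
    """Chance that uniformly random plaintext matches a magic of this length.

    A wrong key yields effectively random bytes, so a short magic such as the
    2-byte ext one can pass by accident."""
    return 2.0 ** (-8 * magic_len)


def constructed_ext_head() -> bytes:
    """Constructed sample: zeroed buffer with only the ext magic filled in."""
    buf = bytearray(PROBE_LEN)
    buf[0x438:0x43A] = struct.pack("<H", 0xEF53)
    return bytes(buf)


def constructed_garbage_head() -> bytes:
    """Constructed stand-in for the output of decrypting with a wrong key."""
    return bytes((i * 131 + 7) % 256 for i in range(PROBE_LEN))


if __name__ == "__main__":
    for label, head in (("right key", constructed_ext_head()),
                        ("wrong key", constructed_garbage_head())):
        print(label, "->", detect_fs(head) or "no known filesystem")
```

A match only shows that the first sectors decrypted to something plausible. It cannot validate a key for a device that carries no recognisable signature.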