[pkg-cryptsetup-devel] Bug#610750: Bug#610750: cryptsetup: decrypt_keyctl script needs an initramfs hook to pull in /bin/keyctl

Jonas Meurer jonas at freesources.org
Sun Jan 23 16:13:18 UTC 2011


Hey Maik,

On 22/01/2011 Maik Zumstrull wrote:
> See subject. Additionally, the key script should fall back to unlocking
> just a single device at a time if keyctl doesn't work for any reason. I'd
> rather enter the passphrase several times than be left with an
> unbootable system. Speaking of an unbootable system, that possibility might
> technically qualify this bug for "critical". I'm not setting it myself,
> but please consider it.

you're correct about the subject. the cryptkeyctl initramfs hook already
existed, I just forgot to install it into the binary package up to now.
Will be fixed with the next upload of cryptsetup.

your second point is about a fallback. so far, the cryptdisks/crypttab
implementation doesn't support fallback for failed unlocking. and in my
opinion it never should do so by default at all, for security reasons. I
might implement a fallback solution for keyscripts in the future, and
patches are always welcome. But this feature request is already
documented in bug report #438481.

greetings,
 jonas