[pkg-cryptsetup-devel] Bug#866786: unlock all crypto devices in cryptroot-unlock (remote SSH-based unlocking)

Guilhem Moulin guilhem at debian.org
Tue Jul 4 17:02:24 UTC 2017


On Tue, 04 Jul 2017 at 10:47:36 -0400, Antoine Beaupré wrote:
> On 2017-07-04 10:34:04, Guilhem Moulin wrote:
>> On Mon, 03 Jul 2017 at 19:08:52 -0400, Antoine Beaupré wrote:
>>> thanks, i guess this is done? or do we need to document the "initramfs"
>>> tag in crypttab better?
>>
>> Anything in particular you have in mind?  crypttab(5) currently reads:
>>
>>   initramfs
>>       The initramfs hook processes the root device, any resume devices
>>       and any devices with the “initramfs” option set.  These devices
>>       are processed within the initramfs stage of boot.  As an
>>       example, that allows the use of remote unlocking using dropbear.
> 
> I did see that, but only after you mentioned it. I guess the problem is
> the documentation is kind of split up all over the place.

Fair enough, the documentation needs some love…  Your setup is probably
not very common but if other DDs have trouble with our docs I'm not too
hopeful about wider adoption :-(

> There's that README.Debian, then there's:
> 
> * /usr/share/doc/cryptsetup/README.initramfs.gz
> * "Some keyscripts have an own README file at
>  /usr/share/doc/cryptsetup/"
> * crypttab(5), cryptdisks_start(8) and cryptdisks_stop(8)
> * /usr/share/doc/cryptsetup/FAQ.gz
> * /usr/share/doc/dropbear-initramfs/README.initramfs
> 
> Which one is relevant here? Probably the last one? Who knows! :)

Yup, and it contains the following paragraph:

Unlocking procedure
-------------------

You can unlock your rootfs on bootup remotely, using SSH to log in to
the booting system while it's running with the initramfs mounted.
Consult cryptsetup's /usr/share/doc/cryptsetup/README.Debian section 8
for details.

> In this case, I should have read README.initramfs and crypttab(5) but
> even the latter is not clearly outlined in Sec. 8 of the
> README.Debian...

Alright, I think I understood the source of the confusion now.  I'll add
a paragraph to clarify that Sec. 8 applies to any device unlocked at
initramfs stage, not only the root device; and that to force the device
to be unlocked at initramfs stage one might need to add the 'initramfs'
option to its crypttab(5) entry.  I'll think about the wording over
night ;-)  Anyway, this is beyond the scope of this bug.

-- 
Guilhem.
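
The rule quoted from crypttab(5) above (root device, resume devices, and entries carrying the 'initramfs' option are handled at initramfs stage), as an added example that is not part of the original message and is not cryptsetup's own code. The sample crypttab, the target names and the helper functions are constructed for illustration; the caller passes in the root and resume target names, which the real hook works out by itself.

```python
# Added example: classify crypttab(5) entries by whether the initramfs hook
# would process them, following the crypttab(5) text quoted in this thread.
# The crypttab content, UUIDs and target names below are constructed.

SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
root_crypt   UUID=00000000-0000-0000-0000-000000000001 none luks
swap_crypt   UUID=00000000-0000-0000-0000-000000000002 none luks
data_crypt   UUID=00000000-0000-0000-0000-000000000003 none luks,initramfs
backup_crypt UUID=00000000-0000-0000-0000-000000000004 none luks,discard
"""


def parse_crypttab(text):
    """Return a list of (target, source, keyfile, options) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed entry: no source device
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = [o for o in fields[3].split(",") if o] if len(fields) > 3 else []
        entries.append((fields[0], fields[1], keyfile, options))
    return entries


def classify(text, root_target, resume_targets=()):
    """Split targets into (handled at initramfs stage, left for later boot)."""
    early, late = [], []
    for target, _source, _keyfile, options in parse_crypttab(text):
        # Assumption: the caller names the root and resume mappings.
        if target == root_target or target in resume_targets or "initramfs" in options:
            early.append(target)
        else:
            late.append(target)
    return early, late


if __name__ == "__main__":
    early, late = classify(SAMPLE_CRYPTTAB, "root_crypt", ("swap_crypt",))
    print("unlocked at initramfs stage:", ", ".join(early))
    print("needs the 'initramfs' option to be unlocked there:", ", ".join(late))
```

In the constructed sample, backup_crypt is the kind of entry discussed in this bug: it is neither root nor resume, so it is only unlocked at initramfs stage once 'initramfs' is added to its options field.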