[pkg-cryptsetup-devel] Bug#867850: cryptsetup: Feature Request: Parallel unlock via keyfile or password on boot

M. Buecher maddes+debian at maddes.net
Sun Jul 9 21:50:18 UTC 2017


Package: cryptsetup
Version: 2:1.7.3-4
Severity: wishlist

Dear Maintainer,

it would be great to have both possibilities in parallel to unlock
an encrypted root file system. 2 key slots used, one with the password
and the other with the key file.

Use cases:
* USB stick plugged in when at home
* SSH remote password when working as road warrior

Expected behaviour:
* Console/plymouth: hint about key file plus prompt for password
* SSH: cryptroot-unlock to prompt for password (as is)

Test cases:
* Correct USB stick already plugged in, direct boot of encrypted root file system
* Correct USB stick missing on boot, hint plus prompt on console/plymouth
  * Wrong USB stick inserted, no reaction
  * Correct USB stick inserted, boot of encrypted root file system
  * Password entered on console/plymouth or via SSH and cryptroot-unlock, 
    boot of encrypted root file system

Martin van Beurden already did something similar for Debian 7.8, maybe
an interesting reference to start from.
https://martinvanbeurden.nl/blog/luks-unlock-with-ssh-or-usb/

Regards
Maddes


-- Package-specific info:

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cryptsetup depends on:
ii  cryptsetup-bin         2:1.7.3-4
ii  debconf [debconf-2.0]  1.5.61
ii  dmsetup                2:1.02.137-2
ii  libc6                  2.24-11+deb9u1

Versions of packages cryptsetup recommends:
ii  busybox                                 1:1.22.0-19+b3
ii  console-setup                           1.164
ii  initramfs-tools [linux-initramfs-tool]  0.130
ii  kbd                                     2.0.3-2+b1

Versions of packages cryptsetup suggests:
pn  dosfstools              <none>
pn  keyutils                <none>
ii  liblocale-gettext-perl  1.07-3+b1

-- debconf information:
  cryptsetup/prerm_active_mappings: true


