[pkg-cryptsetup-devel] Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

Christoph Anton Mitterer calestyo at scientia.net
Sat Jul 7 00:52:46 BST 2018


Hey Guilhem.


Looks awesome at a first glance,.. I'll have a more thorough look at it
the next days...

One thing however comes just to my mind, i.e. another use case (that my
hook script would already do):

In my crypttab 3rd field, I allow some option to be included like
"include_key_in_initramfs".
That's basically a mutually exclusive alternative to the
device=...:path=... option where the keyscript loads+gpg-decrypts the
key from that device in that relative path.

As the name implies, it includes the gpg-encrypted key in the initramfs
images at their creation time (taking *just* path=... as its location
in the filesystem).
(For security reasons this is what I'd not suggest, though.)


Now when my initramfs hook copies that to the initramfs, it needs to
store it in some place where it can be later found by the keyscript.
Currently, the path is hardcoded in my hook script (only).
Until the big changes in the recent upgrades to cryptsetup, the hook
then modified the:
.../conf/conf.d/cryptroot
file to contain path=<pathWithinTheInitramfs> in the 3rd field (instead
of the original path=<pathWithinTheNormalFilesystem>.


So the use case is, that people may also wish to modify parts of the 
.../cryptroot/crypttab file from their hook scripts... and that it
could be nice to have an interface for that as well.

What do you think? :-)

Cheers,
Chris.



More information about the pkg-cryptsetup-devel mailing list