[pkg-cryptsetup-devel] Bug#996181: cryptsetup-initramfs: Unable to use keyfile to decrypt rootfs

Guilhem Moulin guilhem at debian.org
Mon Oct 11 22:11:44 BST 2021


Control: severity -1 wishlist

Hi,

On Mon, 11 Oct 2021 at 22:28:31 +0200, Mateusz Jończyk wrote:
> Currently, it is not possible to use a keyfile to decrypt the root
> file system. I would like to use such a setup, so I'm attaching a
> short patch for crypttab to make this work.

IMHO this is too use-case specific and on most setups it'd just lock
users out of their system, so I'm reluctant to adopt this.

> Using a keyfile on the first volume to decrypt the second one does not
> make it necessary to type the password twice on boot.
> […]
> Probably the best solution would be to allow decrypting more than one
> LUKS container with a single password. This will also make converting
> existing systems to encrypted storage easier. I'll try to add relevant
> support to cryptsetup-initramfs and post a separate patch.

We already have solutions for this, see
/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz §9 and §10, as
well as /usr/share/doc/cryptsetup/README.keyctl.  (For LUKS2 one can also
use the builtin kernel keyring support, but one needs to work around
the password prompt.)

-- 
Guilhem.
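The crypttab fragment below is an added illustration of the keyctl approach Guilhem points to; it is not part of the message, the attached patch, or the cryptsetup package documentation. The UUIDs are placeholders, `crypt_disks` is an arbitrary key identifier chosen for the example, and the target names are assumed.

```text
# /etc/crypttab (constructed example; UUIDs are placeholders)
# <target name>  <source device>                              <key file>   <options>

# Root volume: the "key file" field is used by decrypt_keyctl as a key
# identifier, not as a path. The passphrase typed at the prompt is cached
# in the kernel keyring under that identifier.
sda2_crypt  UUID=00000000-0000-0000-0000-00000000aaaa  crypt_disks  luks,keyscript=decrypt_keyctl

# Second volume: same identifier, so the cached passphrase is reused and
# no second prompt appears. 'initramfs' asks cryptsetup-initramfs to include
# this entry even though it is not the root device.
sdb1_crypt  UUID=00000000-0000-0000-0000-00000000bbbb  crypt_disks  luks,keyscript=decrypt_keyctl,initramfs
```

This only works when both containers accept the same passphrase, and the keyscript has to be present in the initramfs (run `update-initramfs -u` after editing crypttab). Because the passphrase is cached in the kernel keyring only for the duration of the boot, the exposure differs from the keyfile-on-disk approach discussed in the report: there is no plaintext key material to protect on the first volume's filesystem.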