[pkg-cryptsetup-devel] Bug#994028: cryptsetup: manpage improvements

Christoph Anton Mitterer calestyo at scientia.net
Fri Sep 10 03:49:00 BST 2021


Package: cryptsetup
Version: 2:2.4.0-1
Severity: wishlist


Hi.

I think the following might be improved in the crypttab(5) manpage:

1) discard
Apart from the fact that I think it's a pretty bad idea to enable
this per default (security wise, and especially since more recent
SSDs allegedly no longer benefit so much from TRIM, if at all)...

It should be made clearer that the installer simply adds the option
to crypttab (and there is no hidden changed default in Debian's
cryptsetup binary).
Perhaps just add a sentence that it's enough to remove the
flag from crypttab if someone doesn't want it?



2) For options like check=<check> or tmp=<tmpfs> my understanding is
that if one just adds "tmp" or "check", then and only then is it enabled
with the mentioned default (e.g. "ext4" and blkid).

It should be made clearer that the default is only about the *value*
if no =<value> is given, and not about the flag itself.
I.e. "tmp" actually means "tmp=ext4", but no "tmp" at all doesn't mean
that "tmp" is implicitly set to "ext4".



3) loud
"Be loud. Print warnings if a device does not exist. This option overwrites the option loud."
=> should probably read that it overwrites "quiet"?



4) keyscript=
           WARNING: With systemd as init system, this option might be ignored.
           At the time this is written (December 2016), the systemd cryptsetup
           helper doesn't support the keyscript option to /etc/crypttab. For
           the time being, the only option to use keyscripts along with
           systemd is to force processing of the corresponding crypto devices
           in the initramfs. See the 'initramfs' option for further
           information.

Not sure, but that seems a bit misleading:
Even *with* systemd that option is not ignored, at least not by e.g. the cryptsetup
package and its tools themselves.
So I can just happily use my own keyscript *outside of the initramfs* with e.g.
cryptdisks_st*.

What does not work is systemd's own cryptsetup support stuff.

It may make sense to advise people that there is the 'luks.crypttab=no'
kernel command line option, as described in systemd-cryptsetup-generator(8),
which causes systemd to ignore any device configured in /etc/crypttab:
       luks.crypttab=, rd.luks.crypttab=
           Takes a boolean argument. Defaults to "yes". If "no", causes the
           generator to ignore any devices configured in /etc/crypttab
           (luks.uuid= will still work however).  rd.luks.crypttab= is honored
           only by initial RAM disk (initrd) while luks.crypttab= is honored
           by both the main system and the initrd.


Cheers,
Chris.
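To make points 2) and 3) concrete, here is a small crypttab option parser with an audit pass over the resulting entries. It is an added example, not code from cryptsetup or Debian, and it only models the semantics quoted in the report: a value-less "tmp" or "check" flag enables the feature with its documented default value ("ext4" / "blkid"), an absent flag leaves it disabled, and "loud"/"quiet" override each other. The sample crypttab content, the UUID and the keyscript path are constructed for the example.

```python
"""Toy parser for /etc/crypttab option fields (added example, not
Debian's cryptsetup code). It models the semantics the report asks
the crypttab(5) manpage to spell out; all sample data is constructed."""

# Defaults that apply only when the flag is written without "=<value>".
# Values taken from the crypttab(5) text quoted in the report.
VALUE_DEFAULTS = {"tmp": "ext4", "check": "blkid"}

# Mutually exclusive boolean flags: the last one written wins.
EXCLUSIVE = {"loud": ("quiet",), "quiet": ("loud",)}


def parse_options(field):
    """Parse the 4th crypttab column ("opt1,opt2=val,...") into a dict.

    A flag without a value maps to True, unless it has a documented
    value default, in which case it maps to that default. A flag that
    is absent does not appear in the result at all.
    """
    opts = {}
    if field in ("", "-", "none"):
        return opts
    for raw in field.split(","):
        if not raw:
            continue
        key, sep, value = raw.partition("=")
        if sep:
            opts[key] = value
        elif key in VALUE_DEFAULTS:
            opts[key] = VALUE_DEFAULTS[key]
        else:
            opts[key] = True
        # "loud" overrides a previous "quiet" and vice versa.
        for other in EXCLUSIVE.get(key, ()):
            opts.pop(other, None)
    return opts


def parse_crypttab(text):
    """Parse crypttab content into a list of per-device dicts.

    Columns are: target name, source device, key file, options.
    Comments and blank lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed crypttab line: %r" % line)
        target, source = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = parse_options(fields[3] if len(fields) > 3 else "")
        entries.append({"target": target, "source": source,
                        "key": keyfile, "options": options})
    return entries


def audit(entries):
    """Return, per target, the option-related findings worth reviewing."""
    findings = {}
    for entry in entries:
        opts = entry["options"]
        notes = []
        if "discard" in opts:
            # TRIM passthrough reveals which blocks of the container are unused.
            notes.append("discard enabled: free-space pattern visible on the disk")
        if "keyscript" in opts:
            notes.append("keyscript set: ignored by systemd's cryptsetup helper "
                         "unless the device is processed in the initramfs")
        findings[entry["target"]] = notes
    return findings


# Constructed sample crypttab; the UUID and keyscript path are placeholders.
SAMPLE_CRYPTTAB = """\
# constructed sample, not a real system's crypttab
sda5_crypt UUID=00000000-0000-0000-0000-000000000000 none luks,discard
swap_crypt /dev/sdb2 /dev/urandom swap,cipher=aes-xts-plain64,size=256
tmp_crypt  /dev/sdb3 /dev/urandom tmp,quiet,loud
data_crypt /dev/sdc1 none luks,check,keyscript=/usr/local/sbin/example-keyscript
"""

if __name__ == "__main__":
    for entry in parse_crypttab(SAMPLE_CRYPTTAB):
        print(entry["target"], entry["options"])
    for target, notes in audit(parse_crypttab(SAMPLE_CRYPTTAB)).items():
        for note in notes:
            print("%s: %s" % (target, note))
```

Running it shows tmp_crypt resolving to tmp=ext4 with only "loud" surviving, data_crypt resolving to check=blkid, and swap_crypt carrying no "tmp" or "check" key at all, which is exactly the distinction point 2) asks the manpage to make explicit.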


