Bug#786393: Workaround to keep systemd-cryptsetup-generator from decrypting an already mounted root device through a Debian /etc/crypttab keyscript
Pier Paolo Franco
pierpaolo.franco at gmail.com
Sat Aug 6 14:36:37 BST 2016
After some googling I derived an ugly keyscript for /etc/crypttab to
decrypt the root disk (as per the standard whole-disk encryption Debian install).
I managed to prevent the 90s delay annoyance by hardcoding the device UUID in
the script instead of in the crypttab file.
This allows plain aptitude updates (without the need to change
/etc/crypttab at any update-initramfs) and somehow prevents systemd magic. I
hope it will also permit subsequent systemd crypto logic.
Note that I use a raw (unpartitioned) USB stick to hold the key, and in its
absence the keyscript nicely falls back to the cryptsetup askpass CLI.
It shouldn't be too difficult to extend the script for more complex
solutions (e.g. deriving the correct device UUID and/or the key seek position from
the crypto mapper name).
~$ cat /etc/crypttab
<CryptName> UUID=<ROOTID> none luks,discard,keyscript=/opt/passphrase-from-usb

~$ cat /opt/passphrase-from-usb
#!/bin/sh
set -e

# Key device is hardcoded here rather than in the crypttab key field.
CRYPTTAB_KEY="/dev/disk/by-id/<usb-UUID>"

# Marker file: only try the USB key on the first invocation.
if ! [ -e /root/passphrase-from-usb-done ]; then
    touch /root/passphrase-from-usb-done
    if [ -e "$CRYPTTAB_KEY" ]; then
        echo "Unlocking $CRYPTTAB_NAME..." >&2
        # Emit the key bytes stored at the given offset on the raw stick.
        dd if="$CRYPTTAB_KEY" bs=1 skip=<KEYSKIP> count=<KEYCOUNT> 2>/dev/null
        exit
    fi
fi

# Stick absent (or already tried): fall back to an interactive prompt.
/lib/cryptsetup/askpass "Enter passphrase: "
Thanks.
ppf
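The extension the post suggests at the end (deriving the key device and the key offset from the crypto mapper name) as an added example keyscript; this is editor-written code, not the poster's script or Debian's. It assumes the mapper name arrives in CRYPTTAB_NAME as Debian's cryptsetup hooks export it, and the device paths, offsets and lengths in key_table are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's script: a crypttab keyscript that
# derives the key device and the byte offset on it from the mapper name
# ($CRYPTTAB_NAME, which Debian's cryptsetup hooks export to keyscripts),
# and falls back to askpass when the key device is not present.
# The device paths, offsets and lengths in key_table are constructed placeholders.
set -e

# One line per mapping: "<mapper name> <key device> <skip bytes> <count bytes>".
key_table() {
    cat <<'EOF'
sda5_crypt /dev/disk/by-id/usb-KEYSTICK-0:0 0 256
home_crypt /dev/disk/by-id/usb-KEYSTICK-0:0 256 256
EOF
}

# Prints "<device> <skip> <count>" for mapper $1; returns 1 if it is unknown.
lookup_key() {
    key_table | awk -v name="$1" \
        '$1 == name { print $2, $3, $4; found = 1 } END { exit !found }'
}

# Writes <count> key bytes from <device> at offset <skip> to stdout;
# returns 1 if the device (or a plain file, when testing) does not exist.
read_key_at() {  # read_key_at <device> <skip> <count>
    [ -e "$1" ] || return 1
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Looks up mapper $1 and emits its key, or returns 1 so the caller can fall back.
read_key() {
    loc=$(lookup_key "$1") || return 1
    # Word splitting of "$loc" into device, skip and count is intended here.
    read_key_at $loc
}

# Entry point when cryptsetup runs this file as a keyscript.
main() {
    if read_key "${CRYPTTAB_NAME:-}"; then
        exit 0
    fi
    # No table entry or no stick plugged in: ask interactively, as the original does.
    exec /lib/cryptsetup/askpass "Enter passphrase for ${CRYPTTAB_NAME:-root}: "
}

# Only run main when invoked by cryptsetup (it sets CRYPTTAB_NAME).
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    main
fi
```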