Bug#786393: Workaround to keep systemd-cryptsetup-generator from decrypting an already mounted root device through Debian /etc/crypttab keyscript
Pier Paolo Franco
pierpaolo.franco at gmail.com
Sat Aug 6 14:36:37 BST 2016
After some googling I derived an ugly keyscript for /etc/crypttab to
decrypt the root disk (as per a standard whole-disk encryption Debian install).

I managed to prevent the 90s delay annoyance by hardcoding the device UUID in
the script instead of in the crypttab file.
This allows plain aptitude updates (without the need to change
/etc/crypttab at any update-initramfs) and somehow prevents systemd magic. I
hope it will also permit subsequent systemd crypto logic.

Note that I use a raw (unpartitioned) USB stick to hold the key, and in its
absence the keyscript nicely falls back to the cryptsetup askpass CLI.

It shouldn't be too difficult to extend the script for more complex
solutions (e.g. deriving the correct device UUID and/or seek key position from
the crypto mapper name).

~$ cat /etc/crypttab
<CryptName> UUID=<ROOTID> none luks,discard,keyscript=/opt/
~$ cat /opt/passphrase-from-usb
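#!/bin/sh
if ! [ -e /root/passphrase-from-usb-done ]; then   # skip once the flag file exists
    if [ -e "$CRYPTTAB_KEY" ]; then                # key device is present
        echo "Unlocking $CRYPTTAB_NAME..." >&2
        # Read the key slice from the raw device and write it to stdout
        dd if="$CRYPTTAB_KEY" bs=1 skip=<KEYSKIP> count=<KEYCOUNT>
    else                                           # no key device: prompt instead
        /lib/cryptsetup/askpass "Enter passphrase: "
    fi
fi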
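
The extension suggested in the message (choosing the key device and key position from the crypto mapper name) could look like the sketch below. This is an added example, not part of the original post: the map file path, its four-column format and the function names are assumptions, and the file would have to be readable only by root and copied into the initramfs.

```shell
#!/bin/sh
# Added example (not the poster's script): per-mapping key lookup.
# Hypothetical map file, one mapping per line:
#   <CRYPTTAB_NAME> <key-device-path> <skip-bytes> <count-bytes>
KEYMAP="${KEYMAP:-/etc/keyscript.map}"   # hypothetical path

# Print "device skip count" for mapping $1; fail if it is not listed.
lookup_key_params() {
    awk -v n="$1" '$1 == n && NF == 4 { print $2, $3, $4; found = 1; exit }
                   END { exit !found }' "$KEYMAP" 2>/dev/null
}

# Write the key slice for mapping $1 to stdout; fail if it is unavailable.
read_key() {
    params=$(lookup_key_params "$1") || return 1
    read -r dev skip count <<EOF
$params
EOF
    # Accept only decimal offsets so a malformed map cannot alter the dd call.
    case "$skip" in ''|*[!0-9]*) return 1 ;; esac
    case "$count" in ''|*[!0-9]*) return 1 ;; esac
    [ -e "$dev" ] || return 1          # key device not plugged in
    dd if="$dev" bs=1 skip="$skip" count="$count" 2>/dev/null
}

# Keyscript entry point: key from the mapped device, else interactive prompt.
keyscript_main() {
    read_key "$CRYPTTAB_NAME" && return 0
    /lib/cryptsetup/askpass "Enter passphrase: "
}

# cryptsetup exports CRYPTTAB_NAME when it runs a keyscript.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    keyscript_main
fi
```

Diagnostics go to stderr only, because everything the keyscript writes to stdout is taken as key material.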