From 6f0edd077f93647c2c174a3f4efb7ba32563bd67 Mon Sep 17 00:00:00 2001
From: Florian Wickert <flo.at@gmx.de>
Date: Wed, 19 Nov 2014 19:09:18 +0100
Subject: [PATCH 1/1] add support for detached LUKS header to encrypt hook

Signed-off-by: Florian Wickert <flo.at@gmx.de>
---
 cryptsetup/trunk/encrypt_hook | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/cryptsetup/trunk/encrypt_hook b/cryptsetup/trunk/encrypt_hook
index 819c4cf..4c81055 100644
--- a/cryptsetup/trunk/encrypt_hook
+++ b/cryptsetup/trunk/encrypt_hook
@@ -33,6 +33,29 @@ EOF
         [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
     fi
 
+    # support detached headers
+    cheaderfile="/crypto_header"
+    if [ -n "$cryptheader" ]; then
+        IFS=: read chdev chfs chpath <<EOF
+$cryptheader
+EOF
+        if [ "$chdev" = "rootfs" ]; then
+            cheaderfile=$chpath
+        elif resolved=$(resolve_device "${chdev}" ${rootdelay}); then
+            # Use a file on the device
+            mkdir /cheader
+            mount -r -t "$chfs" "$resolved" /cheader
+            dd if="/cheader/$chpath" of="$cheaderfile" >/dev/null 2>&1
+            umount /cheader
+        fi
+
+        if [ -f ${cheaderfile} ]; then
+            cryptargs="${cryptargs} --header ${cheaderfile}"
+        else
+            echo "Detached header could not be opened. Ignoring."
+        fi
+    fi
+
     if [ -n "${cryptdevice}" ]; then
         DEPRECATED_CRYPT=0
         IFS=: read cryptdev cryptname cryptoptions <<EOF
@@ -61,7 +84,7 @@ EOF
     done
 
     if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
-        if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+        if (cryptsetup isLuks ${resolved} >/dev/null 2>&1 || cryptsetup isLuks ${cheaderfile} >/dev/null 2>&1); then
             [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
             dopassphrase=1
             # If keyfile exists, try to use that
@@ -133,7 +156,7 @@ EOF
             err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
         fi
     fi
-    rm -f ${ckeyfile}
+    rm -f ${ckeyfile} ${cheaderfile}
 }
 
 # vim: set ft=sh ts=4 sw=4 et:
-- 
2.1.3