FS#21575 - [initscripts] crypt: pre-hook for cryptsetup

Attached to Project: Arch Linux
Opened by Michael Trunner (trunneml) - Tuesday, 02 November 2010, 17:13 GMT
Last edited by Tom Gundersen (tomegun) - Wednesday, 09 November 2011, 00:37 GMT
Task Type Feature Request
Category Arch Projects
Status Closed
Assigned To Thomas Bächler (brain0)
Tom Gundersen (tomegun)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

There are some cases where it is necessary to run several commands before running cryptsetup, for example when the key is on a USB stick and the filesystem has to be mounted.

An even more complicated case is when the key file is encrypted, too.

With a simple script that runs before cryptsetup is tried, plus named pipes (mkfifo), it is possible to fix all these problems easily.

I attached a patch for the rc.sysinit script. With this new "feature", the following bugs should no longer be a real problem:

*  FS#11648 
*  FS#15016 

Additional info:
* package version(s)
core/initscripts 2010.07-1 (base) [installed]
System initialization/bootup scripts

   patch (0.6 KiB)
This task depends upon

Closed by  Tom Gundersen (tomegun)
Wednesday, 09 November 2011, 00:37 GMT
Reason for closing:  No response
Comment by Michael Trunner (trunneml) - Tuesday, 02 November 2010, 19:21 GMT
I spent some time and played around with rc.sysinit, cryptsetup and crypttab. I think I found a much better solution. (Maybe I should close this feature request and open a new one?)

Anyway:
I reduced the function do_crypt to 33 lines (see attachment). The key parameter SWAP and ASK are moved to separate hook files.
do_crypt checks if cpass is a file; if so, it uses it as a key file. If it is not a file, then it looks for a hook with the same name in /etc/cryptsetupinit.d/.
If there is a file with that name, it calls it like that:
/etc/cryptsetupinit.d/$cpass $csrc $cname "$copts" "$CSOPEN"

CSOPEN is for the luks/non-luks parameter ordering (THX for cryptsetup X-( ).

If it cannot even find a hook, then $cpass is used as a raw password.

ASK and SWAP are implemented as hook scripts and work the same way as before.
Anyone that needs special key-stuff can now write a hook and add it to the directory.
Fancy-Hooks can be added by an extra package (AUR).

For extra parameters, hooks should extract them from copts or load them from a separate config file.

Greez

Michael
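The dispatch described in the comment above (key file, then a hook in the hook directory, then the field itself as the password), the hook calling convention `/etc/cryptsetupinit.d/$cpass $csrc $cname "$copts" "$CSOPEN"`, and the mkfifo trick from the task description, as an added shell example. This is not the patch attached to the task and not Arch's rc.sysinit. cryptsetup is never executed: the plan function prints the command it would run, and a plain reader stands in for `cryptsetup --key-file <fifo>`. The hook name `usbkey`, the sample key file, and making the hook directory a parameter instead of hard-coding /etc/cryptsetupinit.d are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the patch attached to this task and not Arch's rc.sysinit.
# Re-implements the key-field dispatch from the comment (key file -> hook in a
# hook directory -> raw password), the hook call convention
# "$hookdir/$cpass $csrc $cname "$copts" "$CSOPEN"", and the named-pipe idea
# from the description. cryptsetup is never run: do_crypt_plan prints the
# command it would execute, and cat stands in for "cryptsetup --key-file <fifo>".
# Constructed for this example: hook name 'usbkey', the sample key file, and the
# hook directory being a parameter rather than /etc/cryptsetupinit.d.

# classify_key KEYFIELD HOOKDIR -> prints "file", "hook" or "password".
# Same precedence as the comment's do_crypt: an existing regular file wins,
# then an executable hook of that name, otherwise the field is the password.
classify_key() {
    cpass=$1
    hookdir=$2
    if [ -f "$cpass" ]; then
        printf 'file\n'
    elif [ -x "$hookdir/$cpass" ]; then
        printf 'hook\n'
    else
        printf 'password\n'
    fi
}

# cryptsetup_args CSOPEN DEVICE NAME -> positional arguments in the order
# cryptsetup wants them: "luksOpen <device> <name>" for LUKS, but
# "create <name> <device>" for plain dm-crypt. This is the ordering
# difference the comment hands to hooks as $CSOPEN.
cryptsetup_args() {
    csopen=$1
    csrc=$2
    cname=$3
    case $csopen in
        luksOpen) printf '%s %s %s\n' "$csopen" "$csrc" "$cname" ;;
        create)   printf '%s %s %s\n' "$csopen" "$cname" "$csrc" ;;
        *) printf 'unknown open verb: %s\n' "$csopen" >&2; return 1 ;;
    esac
}

# do_crypt_plan DEVICE NAME KEYFIELD OPTS CSOPEN HOOKDIR -> prints the command
# the dispatcher would run for one crypttab entry (dry run, nothing executed).
do_crypt_plan() {
    csrc=$1; cname=$2; cpass=$3; copts=$4; csopen=$5; hookdir=$6
    args=$(cryptsetup_args "$csopen" "$csrc" "$cname") || return 1
    case $(classify_key "$cpass" "$hookdir") in
        file)
            printf 'cryptsetup %s--key-file %s %s\n' "${copts:+$copts }" "$cpass" "$args" ;;
        hook)
            # Exactly the calling convention given in the comment.
            printf '%s/%s %s %s "%s" "%s"\n' "$hookdir" "$cpass" "$csrc" "$cname" "$copts" "$csopen" ;;
        password)
            # The raw secret goes to cryptsetup on stdin; it never belongs on a command line.
            printf 'printf %%s "<password>" | cryptsetup %s--key-file - %s\n' "${copts:+$copts }" "$args" ;;
    esac
}

# key_via_fifo KEYFILE -> prints the key as read through a named pipe.
# The mkfifo idea from the description: a producer writes the key into a 0600
# fifo in a private directory and cryptsetup (here: cat) reads it through
# --key-file, so a decrypted key never lands on a filesystem. In a real hook
# the producer would be e.g. "gpg -d $keyfile" instead of cat.
key_via_fifo() {
    keyfile=$1
    tmp=$(mktemp -d) || return 1
    fifo=$tmp/key.fifo
    mkfifo -m 0600 "$fifo" || { rm -rf "$tmp"; return 1; }
    cat "$keyfile" > "$fifo" &
    key=$(cat "$fifo")        # stand-in for: cryptsetup --key-file "$fifo" ...
    wait
    rm -rf "$tmp"
    printf '%s\n' "$key"
}
```

The ordering in classify_key is also where the ambiguity Tom raises below bites: a raw password that happens to equal an existing path or hook name is silently treated as a file or hook, which is an argument for a dedicated keyword rather than overloading the key field.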
Comment by Tom Gundersen (tomegun) - Sunday, 19 June 2011, 17:17 GMT
@michael: thanks for your work, and sorry to take so long to react to it!

The crypto stuff is something I want to improve, and if you are interested in this, please come by #archlinux-projects to discuss it.

One of the flaws I see in our crypttab at the moment is all the different meanings of the key field (either special words like SWAP or ASK, or a file, or a password), as well as the fact that the file is sourced and interpreted in bash rather than treated as plain text like /etc/fstab.

As to your suggestion: while I agree that it would be nice to modularise the code a bit, I don't want to introduce the hooks concept to the crypttab file.

Having a sysinit-precrypt would be ok I guess, patches welcome on the mailinglist!
