FS#42851 : [cryptsetup] Add support for detached LUKS header to encrypt hook

FS#42851 - [cryptsetup] Add support for detached LUKS header to encrypt hook

Attached to Project: Arch Linux
Opened by Florian Wickert (float) - Wednesday, 19 November 2014, 19:04 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:22 GMT

Task Type	Feature Request
Category	Packages: Core
Status	Closed
Assigned To	Christian Hesse (eworm)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	9 Maxim Baz (maximbaz) (2020-09-03) nl6720 (nl6720) (2017-11-05) Alden B. Rogers (albiro) (2016-09-15) trendkiller (trendkiller) (2016-06-26) Tobias Röttger (toroettg) (2015-10-09) Pierre Carru (pierrec) (2015-08-08) Henrique Abreu (hgabreu) (2014-12-09) John Lane (starfry) (2014-12-09) Florian Wickert (float) (2014-11-20)
Private	No

Details

Since cryptsetup 1.4.0 there is an argument called --header that allows detached LUKS headers.
This can be used for two-factor encryption and deniability.

The attached patch adds a new kernel command line argument called cryptheader which is implemented and used almost the same way as cryptkey is:
cryptheader=<dev>:<fstype>:<header_file>
It does not add detached header support to crypttab however.

This has been discussed in e.g. https://bbs.archlinux.org/viewtopic.php?pid=1475265

0001-add-support-for-detached... (2.2 KiB)

This task depends upon

Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:22 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/p ackaging/packages/cryptsetup/issues/7

Comment by John Lane (starfry) - Wednesday, 17 December 2014, 13:22 GMT

A minor detail, but there is an inconsistency between how this patch works and when the header is on the "rootfs" and the similar keyfile functionality. This patch requires a syntax of "rootfs::path" whereas the keyfile uses a more sensible "rootfs:path". This can be resolved by amending line 26 of the patch from "cheaderfile=$chpath" to "cheaderfile=$chfs".
"

Comment by Maarten de Vries (de-vri-es) - Saturday, 10 October 2015, 12:02 GMT

I needed the same functionality, went about it a bit different. Decided to take header=... from $cryptoptions. Allows the user to choose the name of the header file. Not very important, this was just the first thing I thought of. It does give a smaller patch though.

No matter how it's done precisely, it would be nice to have this feature in hook.

detached-luks-header.diff (1.2 KiB)

Comment by Maarten de Vries (de-vri-es) - Saturday, 10 October 2015, 12:08 GMT

Ah, looks like the original patch supports header files on other file systems too. So that seems better.

Comment by Eli Schwartz (eschwartz) - Monday, 06 November 2017, 06:37 GMT

ping new maintainer...

Comment by nl6720 (nl6720) - Friday, 03 April 2020, 17:09 GMT

Field changed: Percent Complete (100% → 0%)

This is still an issue.

Comment by Maxim Baz (maximbaz) - Thursday, 03 September 2020, 23:14 GMT

I adapted the proposed patch to match exactly how the hook deals with `cryptkey` parameter today - this adds support for a block device in addition to file on a device, and achieves full syntax consistency.

I also put it on AUR and intend to keep it up-to-date with future changes to the upstream hook until this issue gets fixed.

https://aur.archlinux.org/packages/mkinitcpio-encrypt-detached-header/

support-detached-header.patch (2.3 KiB)

Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT

This is an automated comment as this bug is open for more then 2 years. Please reply if you still experience this bug otherwise this issue will be closed after 1 month.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#42851 - [cryptsetup] Add support for detached LUKS header to encrypt hook

Details

Loading...