Arch Linux

FS#42851 - [cryptsetup] Add support for detached LUKS header to encrypt hook

Attached to Project: Arch Linux
Opened by Florian Wickert (float) - Wednesday, 19 November 2014, 19:04 GMT
Last edited by freswa (frederik) - Friday, 03 April 2020, 17:09 GMT
Task Type Feature Request
Category Packages: Core
Status Assigned   Reopened
Assigned To Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 9
Private No


Since cryptsetup 1.4.0 there is an argument called --header that allows detached LUKS headers.
This can be used for two-factor encryption and deniability.

The attached patch adds a new kernel command line argument called cryptheader which is implemented and used almost the same way as cryptkey is:
It does not add detached header support to crypttab however.

This has been discussed in e.g.

Comment by John Lane (starfry) - Wednesday, 17 December 2014, 13:22 GMT
A minor detail, but there is an inconsistency between how this patch works and when the header is on the "rootfs" and the similar keyfile functionality. This patch requires a syntax of "rootfs::path" whereas the keyfile uses a more sensible "rootfs:path". This can be resolved by amending line 26 of the patch from "cheaderfile=$chpath" to "cheaderfile=$chfs".
Comment by Maarten de Vries (de-vri-es) - Saturday, 10 October 2015, 12:02 GMT
I needed the same functionality, went about it a bit differently. Decided to take header=... from $cryptoptions. Allows the user to choose the name of the header file. Not very important, this was just the first thing I thought of. It does give a smaller patch though.

No matter how it's done precisely, it would be nice to have this feature in the hook.
Comment by Maarten de Vries (de-vri-es) - Saturday, 10 October 2015, 12:08 GMT
Ah, looks like the original patch supports header files on other file systems too. So that seems better.
Comment by Eli Schwartz (eschwartz) - Monday, 06 November 2017, 06:37 GMT
ping new maintainer...
Comment by nl6720 (nl6720) - Friday, 03 April 2020, 17:09 GMT
  • Field changed: Percent Complete (100% → 0%)
This is still an issue.
Comment by Maxim Baz (maximbaz) - Thursday, 03 September 2020, 23:14 GMT
I adapted the proposed patch to match exactly how the hook deals with the `cryptkey` parameter today - this adds support for a block device in addition to a file on a device, and achieves full syntax consistency.

I also put it on AUR and intend to keep it up-to-date with future changes to the upstream hook until this issue gets fixed.
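
The value forms referred to in the comments above, as an added example that is not part of this thread or of any attached patch: a POSIX shell function that classifies a `cryptheader=` value. It assumes `cryptheader` accepts the same three forms the encrypt hook accepts for `cryptkey` (`rootfs:path`, `device:fstype:path`, `device:offset:size`); the function name, output labels and sample values are constructed.

```shell
#!/bin/sh
# Added example, not the hook's or the patch's code.
# Assumption: cryptheader= mirrors the cryptkey= syntax of the encrypt hook.

# parse_cryptheader VALUE
# Prints "<kind> <fields...>" and returns 0, or returns 1 if VALUE is malformed.
parse_cryptheader() {
    chdev= charg1= charg2=
    # Split on ':'; the third variable keeps any remaining colons.
    IFS=: read -r chdev charg1 charg2 <<EOF
$1
EOF
    [ -n "$chdev" ] || return 1

    if [ "$chdev" = "rootfs" ]; then
        # rootfs:path - header file already inside the initramfs.
        # An empty second field (rootfs::path) is rejected, so the accepted
        # form stays consistent with cryptkey's rootfs:path.
        [ -n "$charg1" ] || return 1
        echo "initramfs-file ${charg1}${charg2:+:$charg2}"
        return 0
    fi

    # Both remaining fields are required for the device forms.
    [ -n "$charg1" ] && [ -n "$charg2" ] || return 1
    case $charg1 in
        *[!0-9]*)
            # Non-numeric second field: device:fstype:path
            echo "file-on-device $chdev $charg1 $charg2"
            ;;
        *)
            # Numeric second field: device:offset:size (raw read from the device)
            case $charg2 in *[!0-9]*) return 1 ;; esac
            echo "raw-block $chdev $charg1 $charg2"
            ;;
    esac
}

# Constructed sample values; the result would select how the header is
# obtained before it is handed to cryptsetup --header.
for v in 'rootfs:/header.img' 'LABEL=KEYS:ext4:/header.img' \
         '/dev/sdb:0:2097152' 'rootfs::/header.img'; do
    parse_cryptheader "$v" || echo "rejected $v"
done
```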