FS#42851 : [cryptsetup] Add support for detached LUKS header to encrypt hook

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#42851 - [cryptsetup] Add support for detached LUKS header to encrypt hook

Attached to Project: Arch Linux
Opened by Florian Wickert (float) - Wednesday, 19 November 2014, 19:04 GMT
Last edited by freswa (frederik) - Friday, 03 April 2020, 17:09 GMT

Task Type	Feature Request
Category	Packages: Core
Status	Assigned Reopened
Assigned To	Christian Hesse (eworm)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	9 Maxim Baz (maximbaz) (2020-09-03) nl6720 (nl6720) (2017-11-05) Alden B. Rogers (albiro) (2016-09-15) trendkiller (trendkiller) (2016-06-26) Tobias Röttger (toroettg) (2015-10-09) Pierre Carru (pierrec) (2015-08-08) Henrique Abreu (hgabreu) (2014-12-09) John Lane (starfry) (2014-12-09) Florian Wickert (float) (2014-11-20)
Private	No

Details

Since cryptsetup 1.4.0 there is an argument called --header that allows detached LUKS headers.
This can be used for two-factor encryption and deniability.

The attached patch adds a new kernel command line argument called cryptheader which is implemented and used almost the same way as cryptkey is:
cryptheader=<dev>:<fstype>:<header_file>
It does not add detached header support to crypttab however.

This has been discussed in e.g. https://bbs.archlinux.org/viewtopic.php?pid=1475265

0001-add-support-for-detached... (2.2 KiB)

This task depends upon

Comments (6)
Related Tasks (0/0)

Comment by John Lane (starfry) - Wednesday, 17 December 2014, 13:22 GMT

A minor detail, but there is an inconsistency between how this patch works and when the header is on the "rootfs" and the similar keyfile functionality. This patch requires a syntax of "rootfs::path" whereas the keyfile uses a more sensible "rootfs:path". This can be resolved by amending line 26 of the patch from "cheaderfile=$chpath" to "cheaderfile=$chfs".
"

Comment by Maarten de Vries (de-vri-es) - Saturday, 10 October 2015, 12:02 GMT

I needed the same functionality, went about it a bit different. Decided to take header=... from $cryptoptions. Allows the user to choose the name of the header file. Not very important, this was just the first thing I thought of. It does give a smaller patch though.

No matter how it's done precisely, it would be nice to have this feature in hook.

detached-luks-header.diff (1.2 KiB)

Comment by Maarten de Vries (de-vri-es) - Saturday, 10 October 2015, 12:08 GMT

Ah, looks like the original patch supports header files on other file systems too. So that seems better.

Comment by Eli Schwartz (eschwartz) - Monday, 06 November 2017, 06:37 GMT

ping new maintainer...

Comment by nl6720 (nl6720) - Friday, 03 April 2020, 17:09 GMT

Field changed: Percent Complete (100% → 0%)

This is still an issue.

Comment by Maxim Baz (maximbaz) - Thursday, 03 September 2020, 23:14 GMT

I adapted the proposed patch to match exactly how the hook deals with `cryptkey` parameter today - this adds support for a block device in addition to file on a device, and achieves full syntax consistency.

I also put it on AUR and intend to keep it up-to-date with future changes to the upstream hook until this issue gets fixed.

https://aur.archlinux.org/packages/mkinitcpio-encrypt-detached-header/

support-detached-header.patch (2.3 KiB)

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

Arch Linux

FS#42851 - [cryptsetup] Add support for detached LUKS header to encrypt hook

Details

Loading...