FS#42851 - [cryptsetup] Add support for detached LUKS header to encrypt hook

Attached to Project: Arch Linux
Opened by Florian Wickert (float) - Wednesday, 19 November 2014, 19:04 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:22 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 9
Private No

Details

Since cryptsetup 1.4.0 there is an argument called --header that allows detached LUKS headers.
This can be used for two-factor encryption and deniability.

The attached patch adds a new kernel command line argument called cryptheader which is implemented and used almost the same way as cryptkey is:
cryptheader=<dev>:<fstype>:<header_file>
It does not add detached header support to crypttab however.

This has been discussed in e.g. https://bbs.archlinux.org/viewtopic.php?pid=1475265

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:22 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/packaging/packages/cryptsetup/issues/7
Comment by John Lane (starfry) - Wednesday, 17 December 2014, 13:22 GMT
A minor detail, but there is an inconsistency between how this patch works and when the header is on the "rootfs" and the similar keyfile functionality. This patch requires a syntax of "rootfs::path" whereas the keyfile uses a more sensible "rootfs:path". This can be resolved by amending line 26 of the patch from "cheaderfile=$chpath" to "cheaderfile=$chfs".
Comment by Maarten de Vries (de-vri-es) - Saturday, 10 October 2015, 12:02 GMT
I needed the same functionality, but went about it a bit differently. Decided to take header=... from $cryptoptions. Allows the user to choose the name of the header file. Not very important, this was just the first thing I thought of. It does give a smaller patch though.

No matter how it's done precisely, it would be nice to have this feature in the hook.
Comment by Maarten de Vries (de-vri-es) - Saturday, 10 October 2015, 12:08 GMT
Ah, looks like the original patch supports header files on other file systems too. So that seems better.
Comment by Eli Schwartz (eschwartz) - Monday, 06 November 2017, 06:37 GMT
ping new maintainer...
Comment by nl6720 (nl6720) - Friday, 03 April 2020, 17:09 GMT
  • Field changed: Percent Complete (100% → 0%)
This is still an issue.
Comment by Maxim Baz (maximbaz) - Thursday, 03 September 2020, 23:14 GMT
I adapted the proposed patch to match exactly how the hook deals with the `cryptkey` parameter today - this adds support for a block device in addition to a file on a device, and achieves full syntax consistency.

I also put it on AUR and intend to keep it up-to-date with future changes to the upstream hook until this issue gets fixed.

https://aur.archlinux.org/packages/mkinitcpio-encrypt-detached-header/
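The syntax question raised in this thread, as an added example (not the attached patch and not the AUR package's code): a POSIX shell function that classifies a `cryptheader=` value and rejects malformed input before anything is mounted or read. The function name `parse_cryptheader`, the sample device names and the raw `<dev>:<offset>:<size>` form are assumptions, the last one modelled on the forms the encrypt hook accepts for `cryptkey`.

```shell
# Added example (constructed): classify a cryptheader= value into the three
# shapes the encrypt hook accepts for cryptkey. Not the patch from this task.
# Prints "<kind> <device> <arg1> <arg2>"; returns 1 if the value is malformed.
parse_cryptheader() {
    # Split on ':' into the device and up to two arguments.
    IFS=: read -r chdev charg1 charg2 <<EOF
$1
EOF
    [ -n "$chdev" ] && [ -n "$charg1" ] || return 1

    if [ "$chdev" = "rootfs" ]; then
        # rootfs:<path> - header file already inside the initramfs.
        # "rootfs::<path>" is rejected above because its second field is empty.
        [ -z "$charg2" ] || return 1
        printf 'rootfs - %s -\n' "$charg1"
        return 0
    fi

    [ -n "$charg2" ] || return 1
    case $charg1 in
        *[!0-9]*)
            # <dev>:<fstype>:<header_file> - file on a filesystem to be mounted
            printf 'file %s %s %s\n' "$chdev" "$charg1" "$charg2"
            ;;
        *)
            # <dev>:<offset>:<size> - raw bytes on a block device (assumed form);
            # both numbers must be plain decimal digits.
            case $charg2 in
                *[!0-9]*) return 1 ;;
            esac
            printf 'raw %s %s %s\n' "$chdev" "$charg1" "$charg2"
            ;;
    esac
}
```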
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug otherwise this issue will be closed after 1 month.