
Re: keyscript

On 01/08/2016 07:19 PM, Marc Haber wrote:
> On Fri, 8 Jan 2016 18:51:20 +0100, Christian Seiler
> <christian@iwakd.de> wrote:
>> (Warning: not thoroughly tested, code is a quick hack and awful, might
>> do unexpected things. Also not documented. Quick howto: run make, copy
>> systemd-keyscript-cryptsetup to /lib/cryptsetup/, copy keyscript-generator
>> to /lib/systemd/system-generators, do systemctl daemon-reload and hope
>> for the best. systemd-cryptsetup will still warn about 'unknown option',
>> but it should work.)
>> (Interactive scripts obviously don't work, same thing as with
>> interactive init scripts, but if you need a password you can just use
>> PASS=$(systemd-ask-password "Some Message").)
> You're amazingly constructive. I wish I had your output. Thanks!
> Will this handle a keyscript that needs to unlock another crypto LV
> which is unlocked with a password?

Well, if the other volume (that's locked with a password) is NOT in
/etc/crypttab, it should probably work, but you need to use
systemd-ask-password to ask for the password.

So this should *probably* work in the keyscript (not tested at all):

# lv1 NOT in crypttab, NOT in /etc/fstab
# The keyscript's stdout is the key, so everything else goes to stderr.
# systemd-ask-password prints the passphrase with a trailing newline, and
# --key-file=- makes cryptsetup read stdin up to EOF, newline included,
# so the newline has to be stripped first.
systemd-ask-password --no-tty "Secret Container" | tr -d '\n' \
     | cryptsetup --key-file=- open /dev/disk/by-uuid/something lv1 >&2
mount -t something /dev/mapper/lv1 /somelocation >&2

# extract the key somehow (this is the only thing written to stdout)
cat /somelocation/keyfile

# (possibly) tear the helper volume down again
umount /somelocation
cryptsetup close lv1

(But if there's just a single key file on an external device, then
you shouldn't need a keyscript at all with systemd. Could you
describe your setup in a bit more detail? Perhaps I can provide
you with an option that doesn't rely on keyscript=.)
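As an added example that is not part of the mail and not Christian Seiler's wrapper code, here is a fuller version of that keyscript in plain POSIX sh. It strips the newline that systemd-ask-password appends, mounts the helper container read-only, refuses a missing or empty key file, and unmounts and closes the helper on every path, including a failed one. The device, mapper name, filesystem type, mount point and key path are placeholders; the command names are held in variables only so the flow can be exercised with stand-ins; and it is an assumption that the wrapper exports CRYPTTAB_NAME the way Debian's own cryptsetup keyscript interface does.

```shell
#!/bin/sh
# Added example, not code from the thread or from the wrapper discussed in it:
# a keyscript that unlocks a passphrase-protected helper container via
# systemd-ask-password, prints the key file stored inside it on stdout and
# tears the helper down again, also when something fails half-way.
# Assumptions: HELPER_DEV, HELPER_NAME, HELPER_FSTYPE, HELPER_MNT and
# KEY_PATH are placeholders to adapt; the commands live in variables only so
# the flow can be exercised with stand-ins; the wrapper is assumed to export
# CRYPTTAB_NAME like Debian's cryptsetup scripts do.
set -eu

HELPER_DEV="${HELPER_DEV:-/dev/disk/by-uuid/REPLACE-WITH-HELPER-UUID}"
HELPER_NAME="${HELPER_NAME:-lv1}"
HELPER_FSTYPE="${HELPER_FSTYPE:-ext4}"
HELPER_MNT="${HELPER_MNT:-/run/cryptsetup-helper}"
KEY_PATH="${KEY_PATH:-keyfile}"          # relative to HELPER_MNT

CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
ASK_PASSWORD="${ASK_PASSWORD:-systemd-ask-password}"
MOUNT="${MOUNT:-mount}"
UMOUNT="${UMOUNT:-umount}"

# stdout is the key material; all diagnostics go to stderr.
log() { printf 'keyscript: %s\n' "$*" >&2; }

# Undo whatever has been set up so far.  Safe to call more than once.
teardown() {
    if [ "${helper_mounted:-0}" = 1 ]; then
        "$UMOUNT" "$HELPER_MNT" >&2 || log "umount of $HELPER_MNT failed"
        helper_mounted=0
    fi
    if [ "${helper_open:-0}" = 1 ]; then
        "$CRYPTSETUP" close "$HELPER_NAME" >&2 || log "close of $HELPER_NAME failed"
        helper_open=0
    fi
}

# Ask for the passphrase, then open and mount the helper container.
# --key-file=- makes cryptsetup read stdin up to EOF, newline included, so
# the newline systemd-ask-password appends has to be stripped first.
open_helper() {
    "$ASK_PASSWORD" --no-tty "Passphrase for helper container $HELPER_NAME:" \
        | tr -d '\n' \
        | "$CRYPTSETUP" --key-file=- open "$HELPER_DEV" "$HELPER_NAME" >&2 \
        || { log "could not open $HELPER_DEV"; return 1; }
    helper_open=1
    mkdir -p "$HELPER_MNT" || return 1
    # Read-only and without dev/suid/exec: the helper only ever hands out a key.
    "$MOUNT" -t "$HELPER_FSTYPE" -o ro,nodev,nosuid,noexec \
        "/dev/mapper/$HELPER_NAME" "$HELPER_MNT" >&2 \
        || { log "could not mount $HELPER_NAME"; return 1; }
    helper_mounted=1
}

# Copy the key file to stdout; refuse a missing or empty file so the wrapper
# never receives an empty key.
emit_key() {
    key="$HELPER_MNT/$KEY_PATH"
    [ -s "$key" ] || { log "key file $key is missing or empty"; return 1; }
    cat "$key"
}

# Whole flow.  Returns 0 only if a key was written to stdout; the helper is
# unmounted and closed on every path, including an interrupted one.
run_keyscript() {
    helper_open=0
    helper_mounted=0
    trap teardown EXIT
    if open_helper && emit_key; then rc=0; else rc=1; fi
    teardown
    trap - EXIT
    return $rc
}

# Only run the flow when invoked as a keyscript (CRYPTTAB_NAME set); sourcing
# or running the file otherwise just defines the functions.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    run_keyscript
fi
```

Installed as a keyscript, the wrapper runs it with CRYPTTAB_NAME in the environment and reads the key from its stdout; run by hand (as root) it needs that variable set, e.g. `CRYPTTAB_NAME=data sh keyscript.sh > /dev/null`, and the redirect matters because the key is what lands on stdout. The variables holding the command names are only there so the sequence open, mount, read, unmount, close can be checked with stand-ins before trusting it with real devices.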
