[Bug 552658] Re: Encrypted root using key-file should not require custom key-script

Launchpad Bug Tracker 552658 at bugs.launchpad.net
Wed May 23 21:47:11 UTC 2012


Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: cryptsetup (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/552658

Title:
  Encrypted root using key-file should not require custom key-script

Status in “cryptsetup” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: cryptsetup

  From Hardy through to Karmic it was necessary to use a custom
  keyscript option to unlock encrypted volumes where the unlock key
  resides on an external device, typically a USB key:

  --- /etc/crypttab ---
  root /dev/mapper/Ubuntu-Karmic_encrypted /home/tj/keyfile luks,keyscript=/usr/local/sbin/crypto-usb-key.sh
  var /dev/mapper/Ubuntu-Lucid_var_encrypted  /home/tj/keyfile luks,keyscript=/usr/local/sbin/crypto-usb-key.sh
  home /dev/mapper/Ubuntu-home /home/tj/keyfile luks,keyscript=/usr/local/sbin/crypto-usb-key.sh
  ------

  The external keyscript is responsible for ensuring the device's driver
  is loaded, that the device has 'settled', that the appropriate file-
  system driver is loaded, and then mounts the file-system and copies
  the key-file contents to STDOUT. My particular keyscript adds the key-
  file path found in "/etc/crypttab" to the mount-point (e.g. /tmp/key/)
  in order that the path in 'crypttab' is valid when the system is in
  normal operation. This simply makes locating the key-file consistent
  whether during initramfs or later.

  In Lucid it is possible to do away with the custom keyscript for
  volumes other than the root file-system by using the
  "/etc/default/cryptdisks" option:

  CRYPTDISKS_MOUNT="/media/USB"

  where there also exists in "/etc/fstab" a mount entry for the device:

  # USB key
  LABEL=USB /media/USB auto defaults 0 2

  And "/etc/crypttab" looks something like this:

  root /dev/mapper/Ubuntu-Lucid_encrypted /home/tj/keyfile luks,keyscript=/usr/local/sbin/crypto-usb-key.sh
  var /dev/mapper/Ubuntu-Lucid_var_encrypted /media/USB/home/tj/keyfile luks
  home /dev/mapper/Ubuntu-home /media/USB/home/tj/keyfile luks

  However, I've not been able to discover a way to use cryptsetup's non-
  custom scripts and configuration to have it unlock the encrypted root
  file-system. In particular, I found that removing the "keyscript="
  option results in *no* "/conf/conf.d/cryptroot" file in the initramfs
  image and therefore the system fails to start and is not manually
  recoverable from the busybox shell.

  My feeling is that cryptsetup should still create
  "/conf/conf.d/cryptroot". Additionally, cryptsetup should have the
  'knowledge' to mount an external device containing the key-file by
  analysing 'fstab' and 'crypttab' during the initramfs phase in the
  same way it does for the later encrypted volumes.

  The benefit of this facility would be to do away with the need to test
  (every 6 months for each new release) the custom keyscript and figure
  out changes to fix bugs (e.g. Lucid doing away with usplash in favour
  of plymouth means the keyscript code to write messages to console or
  usplash has to be rewritten to work with plymouth, which means
  learning how plymouth works).

  It would also introduce an "It Just Works" solution to what is still a
  quite complicated scenario.
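A minimal keyscript of the kind the report describes, as an added example (it is not the reporter's crypto-usb-key.sh and not part of cryptsetup): it waits for the USB device to appear, mounts it read-only, appends the crypttab key path to the mount-point, and copies the key-file contents to stdout for cryptsetup to consume. The device label, mount-point, and the calling convention (key path as $1, with CRYPTTAB_KEY as an assumed fallback) are assumptions.

```shell
#!/bin/sh
# Example keyscript (added illustration, not the report's script). Assumed
# layout: USB key labelled "USB", mounted at /tmp/key inside the initramfs,
# key path from crypttab such as /home/tj/keyfile.
KEY_MOUNT="${KEY_MOUNT:-/tmp/key}"
KEY_DEV="${KEY_DEV:-/dev/disk/by-label/USB}"

# Wait up to $2 seconds for the device node $1 to appear (driver load + settle).
wait_for_device() {
    dev="$1"; tries="${2:-30}"
    while [ ! -e "$dev" ] && [ "$tries" -gt 0 ]; do
        sleep 1; tries=$((tries - 1))
    done
    [ -e "$dev" ]
}

# Join mount-point and crypttab key path: /tmp/key + /home/tj/keyfile
# -> /tmp/key/home/tj/keyfile, so the crypttab path stays valid later on.
key_path() {
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# Copy the key-file to stdout; fail (so cryptsetup can retry) if missing/empty.
emit_key() {
    [ -s "$1" ] || return 1
    cat "$1"
}

main() {
    crypttab_key="${1:-${CRYPTTAB_KEY:-}}"   # CRYPTTAB_KEY: assumed fallback
    [ -n "$crypttab_key" ] || { echo "keyscript: no key path given" >&2; exit 1; }
    modprobe usb_storage 2>/dev/null || true  # harmless if already built in
    wait_for_device "$KEY_DEV" 30 || { echo "keyscript: $KEY_DEV not found" >&2; exit 1; }
    mkdir -p "$KEY_MOUNT"
    mount -o ro "$KEY_DEV" "$KEY_MOUNT" || exit 1
    emit_key "$(key_path "$KEY_MOUNT" "$crypttab_key")"
    rc=$?
    umount "$KEY_MOUNT"
    exit "$rc"
}

# Run only when installed under this name (keyscript=/usr/local/sbin/crypto-usb-key.sh).
case "${0##*/}" in crypto-usb-key.sh) main "$@" ;; esac
```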
