[Bug 1494851] Re: initramfs cryptroot hook script doesn't install cryptsetup if keyfile but no keyscript

TJ ubuntu at iam.tj
Mon Sep 14 04:13:14 UTC 2015


Instead of simply warning the user I've developed an alternative
approach which does away with the problem entirely.

In this solution I alter the initramfs 'cryptroot' script to support
unlock using the keyfile. Currently it will only do that if supported by
a keyscript but the two are actually orthogonal.

If a keyscript is specified the keyfile will be available to it via the
environment CRYPTTAB_KEY as usual.

The new feature:

If a keyfile is not specified $cryptkey will contain "-" (for
/dev/stdin) and 'cryptsetup' will receive the output of the
$cryptkeyscript 'askpass' executable's /dev/stdout as usual.

If a keyfile is specified without a keyscript 'cryptroot' will pass it
to 'cryptsetup' via --key-file $cryptkey.


** Patch added: "Initramfs: use keyfile without keyscript"
   https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1494851/+attachment/4463643/+files/initramfs-use-keyfile-without-keyscript.patch
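As an added example, not the attached patch or the cryptsetup package's own code, the three-way decision described above written as a POSIX sh function that parses a crypttab line; the function name and the sample crypttab entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the patch attached to this bug: parse one /etc/crypttab
# line and decide how the initramfs 'cryptroot' script should hand the key to
# cryptsetup, following the three cases described in the comment above.
# Function name and the sample crypttab lines are constructed for illustration.

# Usage: key_mode_for_crypttab_line 'target source keyfile options'
# Prints one of:
#   keyscript SCRIPT KEY   run SCRIPT with CRYPTTAB_KEY=KEY, pipe its stdout to cryptsetup
#   askpass                no keyfile and no keyscript: askpass output on stdin ("-")
#   keyfile PATH           keyfile but no keyscript: cryptsetup --key-file PATH (new behaviour)
key_mode_for_crypttab_line() {
    set -- $1                      # split the crypttab line on whitespace
    cryptkey="${3:-none}"          # third field: key file, or "none"
    options="${4:-}"               # fourth field: comma-separated options
    cryptkeyscript=""

    # Pull keyscript=... out of the options field.
    old_ifs="$IFS"; IFS=,
    for opt in $options; do
        case "$opt" in
            keyscript=*) cryptkeyscript="${opt#keyscript=}" ;;
        esac
    done
    IFS="$old_ifs"

    # No key file means "-", i.e. read the key from stdin, as cryptroot does.
    if [ "$cryptkey" = "none" ]; then
        cryptkey="-"
    fi

    if [ -n "$cryptkeyscript" ]; then
        echo "keyscript $cryptkeyscript $cryptkey"
    elif [ "$cryptkey" = "-" ]; then
        echo "askpass"
    else
        echo "keyfile $cryptkey"
    fi
}

# Constructed sample crypttab entries, one per case.
for line in \
    'LUKS_OS /dev/sda2 none luks' \
    'LUKS_OS /dev/sda2 /etc/keys/root.key luks' \
    'LUKS_OS /dev/sda2 /etc/keys/root.key luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl'
do
    printf '%-90s -> %s\n' "$line" "$(key_mode_for_crypttab_line "$line")"
done
```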

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1494851

Title:
  initramfs cryptroot hook script doesn't install cryptsetup if keyfile
  but no keyscript

Status in cryptsetup package in Ubuntu:
  In Progress

Bug description:
  When crypttab specifies a key-file for the container of the root file-
  system but there is no keyscript= option no cryptsetup support is
  installed in the initrd.img.

  Currently the cryptroot initramfs hook script knows it's a problem and
  will report:

  cryptsetup: WARNING: target LUKS_OS uses a key file, skipped

  This is BAD behaviour that renders the root file-system container
  inaccessible at boot time.

  Regardless of a key-script being available cryptsetup support should
  be installed into the initrd.img to enable the user to take manual
  steps to unlock the container. The hook script has no knowledge about
  pass phrases that might be set in other LUKS slots that are available
  to the user.

  This is the behaviour when a keyscript is specified but doesn't exist.

  The attached patch modifies the behaviour to include cryptsetup in the
  initrd.img and modify the warning to the user.

  cryptsetup: WARNING: target LUKS_OS uses a key file, but no keyscript
  is set. Please ensure there is also a typed pass-phrase set.
