I am pleased to announce that I now have something working. It is for my use case of USB drives and not congregating share holders entering the tokens at the keyboard. That use case will take just a little bit more doing.
High level: I look for cmdline arguments rd.luks.ssss.key or rd.luks.ssss.list. The former you specify at least t times (t being the ssss threshold). The latter points to a file containing a list of arguments as you would put them into the former. For now that file has to live within the initramfs.

It's not precise that rd.luks.ssss.key has to be specified at least t times. It is the same logic as rd.luks.key, that is path:device:luksdev, where only path is necessary. If only path is specified, and t devices have a share at path, then the one argument does suffice. E.g. udev will search each discovered device for path, and pull out the token if it is there.

I also put the option for t in /etc/crypttab, as it can be tied to a device there. It would be easy to add a cmdline option for it as well, perhaps with rd.luks.ssss.threshold=3:luks_root, for example (luks_root being the device mapper name for the unlocked volume, I *think* that's the right one to use).

Low level: If you are familiar with dracut's initramfs, the files I have modified are:

/sbin/cryptroot-ask - where I hijacked into the rd.luks.key and the crypttab keyfile (third argument) logic
/lib/dracut-crypt-lib.sh - where I modified the getkey function to return more than one key (ssss token) when needed (for ssss, obviously)

New files:

/lib/dracut/hooks/cmdline/10parse-ssssdev.sh - a near copy of 10parse-keydev.sh, which writes the udev rules to pull tokens from detected devices
/sbin/probe-ssssdev - a near copy of probe-keydev, which is actually what the udev rules call to do the real work of extracting tokens
/bin/ssss-combine - of course
/bin/xxd - this is to use ssss-combine with the -x option (which outputs a binary secret encoded in hex, xxd reverses it back to binary)
/lib64/libgmp.so.10.0.2 (and its symlinks) - dependency for ssss-combine

I did this against Fedora, so a patch probably doesn't make sense yet? I do plan on getting something up here codewise, though.
PLEASE feel free to bother me if I drop it through the cracks or otherwise take too long. :)

v...@fugal.net
--
Get the hell out of my way! -- John Galt
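
The argument handling described in the message above, sketched as an added example that is not part of the original post or the author's dracut changes. The function names are hypothetical, the command line is constructed, an empty device or luksdev is assumed to mean "any" as with rd.luks.key, and tokens are assumed to be in the index-hex form that ssss-split prints without -w.

```shell
#!/bin/sh
# Added example, not the author's dracut changes; all input is constructed.

# Split "path:device:luksdev". Only path is required; an empty device or
# luksdev is printed as "*" (assumed to mean "any", as with rd.luks.key).
parse_ssss_key() {
    spec=$1
    path=${spec%%:*}
    rest=${spec#"$path"}; rest=${rest#:}
    device=${rest%%:*}
    luksdev=${rest#"$device"}; luksdev=${luksdev#:}
    [ -n "$path" ] || return 1
    printf '%s|%s|%s\n' "$path" "${device:-*}" "${luksdev:-*}"
}

# Parse every rd.luks.ssss.key= word found on a kernel command line.
ssss_specs() {
    set -f                                  # no globbing while word-splitting
    for word in $1; do
        case $word in
            rd.luks.ssss.key=*) parse_ssss_key "${word#rd.luks.ssss.key=}" ;;
        esac
    done
    set +f
}

# Threshold t for volume $2 from the suggested rd.luks.ssss.threshold=t:luksdev.
ssss_threshold() {
    set -f
    for word in $1; do
        case $word in
            rd.luks.ssss.threshold=*:"$2") t=${word#*=}; set +f
                echo "${t%%:*}"; return 0 ;;
        esac
    done
    set +f; return 1
}

# True when file $2 holds at least $1 tokens with distinct share indexes
# (the number before the first "-"); a share seen on two devices counts once.
have_quorum() {
    n=$(awk -F- 'NF > 1 && !seen[$1]++ { n++ } END { print n + 0 }' "$2")
    [ "$n" -ge "$1" ]
}

CMDLINE='root=/dev/mapper/luks_root rd.luks.ssss.key=/share.tok rd.luks.ssss.key=/s2.tok:LABEL=USB2:luks_root rd.luks.ssss.threshold=3:luks_root'
ssss_specs "$CMDLINE"
echo "threshold: $(ssss_threshold "$CMDLINE" luks_root)"
```

Checking for t distinct shares before combining keeps a duplicated token from being counted toward the threshold.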