Bug#801479: cryptsetup: Please make the cryptroot initramfs script & hook honor the 'keyslot' crypttab(5) option

Sat, 10 Oct 2015 16:06:38 -0700 

Package: cryptsetup
Version: 2:1.6.6-5
Severity: wishlist

Dear Maintainer,

For LUKS devices, one can use the 'keyslot' crypttab(5) option to
specify a single key-slot to compare the passphrase against.  This can
be useful for headers with many passphrases, since comparing the supplied
passphrase against each existing keyslot can take a while.  Patch
attached.

Cheers,
-- 
Guilhem.

From eb24bcc9cec437d99f97b8403591d710e0a727ab Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guil...@guilhem.org>
Date: Sun, 11 Oct 2015 00:50:35 +0200
Subject: [PATCH] Make the cryptroot initramfs script & hook the 'keyslot'
 crypttab(5) option.

---
 cryptsetup/trunk/debian/initramfs/cryptroot-hook   | 3 +++
 cryptsetup/trunk/debian/initramfs/cryptroot-script | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/cryptsetup/trunk/debian/initramfs/cryptroot-hook b/cryptsetup/trunk/debian/initramfs/cryptroot-hook
index 82399fa..4e9b055 100644
--- a/cryptsetup/trunk/debian/initramfs/cryptroot-hook
+++ b/cryptsetup/trunk/debian/initramfs/cryptroot-hook
@@ -325,6 +325,9 @@ get_device_opts() {
 				KEYSCRIPT="$opt"
 				OPTIONS="$OPTIONS,keyscript=/lib/cryptsetup/scripts/$(basename "$opt")"
 				;;
+			keyslot=*)
+				OPTIONS="$OPTIONS,$opt"
+				;;
 			lvm=*)
 				OPTIONS="$OPTIONS,$opt"
 				;;
diff --git a/cryptsetup/trunk/debian/initramfs/cryptroot-script b/cryptsetup/trunk/debian/initramfs/cryptroot-script
index dde8ae3..3e8281a 100644
--- a/cryptsetup/trunk/debian/initramfs/cryptroot-script
+++ b/cryptsetup/trunk/debian/initramfs/cryptroot-script
@@ -69,6 +69,7 @@ parse_options()
 	cryptlvm=""
 	cryptkeyscript=""
 	cryptkey="" # This is only used as an argument to an eventual keyscript
+	cryptkeyslot=""
 	crypttries=3
 	crypttcrypt=""
 	cryptrootdev=""
@@ -119,6 +120,9 @@ parse_options()
 			fi
 			export CRYPTTAB_KEY="$cryptkey"
 			;;
+		keyslot=*)
+			cryptkeyslot=${x#keyslot=}
+			;;
 		tries=*)
 			crypttries="${x#tries=}"
 			case "$crypttries" in
@@ -261,6 +265,9 @@ setup_mapping()
 	if [ -n "$cryptheader" ]; then
 		cryptopen="$cryptopen --header=$cryptheader"
 	fi
+	if [ -n "$cryptkeyslot" ]; then
+		cryptopen="$cryptopen --key-slot=$cryptkeyslot"
+	fi
 	if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then
 		cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-"
 	elif [ "$crypttcrypt" = "yes" ]; then
-- 
2.6.1

Attachment: signature.asc
Description: PGP signature

Reply via email to