On Tue, 04 Jul 2017 at 10:47:36 -0400, Antoine Beaupré wrote:
> On 2017-07-04 10:34:04, Guilhem Moulin wrote:
>> On Mon, 03 Jul 2017 at 19:08:52 -0400, Antoine Beaupré wrote:
>>> thanks, i guess this is done? or do we need to document the "initramfs"
>>> tag in crypttab better?
>>
>> Anything in particular you have in mind? crypttab(5) currently reads:
>>
>>     initramfs
>>         The initramfs hook processes the root device, any resume devices
>>         and any devices with the “initramfs” option set. These devices
>>         are processed within the initramfs stage of boot. As an
>>         example, that allows the use of remote unlocking using dropbear.
>
> I did see that, but only after you mentioned it. I guess the problem is
> the documentation is kind of split up all over the place.

Fair enough, the documentation needs some love… Your setup is probably
not very common but if other DDs have trouble with our docs I'm not too
hopeful about wider adoption :-(

> There's that README.Debian, then there's:
>
>  * /usr/share/doc/cryptsetup/README.initramfs.gz
>  * "Some keyscripts have an own README file at
>    /usr/share/doc/cryptsetup/"
>  * crypttab(5), cryptdisks_start(8) and cryptdisks_stop(8)
>  * /usr/share/doc/cryptsetup/FAQ.gz
>  * /usr/share/doc/dropbear-initramfs/README.initramfs
>
> Which one is relevant here? Probably the last one? Who knows! :)

Yup, and it contains the following paragraph:

    Unlocking procedure
    -------------------

    You can unlock your rootfs on bootup remotely, using SSH to log in to
    the booting system while it's running with the initramfs mounted.
    Consult cryptsetup's /usr/share/doc/cryptsetup/README.Debian section 8
    for details.

> In this case, I should have read README.initramfs and crypttab(5) but
> even the latter is not clearly outlined in Sec. 8 of the
> README.Debian...

Alright, I think I understood the source of the confusion now. I'll add
a paragraph to clarify that Sec. 8 applies to any device unlocked at
initramfs stage, not only the root device; and that to force the device
to be unlocked at initramfs stage one might need to add the 'initramfs'
option to its crypttab(5) entry. I'll think about the wording overnight
;-) Anyway, this is beyond the scope of this bug.

-- 
Guilhem.