Package: cryptsetup
Version: 2:1.0.2+1.0.3-rc3-1
Severity: wishlist

Hi,
in order to support encrypted root partitions from an initramfs, it would be
good if the cryptsetup package could be adapted to install the two files
attached in this mail (my debian packaging skills are not up to par here, so
I'll leave that as an exercise to the reader):

croot3-hooks-cryptroot: in /etc/mkinitramfs/hooks/cryptroot
croot3-scripts-local-premount-cryptroot: in /etc/mkinitramfs/scripts/local-premount/cryptroot

The cryptroot works in two different ways depending on whether the root
partition is a luks partition or not.

o With LUKS
-----------
The kernel only needs to be booted with root=/dev/path/to/luks-partition

o Without LUKS
--------------
The kernel should be booted with root=/dev/path/to/partition and
cryptopts=OPTIONS. OPTIONS can be cipher, size, hash and cryptnode. The first
three should be self-explanatory, while cryptnode is the name of the cryptnode
to setup (i.e. /dev/mapper/something).

o Additionally
--------------
The cryptnode option is also honoured with a luks partition.

An example of cryptopts would be:
cryptopts=cipher=aes-cbc-essiv:sha256,size=256,hash=plain

These options can also be set by creating /etc/mkinitramfs/conf.d/cryptroot
with the CRYPTOPTS variable (it will be sourced by the relevant scripts, so
something like CRYPTOPTS="cipher=aes-cbc-essiv:sha256,size=256,hash=plain").

Oh, and if the user wants some more esoteric way of getting the key, a script
can be placed in /etc/mkinitramfs/cryptgetpw which outputs the key on stdout
(which allows e.g. usb-key based keys with a suitable script).

This functionality depends on bug 348147 being fixed first.

Regards,
David
#!/bin/sh
# initramfs hook: copy cryptsetup, dmsetup and the optional key script
# into the initramfs image
PREREQ=""

prereqs() {
	echo "$PREREQ"
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

. /usr/share/initramfs-tools/hook-functions

copy_exec /sbin/cryptsetup /sbin
copy_exec /sbin/dmsetup /sbin
# Optional user-supplied script that writes the key on stdout
[ -x /etc/mkinitramfs/cryptgetpw ] && copy_exec /etc/mkinitramfs/cryptgetpw /sbin

exit 0
#!/bin/sh
# local-premount script: set up the encrypted root device before init mounts it.
# ROOT and FSTYPE are provided by the initramfs-tools init environment.
PREREQ=""

prereqs() {
	echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
	prereqs
	exit 0
	;;
esac

# Do we have any settings from /etc/mkinitramfs/conf.d/cryptroot?
# (mkinitramfs copies conf.d into /conf/conf.d inside the initramfs)
[ -r /conf/conf.d/cryptroot ] && . /conf/conf.d/cryptroot
cryptopts="${CRYPTOPTS}"

# Does the kernel boot command line override them?
for x in $(cat /proc/cmdline); do
	case $x in
	cryptopts=*)
		cryptopts=${x#cryptopts=}
		;;
	esac
done

# Sanity checks
if [ "$FSTYPE" != "luks" ] && [ -z "$cryptopts" ]; then
	# Apparently the root partition isn't encrypted
	echo "No cryptroot configured or detected"
	exit 0
fi

# There are two possible scenarios here:
#
# 1) The fstype of the root device has been identified as "luks"
# 2) The fstype is not "luks" but cryptopts has been set
#
# The former means that we use the luks functionality of cryptsetup, the
# latter means that we do it the old-fashioned way.

# Start by parsing some options. All options are relevant to regular
# cryptsetup, but only cryptnode is relevant to luks, which picks up the rest
# of the parameters by reading the partition header.
cryptcipher=aes-cbc-essiv:sha256
cryptsize=256
crypthash=sha256
cryptnode=cryptroot
if [ -n "$cryptopts" ]; then
	IFS=" ,"
	for x in $cryptopts; do
		case $x in
		hash=*)
			crypthash=${x#hash=}
			;;
		size=*)
			cryptsize=${x#size=}
			;;
		cipher=*)
			cryptcipher=${x#cipher=}
			;;
		# accept both spellings: the mail documents "cryptnode", the
		# original script only parsed "node"
		cryptnode=*)
			cryptnode=${x#cryptnode=}
			;;
		node=*)
			cryptnode=${x#node=}
			;;
		esac
	done
	unset IFS
fi
NEWROOT="/dev/mapper/$cryptnode"

# Check which cryptosolution we want
if [ "$FSTYPE" = "luks" ]; then
	# 1) The fstype of the root device has been identified as "luks"
	cryptcreate="/sbin/cryptsetup luksOpen $ROOT $cryptnode"
	# Tear the mapping down again if the filesystem inside isn't recognised;
	# otherwise the next luksOpen fails because the name is already in use
	cryptremove="/sbin/cryptsetup luksClose $cryptnode"
else
	# 2) The fstype is not "luks" but cryptopts has been set
	cryptcreate="/sbin/cryptsetup -c $cryptcipher -s $cryptsize -h $crypthash create $cryptnode $ROOT"
	cryptremove="/sbin/cryptsetup remove $cryptnode"
fi

# Loop until we have a satisfactory password
while :; do
	if [ -x /sbin/cryptgetpw ]; then
		# user-supplied key script writes the key on stdout
		/sbin/cryptgetpw | $cryptcreate
	else
		$cryptcreate
	fi
	if [ $? -eq 0 ]; then
		# probe the filesystem inside the mapping; fstype prints FSTYPE= and FSSIZE=
		fstype < "$NEWROOT" > /dev/.initramfs/source.me
		. /dev/.initramfs/source.me
		if [ "$FSTYPE" != "unknown" ]; then
			break
		fi
	fi
	echo "$0: cryptsetup failed or fstype not recognized, bad password or options?"
	$cryptremove 2>/dev/null
	sleep 3
done

# init can now pick up new FSTYPE, FSSIZE and ROOT
echo "ROOT=\"$NEWROOT\"" >> /dev/.initramfs/source.me
exit 0
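An added example of the /etc/mkinitramfs/cryptgetpw key script the mail mentions (not code from the report): it reads the key from a USB stick found by filesystem label and falls back to a console passphrase prompt, writing the key on stdout as the local-premount script expects. The device label, key file name, filesystem type and the /tmp mount point are assumptions.

```shell
#!/bin/sh
# Added example of an /etc/mkinitramfs/cryptgetpw script (names and paths are
# assumptions): read the key from a removable device found by filesystem label,
# falling back to a console passphrase prompt; the key goes to stdout.
KEYDEV="${KEYDEV:-/dev/disk/by-label/CRYPTKEY}"  # assumed udev label symlink
KEYFILE="${KEYFILE:-.cryptkey}"                  # assumed file on the device
KEYFS="${KEYFS:-vfat}"                           # assumed filesystem type
MNT="/tmp/cryptkey.$$"

# read_key SOURCE FILE: print FILE from SOURCE on stdout. SOURCE is a block
# device (mounted ro,nodev,nosuid, then unmounted) or an already-mounted
# directory. Returns non-zero and prints nothing on failure.
read_key() {
	src=$1 file=$2
	if [ -d "$src" ]; then
		[ -f "$src/$file" ] && cat "$src/$file"
		return
	fi
	[ -b "$src" ] || return 1
	mkdir -p "$MNT" || return 1
	mount -t "$KEYFS" -o ro,nodev,nosuid "$src" "$MNT" 2>/dev/null || { rmdir "$MNT"; return 1; }
	rc=1
	[ -f "$MNT/$file" ] && cat "$MNT/$file" && rc=0
	umount "$MNT"
	rmdir "$MNT"
	return $rc
}
# prompt_key NAME: ask for a passphrase on the console with echo disabled
# (stty may be missing from a minimal initramfs, hence the 2>/dev/null).
prompt_key() {
	printf 'Enter passphrase for %s: ' "$1" > /dev/console
	stty -echo < /dev/console 2>/dev/null
	read -r key < /dev/console
	stty echo < /dev/console 2>/dev/null
	echo > /dev/console
	printf '%s\n' "$key"
}
# main: wait up to 10s for the key device (removable media can appear late),
# then fall back to the prompt. Only runs when invoked as cryptgetpw itself.
main() {
	n=0
	while [ "$n" -lt 10 ]; do
		read_key "$KEYDEV" "$KEYFILE" && return 0
		n=$((n + 1)); sleep 1
	done
	prompt_key "$KEYDEV"
}
case ${0##*/} in cryptgetpw) main ;; esac
```

The hook above copies this file into the initramfs only if it is executable, so keep it and the key media readable by root alone.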