Package: cryptsetup
Version: 2:2.4.0-1
Severity: wishlist

Hi.

I think the following might be improved in the crypttab(5) manpage:

1) discard

Apart from the fact that I think it's a pretty bad idea to enable this by default (security-wise, and especially since more recent SSDs allegedly no longer benefit so much from TRIM, if at all)...

It should be made more clear that the installer simply adds the option to crypttab (and there is no hidden changed default in Debian's cryptsetup binary).

Perhaps if you just add a sentence that it's enough to remove the flag from crypttab if someone doesn't want it?

2) For options like check=<check> or tmp=<tmpfs>

My understanding is that if one just adds "tmp" or "check", then and only then it's enabled with the mentioned default (e.g. "ext4" and blkid).

It should be made more clear that the default is only about the *value* if no =<value> is given, and not about the flag itself. I.e. "tmp" actually means "tmp=ext4", but no "tmp" at all doesn't mean that "tmp" is implicitly set to "ext4".

3) loud

  "Be loud. Print warnings if a device does not exist. This option overwrites the option loud."

=> should probably read that it overwrites "quiet"?

4) keyscript=

  WARNING: With systemd as init system, this option might be ignored. At the time this is written (December 2016), the systemd cryptsetup helper doesn't support the keyscript option to /etc/crypttab. For the time being, the only option to use keyscripts along with systemd is to force processing of the corresponding crypto devices in the initramfs. See the 'initramfs' option for further information.

Not sure, but that seems a bit misleading: even *with* systemd that option is not ignored, at least not by e.g. the cryptsetup package and its tools themselves. So I can just happily use my own keyscript *outside of the initramfs* with e.g. cryptdisk_st* .

What does not work is systemd's own cryptsetup support stuff.

It may make sense to advise people that there is the 'luks.crypttab=no' kernel command line option, as described in systemd-cryptsetup-generator(8), which causes systemd to ignore any device configured in /etc/crypttab:

  luks.crypttab=, rd.luks.crypttab=
    Takes a boolean argument. Defaults to "yes". If "no", causes the generator to ignore any devices configured in /etc/crypttab (luks.uuid= will still work however). rd.luks.crypttab= is honored only by initial RAM disk (initrd) while luks.crypttab= is honored by both the main system and the initrd.

Cheers,
Chris.
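
The flag-versus-default-value semantics from point 2, together with the discard and keyscript concerns from points 1 and 4, can be checked mechanically. The following is an added example, not part of the original report and not cryptsetup's own code: the default values "ext4" and "blkid" are taken from the report, and the sample crypttab and the keyscript path are constructed.

```python
# Added example: models the crypttab option semantics discussed in the report.
# Assumption: the value defaults below are the ones named in the report.
VALUE_DEFAULTS = {"tmp": "ext4", "check": "blkid"}

def parse_options(field):
    """Return {option: value}. A bare flag gets its default value (or True);
    an option that is absent from the field is absent from the result."""
    opts = {}
    for item in filter(None, (p.strip() for p in field.split(","))):
        name, sep, value = item.partition("=")
        opts[name] = value if sep and value else VALUE_DEFAULTS.get(name, True)
    return opts

def parse_crypttab(text):
    """Yield (target, options) for each non-comment crypttab entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        yield fields[0], parse_options(fields[3]) if len(fields) > 3 else {}

def audit(text):
    """Return {target: [notes]} for the options the report singles out."""
    findings = {}
    for target, opts in parse_crypttab(text):
        notes = []
        if "discard" in opts:
            notes.append("discard is set in crypttab; remove the flag to disable it")
        if "keyscript" in opts and "initramfs" not in opts:
            notes.append("keyscript without initramfs; per the quoted manpage "
                         "warning the systemd helper does not support it")
        if notes:
            findings[target] = notes
    return findings

# Constructed sample, not from a real system; the keyscript path is hypothetical.
SAMPLE = """\
# <target> <source> <keyfile> <options>
root_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
swap_crypt /dev/sda2 /dev/urandom swap,cipher=aes-xts-plain64,size=256
scratch /dev/sda3 /dev/urandom tmp
data_crypt /dev/sdb1 none luks,keyscript=/usr/local/sbin/getkey,check
"""

if __name__ == "__main__":
    for target, opts in parse_crypttab(SAMPLE):
        print(target, opts)
    print(audit(SAMPLE))
```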