Here's a patch that fixes the problem, but I think further discussion on how to handle this in a way that is safe/correct is needed. Since there's no *requirement* that the "key file" used with a keyscript is an actual file, it's hard to know for sure whether the intent is to use a file or just give an argument to the keyscript. My solution assumes that anything with a leading / is a file, but this will give spurious warnings if someone sets something like /dev/ttyS0 or /dev/sdXX as the key file. It also might be best if some attempt was made not to copy a file from an encrypted filesystem to an unencrypted initramfs image.
-Ryan
--- cryptroot.dist 2011-12-24 16:50:11.000000000 -0800 +++ cryptroot 2011-12-24 17:07:33.000000000 -0800 @@ -211,7 +211,7 @@ fi # We have all the basic options, let's go trough them - OPTIONS="target=$target,source=$source,key=$key" + OPTIONS="target=$target,source=$source" local IFS=", " unset HASH_FOUND unset LUKS_FOUND @@ -262,10 +262,23 @@ echo " the correct hash option to your /etc/crypttab." >&2 fi - # If keyscript is set, the "key" is just an argument to the script - if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then - echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2 - return 1 + # A "key" is only supported if it is being used with a keyscript + if [ "$key" != "none" ]; then + if [ -n "$KEYSCRIPT" ]; then + # Include the "key" if it is a regular file + if [ -f "$key" ]; then + KEYFILE=$key + key="/lib/cryptsetup/keys/$(basename "$key")" + elif [ "$(echo $key | cut -c 1)" = "/" ]; then + # Not sure if this should be fatal + echo "cryptsetup: WARNING: key file $key for target $target cannot be copied" >&2 + fi + OPTIONS="$OPTIONS,key=$key" + else + OPTIONS="$OPTIONS,key=$key" + echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2 + return 1 + fi fi } @@ -408,6 +421,12 @@ echo "cryptsetup: WARNING: failed to find keyscript $KEYSCRIPT" >&2 continue fi + if [ -n "$KEYFILE" ]; then + if [ ! -d "$DESTDIR/lib/cryptsetup/keys" ]; then + mkdir -p "$DESTDIR/lib/cryptsetup/keys" + fi + cp "$KEYFILE" "$DESTDIR/lib/cryptsetup/keys" + fi fi # Calculate needed modules
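Review bot: In the second hunk (@@ -262,10 +262,23), the in-image path is built from `$(basename "$key")` alone, so two targets whose key files share a file name in different directories map to the same entry under /lib/cryptsetup/keys and the later copy replaces the earlier one. Deriving the name from `$target` instead, and using the same name for the `cp` destination in the last hunk, would keep them distinct. In the same hunk, `$(echo $key | cut -c 1)` leaves `$key` unquoted; `case "$key" in /*) ... ;; esac` does the leading-slash test without word splitting or a subprocess. The `OPTIONS="$OPTIONS,key=$key"` line in the else branch sits directly before `return 1` and looks unnecessary.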
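Review bot: In the third hunk (@@ -408,6 +421,12), `cp "$KEYFILE" "$DESTDIR/lib/cryptsetup/keys"` places key material in the image without restricting the mode of the directory or of the copy, and without checking whether the copy succeeded. Creating the directory with `mkdir -m 0700 -p`, setting the copied file to 0400, and emitting a warning and skipping the target when `cp` fails would be safer; the `[ ! -d ... ]` test is redundant with `mkdir -p`. Nothing in the visible lines clears `KEYFILE` between targets, so a value set for one target in the @@ -262 hunk can still be non-empty when a later keyscript target with a non-file key reaches this block; an `unset KEYFILE` next to the existing `unset HASH_FOUND` and `unset LUKS_FOUND` would prevent that.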