Hello, I have set up an encrypted home partition using cryptsetup-luks. It should be a two-factor authorisation using a passphrase and a USB token. There are user-configurable hooks already present in /etc/conf.d/cryptfs, like "pre_mount" and "post_mount". Unfortunately I needed something that goes in earlier in the process to mount the USB thumbdrive to make the keyfile available. So I created the attached diff against /lib/rcscripts/addons/dm-crypt-start.sh of sysfs/cryptsetup-luks-1.0.1-r1. It provides the "pre_map" and "post_map" hooks, which fire before and after the mapping of the crypted fs. My /etc/conf.d/cryptfs has the lines:

pre_map=' until mount /dev/sda1 /mnt/stick >/dev/null 2>&1 ; do sleep 1 ; done '
post_map=' umount /dev/sda1 '

At least for me it saves a lot of work. Feel free to do whatever you feel is appropriate with it.
Created attachment 76014 [details, diff] patch for "pre_map" and "post_map"
I'm not convinced that this is the appropriate spot to do this; personally I tend to think it belongs in an initramfs or init script. Still, I'll have a think about this and possibly add it, or something like it, under the concept that choice is a good thing.
Created attachment 86226 [details, diff] new feature to cryptfs

I don't understand why pre|post_mount can't satisfy your needs. Here is my /etc/conf.d/cryptfs:

mount=crypt-token
source=/dev/sda2
type=luks
key=/root/flashkey.gpg
pre_mount='mount -o ro /dev/mapper/crypt-token /mnt/flash'
post_mount='umount /mnt/flash; cryptsetup luksClose crypt-token'
options='--readonly'

mount=home
source=/dev/hda2
type=luks
options='-d /mnt/flash/homekey'

And so I suggest applying the patch that I have attached; I think it's logical to have the possibility of using key and luks simultaneously.
(In reply to comment #3)
> I don't understand why pre|post_mount can't satisfy your needs.

pre_mount runs too late in the process. I have set up a USB thumbdrive with only the plain keyfile stored on it. In dm-crypt-start.sh the mapper-device is created _before_ pre_mount gets executed.

> Here is my /etc/conf.d/cryptfs:
> mount=crypt-token
> source=/dev/sda2
> type=luks
> key=/root/flashkey.gpg
> pre_mount='mount -o ro /dev/mapper/crypt-token /mnt/flash'
> post_mount='umount /mnt/flash; cryptsetup luksClose crypt-token'
> options='--readonly'

Note your options-line, which does not rely on any non-mounted devices.

> mount=home
> source=/dev/hda2
> type=luks
> options='-d /mnt/flash/homekey'

This options-line instead _does_ rely on /mnt/flash being already mounted. But your /mnt/flash gets mounted just in the lines above, since these were processed before already. My /etc/conf.d/cryptfs looks like the following:

mount='crypt-home'
source='/dev/hda6'
type=luks
options='-c aes -s 256 -d /mnt/stick/keyfile'
pre_map=' until mount /dev/sda1 /mnt/stick >/dev/null 2>&1 ; do sleep 1 ; done '
post_map=' umount /dev/sda1 '

See, my options-line says that there is a /mnt/stick mounted. So it actually needs to get mounted at a point before the mapper-device is created. That's exactly what pre_map does. post_map is even run before pre_mount is executed in my case. I only need the keyfile to generate the mapper-device. I do not need it at mount-time anymore. I hope things are clearer now.
OK, I see. So let's apply both patches and have fun :) I think they at least won't break anything.
Check the new cryptsetup-luks-1.0.3-r3. That solves this problem.
Created attachment 99941 [details, diff] patch for gensplash for version 1.0.3-r3

I have tested v1.0.3-r3. So here is some feedback from me. I was not able to see the messages which say I should "insert the removable device" with my gensplash setup. The appended patch corrects that. It is against 1.0.3-r3.

When powering on the computer with the USB thumbdrive attached, it does not get detected. There is always the message to insert the removable device. Unplugging and re-plugging it resolves this. My former setup had the same issue. I suspect mount does not pass the proper return code.

Another thing I am thinking about is the fixed location for the mount point of the USB thumbdrive as /mnt/remdev. Would some random "local mntrem=` mktemp -d /mnt/remdev_XXXX `" be better? But all in all a very good job.
OK, it's fine, but there is still a problem. In my case the source itself is a removable device. Nowhere is the existence of the device checked, but the script gives 3 tries to pass the key to cryptsetup, so in theory I can plug in my USB token and type the password 2 times - the first time would fail, because cryptsetup already failed to open /dev/sda2. But in practice this doesn't work - the script checks the type of partition (luks or usual) in the very beginning. cryptsetup isLuks failed to open the device and it's interpreted as the answer "no, it's not luks". So I had to comment out that line and make LUKS the default and the only choice. P.S. Very long story, but very simple problem - I want one more feature :)
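An added example, not from this bug thread or from the cryptsetup-luks init scripts: a POSIX sh check that separates a source node that has not appeared yet (the removable-token case described above) from a node that is present but carries no LUKS header, so a failed "cryptsetup isLuks" on an absent device is not misread as "not luks". The function names, the poll interval and the injectable probe command are assumptions made for this example.

```shell
#!/bin/sh
# Example code (assumed names, not part of dm-crypt-start.sh).
# Needs: POSIX sh; "cryptsetup" in PATH for the real probe.

POLL_INTERVAL=1   # seconds between polls; tests may set it to 0

# wait_for_node NODE TRIES: poll until NODE exists or TRIES runs out.
# Returns 0 once the node is present, 1 on timeout.
wait_for_node() {
    node=$1; tries=${2:-3}
    while [ "$tries" -gt 0 ]; do
        [ -e "$node" ] && return 0
        tries=$((tries - 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# classify_source NODE TRIES [PROBE]: prints exactly one word:
#   absent  node never appeared (caller should ask for the token, retry)
#   luks    node present and PROBE (default "cryptsetup isLuks") succeeded
#   plain   node present but PROBE reports no LUKS header
# PROBE is overridable so the logic can be exercised without a real device.
classify_source() {
    node=$1; tries=$2; probe=${3:-"cryptsetup isLuks"}
    if ! wait_for_node "$node" "$tries"; then
        echo absent
        return 1
    fi
    if $probe "$node" >/dev/null 2>&1; then
        echo luks
    else
        echo plain
    fi
    return 0
}

# Usage when run directly: classify_source /dev/sdX 3
if [ -n "${1:-}" ]; then
    classify_source "$1" "${2:-3}"
fi
```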