Hello, I did a rewrite of dm-crypt-start.sh (cryptfs implementation script). Please note that I don't intend to ditch Benjamin's work with this; at first I wanted to edit the cryptfs scripts to add support for gpg and usb-sticks, but one thing led to another and I ended up rewriting it. Anyway, I just thought of sharing; maybe if you like it you could consider it for inclusion (after proper evaluation of course, I'm not a bash scripting expert :).

Improvements/Changes:
* Support both regular keyfiles and gpg encrypted keys (both with the key= argument)
* Support for obtaining the keyfile from removable media such as a usb-stick.
* Autodetect if a partition is LUKS by using cryptsetup's isLuks option. (type= is gone)
* To avoid confusion by users, mount= has been renamed to target= in both /etc/conf.d/cryptfs and in the implementation script.

Minor changes:
* Cryptfs examples fixed, source= should be real devices, not mappings.
* No more default options for mappings (passing -c aes -h sha1 to a LUKS partition is incorrect :)
* Encryption key is piped into cryptsetup (not stored on a passphrase), therefore it's kept in memory for as little as possible.

I know mounting removable media could be done with the pre|post_mount arguments, but I don't like it. I also saw here (#117476) that a patch was made to support pre|post_map, nice idea but I think it should be done right into cryptfs instead.
Anyway, after many tests and reboots, the following is known to work:

Status | cryptfs options
=======+=================================================================================
Works  | target=portage source=/dev/sda5
Works  | target=portage source=/dev/sda5 key=/cryptkeys/portagekey
Works  | target=portage source=/dev/sda5 key=/cryptkeys/portagekey:gpg
Works  | target=portage source=/dev/sda5 key=/cryptkeys/portagekey remdev=/dev/sdb1
Works  | target=portage source=/dev/sda5 key=/root/cryptkeys/portagekey:gpg remdev=/dev/sdb1

Forced failures:
- no source= line -- Works as expected
- keyfile doesn't exist -- Works as expected

Weird issues: Once during booting, right after the checkroot init-script finished fscking the root filesystem, a lot of ewarns about I/O errors were printed. I tried to reproduce it by forcing fscks with tune2fs, but failed to. It was pretty weird, I've no idea what triggered it.

Let me know what you guys think, thanks.
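The key= / remdev= / isLuks handling described in the post above, as an added shell sketch that is not the attached dm-crypt-start.sh: it splits the key spec (path, optional :gpg suffix), picks luksOpen or create from an isLuks probe, and hands the key to cryptsetup on stdin instead of as an argument or temporary file. Function names are my own assumptions; mounting remdev= is left to the caller.

```shell
#!/bin/sh
# Added example, not the attached dm-crypt-start.sh. Function names are
# assumptions; remdev= mounting is left to the caller.

# Split a cryptfs key= value "path[:gpg]" into "<path> <plain|gpg>".
parse_keyspec() {
    case $1 in
        *:gpg) printf '%s gpg\n' "${1%:gpg}" ;;
        *:*)   echo "unknown key type in '$1'" >&2; return 1 ;;
        *)     printf '%s plain\n' "$1" ;;
    esac
}

# Map the exit status of "cryptsetup isLuks <dev>" (0 = LUKS header found)
# to the cryptsetup action; kept separate so it is testable without a device.
open_action() {
    if [ "$1" -eq 0 ]; then echo luksOpen; else echo create; fi
}

# Command line that maps $2 (source device) to /dev/mapper/$3 (target).
# "--key-file -" makes cryptsetup read the key from stdin, so the key never
# appears in the process arguments or in a temporary file.
build_open_cmd() {
    case $1 in
        luksOpen) echo "cryptsetup --key-file - luksOpen $2 $3" ;;
        create)   echo "cryptsetup --key-file - create $3 $2" ;;
        *)        echo "unknown action '$1'" >&2; return 1 ;;
    esac
}

# Write the key material to stdout: plain keyfile copied as-is, gpg keyfile
# decrypted (gpg asks for its passphrase on the console).
key_reader() {
    case $2 in
        gpg)   gpg --quiet --decrypt "$1" ;;
        plain) cat "$1" ;;
    esac
}

# Whole flow for one entry: open_mapping <target> <source> <key=value>.
open_mapping() {
    parsed=$(parse_keyspec "$3") || return 1
    kpath=${parsed% *}; ktype=${parsed##* }
    if cryptsetup isLuks "$2" 2>/dev/null; then luks=0; else luks=1; fi
    cmd=$(build_open_cmd "$(open_action "$luks")" "$2" "$1") || return 1
    key_reader "$kpath" "$ktype" | $cmd
}
```

A misspelled key type (anything after the colon other than gpg) is rejected before any device is touched, matching the "forced failure" behaviour the post tested.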
Created attachment 95274: new dm-crypt-start.sh
Created attachment 95275: new dm-crypt-stop.sh
Created attachment 95276: new /etc/conf.d/cryptfs
Thanks for filing this, I was just looking at your HOWTO on the gentoo-wiki the other day and it looks like a nice collation of most of the HOWTOs around. I'll check out these scripts and see what we can do about including them.
I've done some tests and it's looking good. I'll continue to test and probably commit it soon. Thanks for your work, I had started rewriting these scripts but just never found the time to do it properly.
Committed, thanks for your contribution, it's appreciated.