/etc/conf.d/dmcrypt contains an argument for a detached LUKS header; /etc/init.d/dmcrypt misses support for it (but we have a patch now).

Reproducible: Always

Steps to Reproduce:

1. Create a LUKS volume with a detached header on a file:

# create dir for experiments
mkdir -p /var/tmp/luks_header_test
# create 20M image
dd if=/dev/zero of=/var/tmp/luks_header_test/img bs=1M count=20
# generate key
dd if=/dev/urandom of=/var/tmp/luks_header_test/key bs=1K count=4
# generate 10M header file
dd if=/dev/zero of=/var/tmp/luks_header_test/header bs=1M count=10
# convert image file to device loop7
losetup -v /dev/loop7 /var/tmp/luks_header_test/img
# format luks volume
cryptsetup luksFormat --header /var/tmp/luks_header_test/header --key-file /var/tmp/luks_header_test/key /dev/loop7

2. Configure /etc/conf.d/dmcrypt with luks_header; add these lines to the config:

target=luks_header_test
source='/dev/loop7'
key='/var/tmp/luks_header_test/key'
luks_header='/var/tmp/luks_header_test/header'

3. Restart dmcrypt.

4. Check the status:

cryptsetup status luks_header_test

# you will see, for the wrong plain mode:
#
# > cryptsetup status luks_header_test
# /dev/mapper/luks_header_test is active.
#   type:    PLAIN
#   cipher:  aes-cbc-essiv:sha256
#   keysize: 256 bits
#   device:  /dev/loop7
#   loop:    /var/tmp/luks_header_test/img
#   offset:  0 sectors
#   size:    40960 sectors
#   mode:    read/write

# you can manually open the luks volume and play with it
# cryptsetup open --type luks --header /var/tmp/luks_header_test/header --key-file /var/tmp/luks_header_test/key /dev/loop7 luks_header_test

# a properly opened luks volume will produce:
# > cryptsetup status luks_header_test
# /dev/mapper/luks_header_test is active.

5. Cleanup: remove the test lines from the config, then

cryptsetup close luks_header_test
losetup -d /dev/loop7
rm -r /var/tmp/luks_header_test

Actual Results: cryptsetup creates/opens a plain-mode volume (not LUKS).

Expected Results: the LUKS volume is opened with the detached header.
Created attachment 364964 [details, diff] plain diff patch for /etc/init.d/dmcrypt
Comment on attachment 364964 [details, diff] plain diff Please attach a unified patch next time.
Created attachment 365052 [details, diff] enable detached LUKS header support
Comment on attachment 365052 [details, diff]
enable detached LUKS header support

>+ cryptsetup isLuks ${source} 2>/dev/null \
>+ && { arg1="luksOpen"; arg2="${source}"; arg3="${target}"; luks=1; }

I know the existing code style likes to pack multiple statements on one line, but let's get away from that:

if cryptsetup isLuks ${source} 2>/dev/null ; then
  ... var assignments ...
fi

Otherwise, the patch looks fine.
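Review bot: the `cryptsetup isLuks ${source}` probe in the quoted lines cannot select the LUKS branch for the detached-header case this patch is meant to enable, because once the header is stored elsewhere the source device carries no LUKS signature; `isLuks` then fails and, unless another part of the patch checks the configured header first, the target is silently opened in plain mode, which is exactly the wrong `type: PLAIN` result in the report. Gate the branch on the configured header as well, e.g. `if [ -n "${luks_header}" ] || cryptsetup isLuks "${source}" 2>/dev/null; then`, and quote `"${source}"` so a path with spaces or glob characters is passed as one argument.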
I'd like to see this enhancement go in. The code style suggestion above is already in the gentoo tree. Is something else blocking this issue?
Created attachment 767170 [details, diff] updated patch for 2.4.0-dmcrypt.rc
Created attachment 767171 [details, diff] updated patch for 2.4.0-dmcrypt.confd
I've brought the original patch from Oleg up to date, so it patches against 2.4.0-dmcrypt.rc (used by the currently stable sys-fs/cryptsetup-2.4.3). I've also patched the 2.4.0-dmcrypt.conf to add an example of using the detached header with a USB stick. I've tested them and am currently using both patches applied to my system; it would be nice to get these included for others to use.
Created attachment 767898 [details, diff] updated patch for 2.4.0-dmcrypt.rc
I realised that the patches included an 'isLuks' check which fails when using a partition with a detached header, with the following:

# cryptsetup -v isLuks /dev/<my_device>
Command failed with code -1 (wrong or missing parameters).

so the conditional to assign the arg_header never executes in 2.4.0-dmcrypt.rc, and it appears to be treated as --type=plain (it becomes clear when the removable drive isn't plugged in). I've updated the patch with a fix.
Created attachment 775014 [details, diff] updated patch for 2.4.0-dmcrypt.rc Updated patch to unset the luks header file path variable after use, so subsequent encrypted volumes can work when a detached header is not used.
(In reply to Stephen Kirkby from comment #11)
> Created attachment 775014 [details, diff]
> updated patch for 2.4.0-dmcrypt.rc
>
> Updated patch to unset the luks header file path variable after use, so
> subsequent encrypted volumes can work when a detached header is not used.

```
+ if [ cryptsetup isLuks ${source} 2>/dev/null ] || [ -n "${luks_header}" ] ; then
```

should be

```
+ if cryptsetup isLuks ${source} 2>/dev/null || [ -n "${luks_header}" ] ; then
```
.
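Review bot: besides the `[ ... ]` misuse already pointed out, `${source}` is unquoted in the `isLuks` call in both the quoted line and the suggested replacement; write `cryptsetup isLuks "${source}"` so a source path from /etc/conf.d/dmcrypt containing spaces or glob characters reaches cryptsetup as a single argument, and consider testing `[ -n "${luks_header}" ]` first so the probe is not even run against a device that is known to carry no on-disk header.

The decision logic the thread converges on, as an added example that is not the Gentoo dmcrypt init script nor any of the attached patches: it covers the report's configuration stanza (target=, source=, key=, luks_header=), the finding in comment 11 that `cryptsetup isLuks` fails on a device whose header is detached, and the per-target reset from comment 11's later patch so a following target does not inherit a stale luks_header. Instead of falling back to plain mode when the header file (for instance on an unplugged USB stick) is unreadable, the example refuses to open the target. The function names `dmcrypt_open_args`, `dmcrypt_plan`, `dmcrypt_flush`, `dmcrypt_unquote` and the `DMCRYPT_ISLUKS` override variable are assumptions made for this example; the sample config is constructed. The block only prints the cryptsetup command lines it would run, so it needs neither root nor real block devices.

```shell
#!/bin/sh
# Added example, not code from the Gentoo dmcrypt init script or its patches.
# Function and variable names are assumptions made for this example.

# Probe used to detect an on-device LUKS header. Exposed as a variable so the
# logic can be exercised with a stand-in command instead of a real block
# device (assumption for this example; the real script calls cryptsetup).
: "${DMCRYPT_ISLUKS:=cryptsetup isLuks}"

# dmcrypt_open_args TARGET SOURCE KEYFILE LUKS_HEADER
# Prints the cryptsetup command line that opens one dmcrypt target.
dmcrypt_open_args() {
    tgt=$1 src=$2 keyf=$3 hdr=$4
    if [ -z "$tgt" ] || [ -z "$src" ]; then
        echo "dmcrypt: target and source are required" >&2
        return 1
    fi

    if [ -n "$hdr" ]; then
        # A source whose header lives elsewhere carries no LUKS signature, so
        # `cryptsetup isLuks` fails on it; the configured luks_header, not the
        # probe, must select LUKS mode. Refuse rather than fall back to plain
        # mode when the header file (e.g. on an unplugged USB stick) is absent.
        if [ ! -r "$hdr" ]; then
            echo "dmcrypt: luks_header '$hdr' for $tgt is not readable" >&2
            return 1
        fi
        set -- luksOpen --header "$hdr"
    elif $DMCRYPT_ISLUKS "$src" 2>/dev/null; then
        set -- luksOpen
    else
        set -- create
    fi
    if [ -n "$keyf" ]; then
        set -- "$@" --key-file "$keyf"
    fi
    # luksOpen takes <device> <name>; plain-mode create takes <name> <device>.
    if [ "$1" = luksOpen ]; then
        set -- "$@" "$src" "$tgt"
    else
        set -- "$@" "$tgt" "$src"
    fi
    echo "cryptsetup $*"
}

# Strip one layer of matching quotes from a config value such as '/dev/loop7'.
dmcrypt_unquote() {
    v=$1
    case $v in
        \'*\') v=${v#\'}; v=${v%\'} ;;
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s\n' "$v"
}

# Emit the command for the stanza collected so far, then clear every
# per-target variable so the next target cannot inherit a luks_header
# (or key) that it did not set itself.
dmcrypt_flush() {
    [ -n "$c_target" ] || return 0
    dmcrypt_open_args "$c_target" "$c_source" "$c_key" "$c_header" || rc=1
    c_target='' c_source='' c_key='' c_header=''
}

# dmcrypt_plan CONFIG_FILE
# Walks a /etc/conf.d/dmcrypt-style file (target= opens a stanza; source=,
# key= and luks_header= belong to the most recent target) and prints one
# cryptsetup command per target. Returns 1 if any target cannot be opened.
dmcrypt_plan() {
    rc=0
    c_target='' c_source='' c_key='' c_header=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)       ;;
            target=*)      dmcrypt_flush; c_target=$(dmcrypt_unquote "${line#target=}") ;;
            source=*)      c_source=$(dmcrypt_unquote "${line#source=}") ;;
            key=*)         c_key=$(dmcrypt_unquote "${line#key=}") ;;
            luks_header=*) c_header=$(dmcrypt_unquote "${line#luks_header=}") ;;
        esac
    done < "$1"
    dmcrypt_flush
    return "$rc"
}
```

Run `dmcrypt_plan /etc/conf.d/dmcrypt` to see which command each target would get before trusting a modified init script with a real reboot; a target whose header file is missing shows up as an error on stderr and a non-zero exit instead of a silently plain-mode mapping.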
Created attachment 778130 [details, diff] updated patch for 2.4.0-dmcrypt.rc Patch updated
Created attachment 832213 [details, diff] Updated patch for latest stable cryptsetup 2.4.3-r2
Created attachment 832215 [details, diff] Updated patch for latest stable cryptsetup 2.4.3-r2 Although the latest cryptsetup-2.4.3-r2 supports detached headers, I've kept this patch alive as it supports the detached header on a removable drive.
Created attachment 861072 [details, diff] Updated patch for latest stable cryptsetup 2.4.3-r2 Added additional logic to wait for a specified time after unmounting the removable media, to ensure the device doesn't get remounted before the user removes it.
Created attachment 861073 [details, diff] Updated patch for latest stable cryptsetup 2.4.3-r2 Added additional logic to wait for a specified time after unmounting the removable media, to ensure the device doesn't get remounted before the user removes it.
Created attachment 876383 [details, diff] Updated patch for latest stable cryptsetup 2.6.1 Added fix for when user doesn't have encrypted swap enabled, so subsequent detached header targets will still work (simple change to move function declaration higher).
I'm not quite sure why this isn't going anywhere, and there's been another couple of releases of cryptsetup, so I've added the changes to my repo for those interested in using it: https://github.com/moodytux/portage-overlay/tree/master/sys-fs/cryptsetup