[Bug 1223622] Re: add support for crypttab mounting of luks devices with detached headers
DiagonalArg
1223622 at bugs.launchpad.net
Mon Dec 14 23:38:28 UTC 2015
@Attila - The patches from here seem to have been included (with some
changes) in the new scripts that are available in 15.10. Unfortunately,
the scripts do not include the header in the initramfs, with a note that
this is a "security risk". Hm. So I thought I might just add the
header to the /boot directory which is unencrypted, thinking this would
be available at bootup. Then I pointed the header=<fn> option there.
But that didn't work. On bootup I get a message that the header file is
not available. Dropping into a shell, I find that I am at the
(initramfs) prompt.

I'll have to review the boot process to find out if there is some part
of the /boot directory that is available, or if I actually must have the
header in the initramfs. If the latter, then the scripts will (again)
have to be altered.

I really don't understand the point of crippling the scripts in that
way. The idea is to put the header on a USB or SD and then carry that
with us. I'm not clear on what the security problem is. Having the
header hanging out there on the disk unprotected is not a security
problem??

Suggestions welcome!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1223622
Title:
add support for crypttab mounting of luks devices with detached
headers
Status in cryptsetup package in Ubuntu:
Confirmed
Bug description:
A detached LUKS header for a LUKS device is a new feature in
cryptsetup 1.4. This is a feature request to allow the unlocking of
LUKS devices with detached headers, both as a root device (i.e. in the
initrd) as well as using the init system.

The attached patch only solves part of the issue, support in the init
system.