[Bug 1223622] Re: add support for crypttab mounting of luks devices with detached headers

DiagonalArg 1223622 at bugs.launchpad.net
Mon Dec 28 11:47:16 UTC 2015


I have gotten this to work in Ubuntu 15.10, which has cryptsetup 1.6.6.
As mentioned previously, the scripts in 1.6.6 have included the patches
from here with some modifications, along with additions for truecrypt
volumes, btrfs, and some improvement (hopefully) of situations where
it's necessary to wait for disks to come up.  Unfortunately, the
modifications to the detached header code introduced a number of errors
and was, in addition, crippled by the commenting out of the code that
inserted the header into the initramfs.  I'm about to upload the patches
here.  A couple of notes on usage/comments:

(1) A function in /lib/cryptsetup/cryptdisks.functions parses the
/etc/crypttab file, including any possible "header=<fn>" option.  This
function only works if <fn> is a complete filename path.  That path may
need to be in quotes if it's got spaces in it, though I haven't tested
that part.  I <<believe>> this is only used for disks that come up after
root and (perhaps) are not listed as automount in /etc/fstab.

(2) The scripts in /usr/share/initramfs-tools/{hooks,scripts/local-top}/cryptroot
also parse the crypttab file (respectively a derivative of that file) in
order to bring up an encrypted root device.  If that
root device has a detached header, then the "header=<fn>" option can
refer either to a complete filename path, or to a file in the directory
/etc/initramfs-tools/conf.d/cryptheader.  Both ways of referring to the
file (now) work.

(3) It's the script /usr/share/initramfs-tools/hooks/cryptroot that had
the section commented out.  This section was taken directly from the
original scripts posted by Glenn.  That section is marked by a "TODO",
added by the maintainer, and which I have uncommented.

A final note.  When the header is not detached, it's possible to use
UUIDs to refer to a device in crypttab.  Since the UUID is in the
header, when we have a detached header it is no longer possible to refer
to the device this way.  There is another unique means of referring to a
(hardware) disk, the WWN device identifier
(https://en.wikipedia.org/wiki/World_Wide_Name).  These can be found
listed in /dev/disk/by-id/wwn-*.  This is probably what you want to use
for the first, target, field in the crypttab file.

Ok, patches coming.  Hope it's useful!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1223622

Title:
  add support for crypttab mounting of luks devices with detached
  headers

Status in cryptsetup package in Ubuntu:
  Confirmed

Bug description:
  A detached luks header for a luks device is a new feature in
  cryptsetup 1.4.  This is a feature request to allow the unlocking of
  luks devices with detached headers, both as a root device (i.e. in the
  initrd) as well as using the init system.

  The attached patch only solves part of the issue, support in the init
  system.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1223622/+subscriptions
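The rules the comment above describes for a detached-header crypttab entry (header= as a complete path or a bare name under /etc/initramfs-tools/conf.d/cryptheader, a possibly quoted path with spaces, and no UUID-based device reference because the UUID lives in the detached header) can be checked with a small lint. This is an added example, not code from cryptsetup or the Ubuntu scripts; the shell-style field splitting and the WWN check on the source device field (the second crypttab field) are assumptions of this example.

```python
"""Lint crypttab entries that use a detached LUKS header (header=<fn>).
Constructed example with made-up sample data; not cryptsetup's own code."""
import shlex

# Directory named in the comment where the initramfs hook looks up bare names.
CRYPTHEADER_DIR = "/etc/initramfs-tools/conf.d/cryptheader"

CRYPTTAB_SAMPLE = """\
cryptroot /dev/disk/by-id/wwn-0x5000000000000001-part2 none luks,header=rootheader.img
data      UUID=11111111-2222-3333-4444-555555555555    none luks,header=/boot/hdr/data.img
archive   /dev/sdb1 none luks,header="/mnt/usb key/archive.hdr"
swap      /dev/disk/by-id/wwn-0x5000000000000002-part3 /dev/urandom swap
"""

def parse_crypttab(text):
    """Return (target, source, keyfile, options) per entry; options is a dict."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        # Shell-style quoting keeps a quoted header path with spaces as one
        # field (assumption: the real /bin/sh parser may behave differently).
        fields = shlex.split(line) if line else []
        if len(fields) < 2:
            continue
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = {}
        for opt in (fields[3].split(",") if len(fields) > 3 else []):
            key, _, value = opt.partition("=")
            options[key] = value
        entries.append((fields[0], fields[1], keyfile, options))
    return entries

def resolve_header(value):
    """Absolute path of the header file, or None if the value is unusable."""
    if value.startswith("/"):
        return value                                 # complete path: used as-is
    if not value or "/" in value:
        return None                                  # relative dir path: rejected
    return f"{CRYPTHEADER_DIR}/{value}"              # bare name: looked up in dir

def lint_crypttab(text):
    """Return problems for entries that declare a detached header."""
    problems = []
    for target, source, _keyfile, options in parse_crypttab(text):
        if "header" not in options:
            continue
        if resolve_header(options["header"]) is None:
            problems.append(f"{target}: unusable header path {options['header']!r}")
        if source.startswith("UUID="):               # UUID lives in the detached header
            problems.append(f"{target}: UUID= cannot be resolved with a detached header")
        elif not source.startswith("/dev/disk/by-id/wwn-"):
            problems.append(f"{target}: {source} is not a stable /dev/disk/by-id/wwn-* path")
    return problems
```

Running `lint_crypttab(CRYPTTAB_SAMPLE)` flags the `data` entry (UUID= source) and the `archive` entry (/dev/sdb1 is not a WWN path); the root entry with a bare header name resolves cleanly.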
