[systemd-devel] [PATCH] add keyhandler support to cryptsetup

Lennart Poettering lennart at poettering.net
Mon Mar 24 15:24:28 PDT 2014


On Thu, 13.03.14 18:29, Benjamin SANS (bs at ziirish.info) wrote:

> Hi list,
> 
> Following this thread: http://lists.freedesktop.org/archives/systemd-devel/2012-July/005835.html, 
> I understand you don't want to support a "keyscript" option as implemented in
> that patch.
> 
> So I wrote these few lines to support a new "keyhandler" option (so that you
> don't necessarily need it to be a script, it can be whatever you want) and
> implemented a new crypt-keyhandler-agent. 
> The keyhandler takes the third field of the crypttab record as argument (the
> key_file)

No grokking what this is about really? What do you need the param for,
why isn't the existing agent logic good enough for this? Do you need
some identifier to pass across, or what is supposed to be included
there?

> For instance, I want my keyhandler to read the keyfile out of a usb key. If my
> usb key is not present I can fallback to the password method.

Supporting an automatic fallback to asking for a password interactively
when a file doesn't exist on disk is something we should anyway do in
systemd-cryptsetup, this shouldn't need any special script hookup. (Note
however that we nowadays add RequiresMountsFor= for the file specified
in cryptsetup so that we'll wait for any USB disk mentioned therein
anyway, which means we'd delay the cryptsetup logic until the device has
shown up.)

But anyway, for this specific usecase, I'd really like to see a patch
for systemd that makes this standard behaviour.

> Would a patch as below be acceptable?

Well, firstly, I'd have to understand the concept. ;-)

Also, all patches need to be submitted against systemd git...

Lennart

-- 
Lennart Poettering, Red Hat

