[systemd-devel] [PATCH] add keyhandler support to cryptsetup

Lennart Poettering lennart at poettering.net
Thu Apr 24 00:04:49 PDT 2014


On Tue, 25.03.14 09:32, Benjamin SANS (bs at ziirish.info) wrote:

> * On Monday, 24 March 2014 23:24, Lennart Poettering <lennart at poettering.net> wrote:
> > 
> > No grokking what this is about really? What do you need the param for,
> > why isn't the existing agent logic good enough for this? Do you need
> > some identifier to pass across, or what is supposed to be included
> > there?
> > 
> 
> The goal here is to be able to reuse "handlers" that have been developed for
> Debian.
> The original "keyscript" option comes from them and this implementation uses
> the "key_file" field of the crypttab as an argument to the "keyscript".
> This "key_file" does not necessarily have to be a real "key_file".
> 
> For instance, you could have something like that in your crypttab:
> 
> crypt1   /dev/sda   UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,FILE=toto.key    luks,keyscript=/usr/bin/mykeyscript
> crypt2   /dev/sdb   UUID=yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy,FILE=tata.key    luks,keyscript=/usr/bin/mykeyscript

I really don't think keyscript and thus also some extensions to the
password field is something I want to see in systemd-cryptsetup. We have
the password agent stuff and you can plug in there whatever you
want. But I want programs to be able to make sense of /etc/crypttab, and
they really shouldn't become programs of their own or something that
cannot be understood anymore without knowing what the "keyscript" is
doing.

Really, this is a bad idea...

Lennart

-- 
Lennart Poettering, Red Hat

