[systemd-devel] [PATCH] cryptsetup-generator: support rd.luks.key=keyfile:keyfile_device

Lennart Poettering lennart at poettering.net
Thu Apr 23 10:08:17 PDT 2015 

On Thu, 23.04.15 19:33, Andrei Borzenkov (arvidjaar at gmail.com) wrote:

> > > > What does this actually do? Is the specified key file read from the
> > > > specified device?
> > > 
> > > It reads keyfile from filesystem on device identifed by keyfile_device.
> > > 
> > > >                  The order of keyfile:device sounds weird, no?
> > > > Shouldn't it be the other way round?
> > > > 
> > > 
> > > keyfile is mandatory, keyfile_device is optional and can be omitted. I
> > > believe dracut looked at all existing devices then. This order makes
> > > it easier to omit optional parameter(s).
> > 
> > Well, whether it is [device:]file or file[:device] is hardly any
> > difference for the parser...
> 
> Does it really matter?

Well, we might as well implement this in the most obvious way if it is
not a completely standard feature yet. To me it appears that only one
initrd supported it, and it lost it a while back without too much
complaining...

But anyway, I don't mind too much. The 

> > > > Is this specific to Dracut so far? Is this widely used, and something
> > > > that we really want.
> > > 
> > > I can say about dracut only but yes, it is used and it is serious
> > > regression when it is used comparing with pre-systemd version.
> > 
> > Can you point me to documentation about the previous features in this
> > regard? Which initrd implementations are you referring to?
> 
> Sure, in dracut manual page:
> 
>   crypto LUKS - key on removable device support
>        rd.luks.key=<keypath>:<keydev>:<luksdev>
>            keypath is a path to key file to look for. It’s REQUIRED. When
>            keypath ends with .gpg it’s considered to be key encrypted
>            symmetrically with GPG. You will be prompted for password on boot.
>            GPG support comes with crypt-gpg module which needs to be added
>            explicitly.

To make this clear: the gpg support is crazy. I don't want to see that
in systemd at all.

Also, so far we don't allow <luksdev> to be specified for any of the
other options, such as luks.options or so. I am not convinced we
should support that here.

I'd be willing to merge a patch that supports basic
rd.luks.key=<keypath>:<keydev>, even though I think it's usecase is
more security theater than really useful.

But please put the temporary mount into /run, keep it minimal, define
a clear trigger to unmount it, no gpg, no <luksdev> support.

Lennart

-- 
Lennart Poettering, Red Hat

More information about the systemd-devel mailing list