
#1 2013-08-07 21:29:05

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Minor encrypt hook modification for multiple luks devices

With a seven-line modification (excluding modifying indentation) to the encrypt hook, an indiscriminate number of encrypted devices can be enabled during boot. It does have some downsides, though:

- Probably won't work with anything other than luks.
- The & and ; characters are used as field separators:
    & separates devices.
    ; separates what would be cryptdevice, cryptkey, and crypto in the standard encrypt hook.
- All devices must be smushed into a single parameter, i.e.:

cryptdeets=/dev/vda3:crypt0;/dev/vda:2048:2048&/dev/vdb1:crypt1;/dev/vdb:4096:2048

I've only tested it in a qemu VM with luks devices. Here's a patch against the encrypt hook from cryptsetup 1.6.1-2 if anyone's interested:

@@ -4,6 +4,11 @@
     modprobe -a -q dm-crypt >/dev/null 2>&1
     [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
 
+    for mydev in ${cryptdeets//&/ }; do
+        IFS=';' read cryptdevice cryptkey crypto <<EOF
+$mydev
+EOF
+
     # Get keyfile if specified
     ckeyfile="/crypto_keyfile.bin"
     if [ -n "$cryptkey" ]; then
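Review bot: With this loop, `cryptdevice`, `cryptkey` and `crypto` are only ever assigned from `cryptdeets`, so a boot that still passes the existing `cryptdevice=` parameter and no `cryptdeets=` runs the body zero times and unlocks nothing, silently. Either keep the old single-device path as the fallback, e.g. `[ -n "$cryptdeets" ] || cryptdeets="$cryptdevice;$cryptkey;$crypto"` before the `for`, or state in the hook's help text that `cryptdeets` replaces `cryptdevice`. Minor: `read` without `-r` will eat a backslash in a device or key path; `IFS=';' read -r cryptdevice cryptkey crypto <<EOF` is safer.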
@@ -134,6 +139,8 @@
         fi
     fi
     rm -f ${ckeyfile}
+
+    done
 }
 
 # vim: set ft=sh ts=4 sw=4 et:
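Review bot: `rm -f ${ckeyfile}` now runs on every iteration, and for a device without a `cryptkey` field `ckeyfile` still holds the default `/crypto_keyfile.bin` set at the top of the loop body, so the first device's pass deletes the keyfile embedded in the initramfs before the second device is processed, which then falls back to a passphrase prompt. Remove only a key fetched for a `cryptkey=` device inside the loop and move the removal of the default keyfile to after `done`.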

Changes in indentation were ignored in creating it, otherwise I might as well post the whole file.

Last edited by alphaniner (2013-08-12 13:05:04)


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner
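A stand-alone parser for the cryptdeets syntax described above, added here as an illustration and not part of alphaniner's patch: it splits the parameter the same way (& between devices, ; between the cryptdevice, cryptkey and crypto fields) and rejects an entry with no device field, a check the posted hook does not make. It is written in portable sh rather than relying on the ${var//&/ } expansion used in the patch; the sample value is the one from the post.

```shell
#!/bin/sh
# Added example (not part of the posted hook): parse a cryptdeets value
# into one "device-and-name|cryptkey|crypto" record per line.
# Syntax as in the thread: '&' separates devices, ';' separates the
# fields that would be cryptdevice, cryptkey and crypto.
parse_cryptdeets() {
    deets=$1
    if [ -z "$deets" ]; then
        echo "parse_cryptdeets: empty parameter" >&2
        return 1
    fi
    oldifs=$IFS
    set -f                  # no pathname expansion while word-splitting
    IFS='&'
    set -- $deets           # positional params = one entry per device
    IFS=$oldifs
    set +f
    n=0
    for entry in "$@"; do
        n=$((n + 1))
        # Split this entry on ';' only; -r keeps backslashes literal.
        IFS=';' read -r dev key crypto <<EOF
$entry
EOF
        if [ -z "$dev" ]; then
            echo "parse_cryptdeets: entry $n has no device field" >&2
            return 1
        fi
        printf '%s|%s|%s\n' "$dev" "$key" "$crypto"
    done
}

# Constructed sample: the exact value quoted in the post.
SAMPLE='/dev/vda3:crypt0;/dev/vda:2048:2048&/dev/vdb1:crypt1;/dev/vdb:4096:2048'
parse_cryptdeets "$SAMPLE"
```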


#2 2013-08-11 12:21:57

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Minor encrypt hook modification for multiple luks devices

Neat! Where do you see the advantages to plain crypttab?


#3 2013-08-12 13:04:27

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: Minor encrypt hook modification for multiple luks devices

Honestly, I don't fully understand what you're asking. However, as it stands I expect it wouldn't work with anything but luks.




#4 2013-08-12 14:37:59

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Minor encrypt hook modification for multiple luks devices

Uhm, /etc/crypttab is the regular cryptsetup way to add encrypted partitions and specify where the key is. A disadvantage of your mod some might see is that it gives away the info where the keys are on the kernel line. Using crypttab, that info is only available (and parsed by systemd) once the root is unlocked. So, I was wondering what one gains from having them unlocked in initramfs already.


#5 2013-08-12 15:28:22

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: Minor encrypt hook modification for multiple luks devices

Ah, ok. I thought you were talking about non-luks devices. My system requires both to be unlocked in order to boot (LVM VG over multiple luks), so it couldn't be handled by crypttab.

In my case, I don't store the <offset>:<size> in the bootloader config, but I know the kernel line can be retrieved after boot (eg, dmesg). Nothing can be done about that AFAIK.




#6 2013-08-12 16:07:45

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Minor encrypt hook modification for multiple luks devices

Ok, if you hand-type the cryptdeets on each boot they are obviously not there, but that's a bit of pre-boot concentration ... I don't see why you need it that way. Does this not work for you? That's using keys to unlock the volumes.


#7 2013-08-12 16:19:21

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: Minor encrypt hook modification for multiple luks devices

That section is about LUKS on LVM. I'm using LVM on luks: one LVM VG consisting of two encrypted physical partitions.

Edit: It's a good thing I didn't read that section before I tried this, because I'm definitely in defiance of

THIS IS THE REQUIRED CONFIGURATION IF YOU WISH TO ADD/SPAN MORE PHYSICAL DRIVES IN THE FUTURE.

I actually added the second PV after the fact because I forgot to leave space for LVM snapshots.

Last edited by alphaniner (2013-08-12 16:30:52)




#8 2013-08-12 17:08:26

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Minor encrypt hook modification for multiple luks devices

Yes, understandable then. Neat to see your solution to bend the spoon and that it works like that!

In theory there is also another way: LVM (spanning drives)->luks over it->LVM inside that. This way you have the lvm doing the disk span, but only one big luks partition (and hence one pass/key). I have not tried that with Arch though. Not sure if those nested lvm hooks would work like that currently. It would not have helped you for sure in that situation, but is just a tweak to have the lvm benefit of spanning disks while getting around using keys or multiple passphrases.


#9 2013-08-23 12:10:38

valo
Member
From: IT
Registered: 2013-08-23
Posts: 8

Re: Minor encrypt hook modification for multiple luks devices

Hi all.
My setup is cryptsetup+luks and, on top, lvm: 2 disks, different passphrases, same volume group.
I searched for a while, and with the current encrypt hook the following works for me:

*** my_encrypt_hook     2013-08-23 13:48:38.357707354 +0200
--- default_encrypt_hook        2013-08-23 13:47:43.000000000 +0200
***************
*** 4,11 ****
      modprobe -a -q dm-crypt >/dev/null 2>&1
      [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
  
- for cryptdev in ${cryptdevice//,/ }; do
- 
      # Get keyfile if specified
      ckeyfile="/crypto_keyfile.bin"
      if [ -n "$cryptkey" ]; then
--- 4,9 ----
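Review bot: The headers put `my_encrypt_hook` on the `***` side and `default_encrypt_hook` on the `---` side, so the `-` lines in this hunk are what the modified hook adds, and anyone applying the diff with `patch` against the stock hook needs `-R`; swapping the two files (or regenerating with `diff -c default_encrypt_hook my_encrypt_hook`) would avoid the confusion. On the change itself, splitting `cryptdevice` on `,` collides with the third `cryptoptions` field that the `IFS=: read cryptdev cryptname cryptoptions` later in the file expects, since that field is itself a comma-separated list; an entry carrying more than one option would be broken into bogus devices. The post's "i've no cryptoptions" caveat belongs in the hook's help text, or a separator that cannot appear in an entry should be chosen.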
***************
*** 38,44 ****
      if [ -n "${cryptdevice}" ]; then
          DEPRECATED_CRYPT=0
          IFS=: read cryptdev cryptname cryptoptions <<EOF
! $cryptdev
  EOF
      else
          DEPRECATED_CRYPT=1
--- 36,42 ----
      if [ -n "${cryptdevice}" ]; then
          DEPRECATED_CRYPT=0
          IFS=: read cryptdev cryptname cryptoptions <<EOF
! $cryptdevice
  EOF
      else
          DEPRECATED_CRYPT=1
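Review bot: Reusing `cryptdev` as both the loop variable and the first target of `IFS=: read cryptdev cryptname cryptoptions` only works because the here-document is expanded before `read` assigns, and it is easy to misread; give the loop variable its own name (`for entry in ${cryptdevice//,/ }` and `$entry` in the here-document). Note also that inside the loop the `else` branch setting `DEPRECATED_CRYPT=1` is now unreachable, since the loop iterates only when `cryptdevice` is non-empty, so that branch can be dropped or the deprecated path handled before the `for`.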
***************
*** 136,142 ****
          fi
      fi
      rm -f ${ckeyfile}
- done
  }
  
  # vim: set ft=sh ts=4 sw=4 et:
--- 134,139 ----
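Review bot: `rm -f ${ckeyfile}` now executes once per disk, and when no `cryptkey=` is given `ckeyfile` is still the default `/crypto_keyfile.bin` assigned at the top of the loop body, so the first disk's pass deletes the embedded keyfile before the second disk is unlocked; the passphrase tests mentioned in the post would not show this, the keyfile test will. Delete a fetched key inside the loop only when `cryptkey` was set, and remove the default keyfile after `done`.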

It's my first edit and I'm not sure it's correct. I tested with passphrase and I'm testing for keyfile.
I used "," to separate disks; I've no cryptoptions.
I'd like to see the multiple disk support feature officially adopted.
Bye and thanks to alphaniner for the hint.

