Package: cryptsetup
Version: 2:1.7.0-2
Severity: wishlist
Hi.

Perhaps this is rather an upstream thingy... or at least I think it would also make sense to move the crypttab stuff itself upstream, after all each distro has a crypttab. (Which is why I've CCed Milan.)

I think it would make sense to re-designate crypttab's third field to be the keyfile (i.e. when no keyscript is given and it isn't "none") OR the keyscript's parameters. Perhaps explaining it at least in the documentation.

The rationale behind this is that this field is typically what's used with keyscripts to specify parameters for that script, which can also be multiple parameters and not just filenames. E.g. a keyscript for openpgp could get a device and pathname, where to look for the openpgp encrypted key file,... or it could get a mode where to retrieve the key from (file, smartcard) and then perhaps a slot number, if there are more than one keys on the smartcard. A keyscript that authenticates via ssh could specify all kinds of ssh options like server, trusted keys and so on.

As such I think it would also make sense to a) clarify which characters are allowed in the third field (probably at least not tab and space), and maybe even recommend a quoting schema and a syntax for specifying multiple options, like e.g. device=foo:pathname=bar:...

One could e.g. define that the option name is only allowed to have alphanumeric characters, ".", "-", and "_", and everything after the = would be a %-encoded value.

Whether that quoting is already decoded and whether the options are parsed and split by cryptsetup,... or whether this should be left as a duty to the respective keyscripts (thereby allowing them to use different schemas) could be thought about. But if it's not done automatically one could perhaps provide a small helper binary that takes the whole third field and spits out the split and decoded values, e.g. in --shell mode, as shell-escaped variable assignments of the style
KEYSCRIPT_OPTION_<optionname>=value
KEYSCRIPT_OPTION_<optionname>=value
KEYSCRIPT_OPTION_<optionname>=value

The benefit would be that this is made more uniform across keyscripts.

Cheers,
Chris.
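As an added illustration of the option syntax and helper proposed in the mail above (this is example code written for this page, not part of cryptsetup, its keyscripts, or the original report): a small parser for the "name=value:name=value" form of the third field, with option names restricted to alphanumerics plus ".", "-" and "_", values %-encoded, and a "--shell" style output of shell-escaped KEYSCRIPT_OPTION_<name>=value assignments. Two details the mail leaves open are decided here as assumptions: a bare option name without "=" is accepted as an empty value, and because "." and "-" are not legal in shell variable names they are mapped to "_" for the shell output (with a collision check). The sample crypttab fields are constructed for the example.

```python
"""Hypothetical crypttab keyscript-option helper (example code, not cryptsetup's).

Third-field syntax assumed here, following the proposal in the mail:
    name=%-encoded-value:name=%-encoded-value:...
Option names: [A-Za-z0-9._-]+ ; values: %-encoded, so ":" and "=" inside a
value must be written as %3A and %3D, and whitespace is never allowed raw.
"""
import re
import shlex
from urllib.parse import unquote

OPTION_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
# A value may contain anything except raw whitespace, ":" and "=", and every
# "%" must introduce a two-hex-digit escape.
VALUE_RE = re.compile(r"^(?:[^%:=\s]|%[0-9A-Fa-f]{2})*$")


class KeyscriptOptionError(ValueError):
    """Raised for a third field that does not follow the option syntax."""


def parse_keyscript_options(field: str) -> dict:
    """Split the third field into an ordered {name: decoded value} mapping."""
    if field in ("", "none"):
        raise KeyscriptOptionError("field carries no keyscript options")
    if any(ch.isspace() for ch in field):
        raise KeyscriptOptionError("whitespace is not allowed in the third field")
    options = {}
    for item in field.split(":"):
        if item == "":
            raise KeyscriptOptionError("empty option (doubled or trailing ':')")
        # Assumption: a bare name (no '=') is a flag with an empty value.
        name, _sep, raw_value = item.partition("=")
        if not OPTION_NAME_RE.match(name):
            raise KeyscriptOptionError(f"invalid option name {name!r}")
        if not VALUE_RE.match(raw_value):
            raise KeyscriptOptionError(f"invalid %-encoded value for {name!r}")
        if name in options:
            raise KeyscriptOptionError(f"duplicate option {name!r}")
        options[name] = unquote(raw_value)
    return options


def shell_variable_name(option_name: str) -> str:
    """Map an option name onto a shell identifier.

    "." and "-" are allowed in option names but not in shell variable names,
    so they become "_" (an assumption of this example, not of the mail).
    """
    return "KEYSCRIPT_OPTION_" + re.sub(r"[.-]", "_", option_name)


def to_shell_assignments(options: dict) -> str:
    """Render the parsed options as shell-escaped assignments (--shell mode)."""
    assigned = {}
    lines = []
    for name, value in options.items():
        var = shell_variable_name(name)
        if var in assigned:
            raise KeyscriptOptionError(
                f"options {assigned[var]!r} and {name!r} collide on {var}")
        assigned[var] = name
        lines.append(f"{var}={shlex.quote(value)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample fields in the spirit of the mail's openpgp/ssh examples.
    samples = [
        "device=/dev/disk/by-id/usb-foo:pathname=/keys/root%20disk.gpg:mode=smartcard:slot=2",
        "ssh-server=host%3A2222:trusted-keys=/etc/ssh/keyscript_known_hosts",
        "bad name=x",          # raw whitespace -> rejected
        "slot=1:slot=2",       # duplicate option -> rejected
        "pathname=/keys/a%zz", # malformed escape -> rejected
    ]
    for field in samples:
        try:
            print(to_shell_assignments(parse_keyscript_options(field)))
        except KeyscriptOptionError as err:
            print(f"# rejected {field!r}: {err}")
        print()
```

A keyscript could then consume the output with `eval "$(helper --shell "$CRYPTTAB_KEY")"` and read `$KEYSCRIPT_OPTION_device` and friends; the shlex-style quoting is what makes that eval safe for values containing spaces or shell metacharacters.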