On 01/08/2016 07:19 PM, Marc Haber wrote:
> On Fri, 8 Jan 2016 18:51:20 +0100, Christian Seiler
> <christ...@iwakd.de> wrote:
>> (Warning: not thoroughly tested, code is a quick hack and awful, might
>> do unexpected things. Also not documented. Quick howto: run make, copy
>> systemd-keyscript-cryptsetup to /lib/cryptsetup/, copy keyscript-generator
>> to /lib/systemd/system-generators, do systemctl daemon-reload and hope
>> for the best. systemd-cryptsetup will still warn about 'unknown option',
>> but it should work.)
>>
>> (Interactive scripts obviously don't work, same thing as with
>> interactive init scripts, but if you need a password you can just use
>> PASS=$(systemd-ask-password "Some Message").)
>
> You're amazingly constructive. I wish I had your output. Thanks!
>
> Will this handle a keyscript that needs to unlock another crypto LV
> which is unlocked with a password?

Well, if the other volume (that's locked with a password) is NOT in
/etc/crypttab, it should probably work, but you need to use
systemd-ask-password to ask for the password. So this should
*probably* work in the keyscript (not tested at all):

    # lv1 NOT in crypttab, NOT in /etc/fstab
    systemd-ask-password --no-tty "Secret Container" \
        | cryptsetup --key-file=- open /dev/disk/by-uuid/something lv1 >&2
    mount -t something /dev/mapper/lv1 /somelocation >&2
    # extract the key somehow
    cat /somelocation/keyfile
    # (possibly)
    umount /somelocation
    cryptsetup close lv1

(But if there's just a single key file on an external device, then you
shouldn't need a keyscript at all with systemd. Could you describe your
setup in a bit more detail? Perhaps I can provide you with an option
that doesn't rely on keyscript=.)

Regards,
Christian
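
An added example, not part of the message above or of the code posted in this thread: the same keyscript idea arranged so that the inner container is closed on every path and only the key bytes reach stdout. It assumes the caller reads the key from the script's stdout; emit_key, its four arguments and the *_CMD override variables are hypothetical names.

```sh
#!/bin/sh
# Added example, not from the thread. emit_key, its four arguments and the
# *_CMD override variables are hypothetical names chosen for illustration.
# Assumption: the caller reads the key from this script's stdout, so stdout
# must carry the key bytes and nothing else; all diagnostics go to stderr.

ASK_CMD=${ASK_CMD:-systemd-ask-password}
CRYPTSETUP_CMD=${CRYPTSETUP_CMD:-cryptsetup}
MOUNT_CMD=${MOUNT_CMD:-mount}
UMOUNT_CMD=${UMOUNT_CMD:-umount}

# emit_key DEVICE MAPPER_NAME MOUNT_POINT KEYFILE_RELATIVE_PATH
emit_key() {
    ek_dev=$1; ek_name=$2; ek_mnt=$3; ek_key=$4
    ek_rc=0

    # An empty or wrong passphrase makes "open" fail, which ends the function
    # before anything was mounted or written to stdout.
    "$ASK_CMD" --no-tty "Secret Container" \
        | "$CRYPTSETUP_CMD" --key-file=- open "$ek_dev" "$ek_name" >&2 \
        || return 1

    # Read-only mount: the script only needs to read the key file.
    if "$MOUNT_CMD" -o ro "/dev/mapper/$ek_name" "$ek_mnt" >&2; then
        if [ -r "$ek_mnt/$ek_key" ]; then
            cat "$ek_mnt/$ek_key" || ek_rc=1     # the only write to stdout
        else
            echo "emit_key: $ek_key not readable in container" >&2
            ek_rc=1
        fi
        "$UMOUNT_CMD" "$ek_mnt" >&2 || ek_rc=1
    else
        ek_rc=1
    fi

    # Close the inner container on every path so the key material does not
    # stay reachable through /dev/mapper after the script ends.
    "$CRYPTSETUP_CMD" close "$ek_name" >&2 || ek_rc=1
    return "$ek_rc"
}

# Run as a script only when all four arguments are supplied.
if [ "$#" -eq 4 ]; then
    emit_key "$@"
fi
```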