After some googling I derived an ugly keyscript for /etc/crypttab to
decrypt the root disk (as per the standard whole-disk encryption Debian install).

I managed to prevent the 90s delay annoyance by hardcoding the device UUID in
the script instead of in the crypttab file.
This allows plain aptitude updates (without the need to change
/etc/crypttab at any update-initramfs) and somehow prevents systemd magic. I
hope it will also permit subsequent systemd crypto logic.
Note that I use a raw (unpartitioned) USB stick to hold the key, and in its
absence the keyscript nicely falls back to the cryptsetup askpass CLI.

It shouldn't be too difficult to extend the script for more complex
setups (e.g. deriving the correct device UUID and/or the key seek position from
the crypto mapper name).

~$ cat /etc/crypttab
<CryptName> UUID=<ROOTID> none luks,discard,keyscript=/opt/passphrase-from-usb

~$ cat /opt/passphrase-from-usb
#!/bin/sh
set -e

# Raw (unpartitioned) USB stick holding the key; hardcoded here rather than
# in /etc/crypttab so update-initramfs does not need crypttab changes.
CRYPTTAB_KEY="/dev/disk/by-id/<usb-UUID>"

# Try the USB key only on the first attempt; the marker file lives in the
# initramfs tmpfs, so a retry after a failed unlock goes straight to askpass.
if ! [ -e /root/passphrase-from-usb-done ]; then
    touch /root/passphrase-from-usb-done
    if [ -e "$CRYPTTAB_KEY" ]; then
        echo "Unlocking $CRYPTTAB_NAME..." >&2
        # Emit <KEYCOUNT> bytes starting at byte <KEYSKIP> of the stick as the key.
        dd if="$CRYPTTAB_KEY" bs=1 skip=<KEYSKIP> count=<KEYCOUNT> 2>/dev/null
        exit
    fi
fi

# No stick (or a retry): fall back to an interactive passphrase prompt.
/lib/cryptsetup/askpass "Enter passphrase: "

Thanks.
ppf
_______________________________________________
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
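The extension sketched in the post (deriving the key device and seek position from the mapper name) written out as an added example; this is not ppf's script and not Debian's cryptsetup code. It assumes cryptsetup invokes the keyscript with CRYPTTAB_NAME set (as in the post), keeps the same one-shot marker-file scheme, and assumes mktemp is available in the initramfs. The by-id path, offsets and mapper names in the table are placeholders. It also adds the check a practitioner would want: if the stick is present but the full key cannot be read, it falls back to askpass instead of feeding cryptsetup a truncated key and burning an unlock attempt.

```shell
#!/bin/sh
# Added example keyscript (not the original post's script): derive key device
# and key offset from the crypto mapper name, read the key from a raw USB
# stick, and fall back to askpass if the stick is absent or the read is short.
set -e

KEYDEV="${KEYDEV:-/dev/disk/by-id/<usb-ID>}"             # placeholder stick path
MARKER="${MARKER:-/root/passphrase-from-usb-done}"        # same one-shot marker as the post
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"

# Map a mapper name to "device skip count" (bytes). Placeholder table; a real
# deployment fills in its own offsets. Unknown names return 1.
key_source_for() {
    case "$1" in
        root_crypt) echo "$KEYDEV 10 64" ;;
        home_crypt) echo "$KEYDEV 4096 64" ;;
        *) return 1 ;;
    esac
}

# Print COUNT bytes starting at byte SKIP of DEVICE on stdout.
read_key() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Print the key for mapper name $1 only if its device exists and exactly COUNT
# bytes could be read; otherwise print nothing and return 1. The key goes
# through a temp file rather than a shell variable because variables cannot
# hold NUL bytes, which raw key material may contain.
key_from_usb() {
    src=$(key_source_for "$1") || return 1
    set -- $src
    [ -e "$1" ] || return 1
    tmp=$(mktemp)
    read_key "$1" "$2" "$3" > "$tmp"
    if [ "$(wc -c < "$tmp")" -eq "$3" ]; then
        cat "$tmp"
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Entry point when run by cryptsetup (CRYPTTAB_NAME is set by the caller).
# First attempt: try the stick. Any retry, or a missing/short key: askpass.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    if [ ! -e "$MARKER" ]; then
        touch "$MARKER"
        if key_from_usb "$CRYPTTAB_NAME"; then
            echo "Unlocked $CRYPTTAB_NAME from USB key" >&2
            exit 0
        fi
    fi
    exec "$ASKPASS" "Enter passphrase for $CRYPTTAB_NAME: "
fi
```

Installed as the keyscript for every crypttab entry, the same file serves root and home mappings, so /etc/crypttab only ever carries `keyscript=` and the table above is the single place to change when offsets or the stick move.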