From 63fe016b230b6a4eb5da59476f277bdd696bf029 Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Thu, 12 Jul 2018 08:37:33 +0200
Subject: cryptfs.bin.in: allow specification of keyslot; cryptfs.8.in: document this
---
 cryptfs.8.in | 1 +
 cryptfs.bin.in | 20 +++++++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/cryptfs.8.in b/cryptfs.8.in
index 37dc16f..9ffa12d 100644
--- a/cryptfs.8.in
+++ b/cryptfs.8.in
@@ -9,6 +9,7 @@ Locking and unlocking of encrypted containers is done via \fBcryptsetup\fP.
 .SH CONFIGURATION
 The configuration is read from \fB#ETCDIR#/crypttab\fP and \fB#ETCDIR#/fstab\fP.
 To not interfere with systemd, if line prefixes match \fB#CONF_PREFIXES#\fP, the prefix will be removed.
+Additional to the usual syntax, a keyfile specification in \fB#ETCDIR#/crypttab\fP may be prepended by \fI[key-slot]\fP to limit the used keyslot.
 .SH FILES
 .TP
 .B "#BINDIR#/cryptfs"
diff --git a/cryptfs.bin.in b/cryptfs.bin.in
index 435058f..f00417b 100644
--- a/cryptfs.bin.in
+++ b/cryptfs.bin.in
@@ -225,10 +225,17 @@ do_crypt_close() {
 }
 do_crypt_open() {
+ local key
 local max_tries
- if ! is_unlocked "$1"; then
+ local name
+ local raw
+ name="$1"
+ raw="$2"
+ key="$3"
+ shift 3
+ if ! is_unlocked "${name}"; then
 max_tries=10
- while ! cryptsetup luksOpen "$2" "$1" --key-file="$3"; do
+ while ! cryptsetup luksOpen "${raw}" "${name}" --key-file="${key}" "$@"; do
 sleep 1
 max_tries=$((max_tries-1))
 if [ ${max_tries} -le 0 ]; then
@@ -242,6 +249,13 @@ printf '%s\n' "${crypttab}" | \
 grep -vxF '' | \
 while read -r name raw key; do
 key="${key%% *}"
+ if [ "${key#\[*]}" != "${key}" ]; then
+ key_slot_option="${key%%]*}"
+ key_slot_option='--key-slot='"${key_slot_option#\[}"''
+ key="${key#\[*]}"
+ else
+ unset key_slot_option
+ fi
 key_mount=$(mountpoint_to_file "${key}")
 mount_order=$(mountorder_to_device "#MAPDIR#/${name}")
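Review bot: The retry loop in do_crypt_open now forwards `"$@"` to cryptsetup, so a wrong `--key-slot` taken from crypttab reaches cryptsetup on every iteration, yet the `while ! cryptsetup luksOpen …` condition still treats that deterministic failure like a transient one and sleeps and retries up to ten times. cryptsetup(8) documents exit status 1 for wrong parameters and 2 for a key that does not open the device (with a slot given, that slot), and neither is worth retrying. I would write the loop as `until cryptsetup luksOpen "${raw}" "${name}" --key-file="${key}" "$@"; do` followed by `rc=$?; case ${rc} in 1|2) return ${rc} ;; esac` before the `sleep 1`, which also hands the caller a meaningful status; `shift 3` is likewise unguarded, so a call with fewer than three arguments fails inside the function rather than where it is made. The body of do_crypt_open continues past the end of the hunk.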
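Review bot: The slot taken from the `[...]` prefix is used unchecked, so `[]keyfile` or `[x]keyfile` in crypttab silently becomes `--key-slot=` or `--key-slot=x` and only surfaces later as a cryptsetup failure inside do_crypt_open's retry loop, with no message naming the bad entry. A decimal check at the point of parsing, with the mapping name in the diagnostic, is cheap; the loop body continues outside the hunk, so whether `continue` is the right way to skip the entry (it would also skip the close path) or a warning that falls through is preferable depends on the rest of the loop. The parsing itself is fine for the documented form: `${key%%]*}` stops at the first `]`, so a `]` later in the keyfile path is preserved.
```shell
		key_slot="${key%%]*}"
		key_slot="${key_slot#\[}"
		# only a decimal slot number may reach cryptsetup as --key-slot
		case "${key_slot}" in
			''|*[!0-9]*)
				printf 'cryptfs: invalid key slot "%s" for %s\n' "${key_slot}" "${name}" >&2
				continue
				;;
		esac
		key_slot_option="--key-slot=${key_slot}"
		# … unchanged: key="${key#\[*]}" and the else branch …
```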
@@ -250,7 +264,7 @@ printf '%s\n' "${crypttab}" | \
 do_crypt_close "${name}"
 else
 do_mount "${key_mount}"
- do_crypt_open "${name}" "${raw}" "${key}"
+ do_crypt_open "${name}" "${raw}" "${key}" ${key_slot_option}
 do_unmount -l "${key_mount}"
 do_mount "${mount_order}"
 fi
-- 
cgit v1.2.3
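Review bot: `${key_slot_option}` is expanded unquoted on the do_crypt_open line so that an unset variable vanishes, but that also exposes the value to word splitting and pathname expansion (a `[*]` prefix yields `--key-slot=*`), and it aborts with "unbound variable" should the script run under `set -u`, which this hunk does not show either way. `${key_slot_option:+"${key_slot_option}"}` keeps the one-argument-or-nothing behaviour while quoting the value and tolerating the unset case. Because `read -r name raw key` splits on whitespace, the value cannot contain spaces in practice, so this is a robustness and idiom point rather than a reachable bug.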