From 63fe016b230b6a4eb5da59476f277bdd696bf029 Mon Sep 17 00:00:00 2001 From: Erich Eckner Date: Thu, 12 Jul 2018 08:37:33 +0200 Subject: cryptfs.bin.in: allow specification of keyslot; cryptfs.8.in: document this --- cryptfs.8.in | 1 + cryptfs.bin.in | 20 +++++++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/cryptfs.8.in b/cryptfs.8.in index 37dc16f..9ffa12d 100644 --- a/cryptfs.8.in +++ b/cryptfs.8.in @@ -9,6 +9,7 @@ Locking and unlocking of encrypted containers is done via \fBcryptsetup\fP. .SH CONFIGURATION The configuration is read from \fB#ETCDIR#/crypttab\fP and \fB#ETCDIR#/fstab\fP. To not interfere with systemd, if line prefixes match \fB#CONF_PREFIXES#\fP, the prefix will be removed. +Additional to the usual syntax, a keyfile specification in \fB#ETCDIR#/crypttab\fP may be prepended by \fI[key-slot]\fP to limit the used keyslot. .SH FILES .TP .B "#BINDIR#/cryptfs" diff --git a/cryptfs.bin.in b/cryptfs.bin.in index 435058f..f00417b 100644 --- a/cryptfs.bin.in +++ b/cryptfs.bin.in @@ -225,10 +225,17 @@ do_crypt_close() { } do_crypt_open() { + local key local max_tries - if ! is_unlocked "$1"; then + local name + local raw + name="$1" + raw="$2" + key="$3" + shift 3 + if ! is_unlocked "${name}"; then max_tries=10 - while ! cryptsetup luksOpen "$2" "$1" --key-file="$3"; do + while ! cryptsetup luksOpen "${raw}" "${name}" --key-file="${key}" "$@"; do sleep 1 max_tries=$((max_tries-1)) if [ ${max_tries} -le 0 ]; then @@ -242,6 +249,13 @@ printf '%s\n' "${crypttab}" | \ grep -vxF '' | \ while read -r name raw key; do key="${key%% *}" + if [ "${key#\[*]}" != "${key}" ]; then + key_slot_option="${key%%]*}" + key_slot_option='--key-slot='"${key_slot_option#\[}"'' + key="${key#\[*]}" + else + unset key_slot_option + fi key_mount=$(mountpoint_to_file "${key}") mount_order=$(mountorder_to_device "#MAPDIR#/${name}") @@ -250,7 +264,7 @@ printf '%s\n' "${crypttab}" | \ do_crypt_close "${name}" else do_mount "${key_mount}" - do_crypt_open "${name}" "${raw}" "${key}" + do_crypt_open "${name}" "${raw}" "${key}" ${key_slot_option} do_unmount -l "${key_mount}" do_mount "${mount_order}" fi -- cgit v1.2.3-70-g09d2