Skip to content
This repository has been archived by the owner on May 31, 2023. It is now read-only.

Add support for using a whole device as a keyfile #8

Merged
merged 1 commit into from
Aug 30, 2016

Conversation

giddie
Copy link
Contributor

@giddie giddie commented Jul 19, 2016

OK, this is what I have to solve #7. It fixes the situation where a device is passed as a parameter to --keyfile instead of the path to a file. For instance:

cryptomount (hd1,gpt2) -k (crypto0)

This can be used to offer two-factor authentication by first unlocking a LUKS container using a passphrase, then using the content of the unlocked container as a keyfile for the boot partition.

The --keyfile-offset and --keyfile-size parameters work with this option in the same way as for a regular keyfile.

One thing I've noticed: I seem unable to get the correct size of the key-device when it's a crypto device. I think this may be a bug in the luks module, but I haven't been able to track it down. The device size is correctly detected for a physical disk (e.g hd1,gpt2), but I get 2057 instead of 1 returned by grub_disk_get_size (keydisk) when using crypt0 as a key device. I can work around this easily in practice by providing the keyfile size as a parameter, but it's still unfortunate. I've spent quite some time trying to figure out what I might be missing with the size calculation, but for now I'm stumped. Incidentally, the size is returned correctly when using an older version of luks.module, but then the keyfile unlocking doesn't work :D

@giddie
Copy link
Contributor Author

giddie commented Aug 9, 2016

@johnlane bump?

@johnlane
Copy link
Owner

@giddie sorry I have been away. I will take a look...

@johnlane johnlane merged commit dbc9233 into johnlane:master Aug 30, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants