This repository has been archived by the owner on May 31, 2023. It is now read-only.
Add support for using a whole device as a keyfile #8
OK, this is what I have to solve #7. It fixes the situation where a device is passed as a parameter to --keyfile instead of the path to a file. For instance:
This can be used to offer two-factor authentication by first unlocking a LUKS container using a passphrase, then using the content of the unlocked container as a keyfile for the boot partition.
The --keyfile-offset and --keyfile-size parameters work with this option in the same way as for a regular keyfile.
One thing I've noticed: I seem unable to get the correct size of the key-device when it's a crypto device. I think this may be a bug in the luks module, but I haven't been able to track it down. The device size is correctly detected for a physical disk (e.g. hd1,gpt2), but I get 2057 instead of 1 returned by grub_disk_get_size (keydisk) when using crypt0 as a key device. I can work around this easily in practice by providing the keyfile size as a parameter, but it's still unfortunate. I've spent quite some time trying to figure out what I might be missing with the size calculation, but for now I'm stumped. Incidentally, the size is returned correctly when using an older version of luks.module, but then the keyfile unlocking doesn't work :D