[projects/geninitrd] luks: look for key in /etc/cryptsetup-keys.d
atler
atler at pld-linux.org
Wed Sep 28 18:47:33 CEST 2022
commit a043f983b27fe3f8e697a1405462ce411ab28da8
Author: Jan Palus <atler at pld-linux.org>
Date: Wed Sep 28 17:46:24 2022 +0200
luks: look for key in /etc/cryptsetup-keys.d
If the key is empty, "none" or "-", crypttab(5) instructs to look for the key
in "/etc/cryptsetup-keys.d/<LUKSNAME>.key". Don't fail if it's missing
though:
If the field is not present or is "none" or "-", a key file named after
the volume to unlock (i.e. the first column of the line), suffixed with
.key is automatically loaded from the /etc/cryptsetup-keys.d/ and
/run/cryptsetup-keys.d/ directories, if present.
mod-luks.sh | 33 +++++++++++++++++++--------------
1 file changed, 19 insertions(+), 14 deletions(-)
---
diff --git a/mod-luks.sh b/mod-luks.sh
index b6edde8..94b6499 100644
--- a/mod-luks.sh
+++ b/mod-luks.sh
@@ -117,26 +117,31 @@ luks_crypttab() {
local LUKSNAME="$1"
# copy from /etc/rc.d/init.d/cryptsetup
- local dst src key opt mode owner
+ local dst src key opt mode owner failsafe
while read dst src key opt; do
[ "$dst" != "$LUKSNAME" ] && continue
- if [ -n "$key" ] && ( [ "x$key" != "xnone" ] || [ "x$key" != "x-" ] ); then
- if test -e "$key" ; then
- mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
- owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
- if [ "$mode" != "------" ] && ! key_is_random "$key"; then
- die "INSECURE MODE FOR $key"
- fi
- if [ "$owner" != root ]; then
- die "INSECURE OWNER FOR $key"
- fi
- else
- die "Key file for $dst not found"
+ failsafe=""
+
+ if [ -z "$key" ] || [ "x$key" = "xnone" ] || [ "x$key" = "x-" ]; then
+ failsafe=1
+ key="/etc/cryptsetup-keys.d/$LUKSNAME.key"
+ fi
+
+ if test -e "$key" ; then
+ mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
+ owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
+ if [ "$mode" != "------" ] && ! key_is_random "$key"; then
+ die "INSECURE MODE FOR $key"
fi
- else
+ if [ "$owner" != root ]; then
+ die "INSECURE OWNER FOR $key"
+ fi
+ elif [ -n "$failsafe" ]; then
key=""
+ else
+ die "Key file for $dst not found"
fi
src=$(find_devname "$src")
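Review bot: The owner check on the new side still expands `$key` unquoted (`ls -l $key`) while the mode check one line above quotes it; for the new fallback path the value is a fixed string, but for a crypttab-supplied key containing whitespace or glob characters the word-split `ls` would report the owner of a different file (or none), so the INSECURE OWNER guard would misfire. Quote it as on the preceding line: `owner=$(LC_ALL=C ls -l "$key" | awk '{ print $3 }')`. The fallback only consults /etc/cryptsetup-keys.d/ although the crypttab(5) text quoted in the commit message also names /run/cryptsetup-keys.d/; if that is deliberate because the initrd is assembled from the host's /etc, a comment such as `# /run/cryptsetup-keys.d is not consulted: the initrd is built from /etc only` above the assignment would record it. Note also that `test -e` follows symlinks while `ls -l` reports the link's own mode and owner, so a symlinked key in /etc/cryptsetup-keys.d would presumably trip the mode check. luks_crypttab starts before this hunk and continues past it.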
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/projects/geninitrd.git/commitdiff/ddf87c79b74022a30cec286191d31d186be184cf