On Sun, October 1, 2006 18:29, Stephan Seitz said:
> I used the script /usr/share/doc/cryptsetup/examples/gen-ssl-key to
> generate an encrypted key, decrypted it and added it with luksAddKey.
> Then I changed /etc/crypttab to the path of the SSL-encrypted key and added
> the keyword ssl. But /etc/init.d/cryptdisks couldn't activate the
> partition.

It should hopefully be able to do so if you use the option
keyscript=/lib/cryptsetup/scripts/decrypt_ssl instead of just "ssl", more
explanation below.

> 1. The function decrypt_ssl is available in
> /lib/cryptsetup/cryptdisks.functions as well as in
> /lib/cryptsetup/scripts/decrypt_ssl. It seems the first is used.
> Both functions are different.
>
> 2. The function in /lib/cryptsetup/cryptdisks.functions begins like the
> other one, but then asks for a second passphrase to decrypt the
> previously decrypted key. This contradicts gen-ssl-key, which only
> uses one passphrase. I've changed the function to only ask for one
> passphrase like in /lib/cryptsetup/scripts/decrypt_ssl (see patch).

Actually the key decryption stuff is in a bit of flux. The keyscript option
is a recent addition to the /etc/crypttab file, and it is going to deprecate
both the ssl and gpg options. Now, there is a decrypt_ssl script already in
/lib/cryptsetup/scripts/, but it uses a different method compared to what the
old "ssl" option did (the old method wasn't very good, btw). I've already
committed some changes to the cryptsetup SVN repo which add a
decrypt_old_ssl script (which works like the old "ssl" option) in addition to
decrypt_ssl.

For now, I'd suggest you either: wait for the new release, help test the SVN
version (once I've had time to do some more work on it), or use the keyscript
option in /etc/crypttab instead of the "ssl" option.

> 3. Neither decrypt_ssl (nor decrypt_gpg) is protecting the passphrase
> against spaces by using quotation marks (see patch).

I'll make sure it's fixed in the /lib/cryptsetup/scripts/...

> 4. You are using "read -s" to read the passphrase from the command line
> (silent mode), but the option -s only works with bash. If /bin/sh is
> linked to dash, it doesn't work. I had to change /etc/init.d/cryptdisks
> to use /bin/bash instead of /bin/sh.

I'll take a look at it.

> 5. Now it works.
> The next step would be solving the problem how a normal
> user could use cryptsetup to activate an encrypted partition or an
> encrypted removable device.

I think Gnome already has support for mounting LUKS-encrypted removable
storage (e.g. USB keys). The gnome-volume-manager changelog suggests it's
been available since the beginning of this year.

-- 
David Härdeman
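Points 3 and 4 of the thread (unquoted passphrases, and `read -s` not existing in dash) are both fixable in plain POSIX sh. The following is an added example, not the decrypt_ssl script from the Debian cryptsetup package nor anything from the SVN changes mentioned above. It assumes the keyscript contract that the third crypttab field (the encrypted key file) arrives as `$1` and that the decrypted key is written to stdout, and it assumes the key file was produced with `openssl enc -aes-256-cbc`; the script name decrypt_portable_ssl and the crypttab line in the comment are hypothetical. The passphrase is read with `stty -echo` instead of `read -s`, kept in a quoted variable so embedded spaces survive, and handed to openssl on stdin rather than on the command line (where `ps` could read it).

```shell
#!/bin/sh
# Added example (not the cryptsetup package's own decrypt_ssl): a crypttab
# keyscript skeleton that works under dash and handles passphrases safely.
#
# Assumed /etc/crypttab line using this script (hypothetical name/paths):
#   cdata /dev/sdb1 /etc/keys/cdata.key.enc luks,keyscript=/lib/cryptsetup/scripts/decrypt_portable_ssl
#
# Assumed keyscript contract: $1 is the encrypted key file from crypttab,
# the decrypted key is printed to stdout and consumed by cryptsetup.

# Read one line without echo, portably. `read -s` is a bashism; `stty -echo`
# is POSIX. Echo is only switched off when stdin is a terminal, so piped
# input (as in a test) is still accepted. The line is printed verbatim,
# including leading/trailing spaces and backslashes.
read_secret() {
    prompt=$1
    if [ -t 0 ]; then
        printf '%s' "$prompt" >&2
        old=$(stty -g)
        stty -echo
        # Restore terminal echo even if the script is interrupted mid-read.
        trap 'stty "$old"' EXIT INT TERM
        IFS= read -r secret
        stty "$old"
        trap - EXIT INT TERM
        printf '\n' >&2
    else
        IFS= read -r secret
    fi
    printf '%s' "$secret"
}

# Decrypt the key file named by $1 with the passphrase supplied on stdin.
# `-pass stdin` keeps the passphrase out of argv; the cipher flags are an
# assumption and must match whatever gen-ssl-key-style step encrypted the key.
decrypt_key() {
    openssl enc -d -aes-256-cbc -salt -pass stdin -in "$1"
}

main() {
    keyfile=$1
    if [ -z "$keyfile" ] || [ ! -r "$keyfile" ]; then
        printf 'usage: %s <encrypted-keyfile>\n' "$0" >&2
        exit 1
    fi
    # Always quote "$pass": an unquoted expansion would split on spaces,
    # which is exactly the bug described in point 3 of the thread.
    pass=$(read_secret "Passphrase for $keyfile: ")
    printf '%s\n' "$pass" | decrypt_key "$keyfile"
}

# Only run as a keyscript when installed under the expected name, so the
# functions can be sourced or tested without touching the terminal.
case "$(basename -- "$0")" in
    decrypt_portable_ssl) main "$@" ;;
esac
```

Install it executable under /lib/cryptsetup/scripts/ and reference it with `keyscript=` in /etc/crypttab; because the interpreter is /bin/sh and nothing bash-specific is used, it runs unchanged whether /bin/sh is bash or dash, and /etc/init.d/cryptdisks does not need to be switched to bash.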