From fdc28f072ae269ab9c3f876ed452c6c3d5a769aa Mon Sep 17 00:00:00 2001
From: lemmarathon
Date: Mon, 30 Apr 2018 20:51:50 -0400
Subject: Add support for keyfiles
The "cryptkey" boot parameter enables keyfile decryption. By default, init will look for a keyfile named "/crypto_keyfile.bin". Another file may be specified like so: "cryptkey=/path/to/keyfile.bin". If keyfile decryption fails, init will fall back to passphrase mode.
---
nlplug-findfs.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
(limited to 'nlplug-findfs.c')
diff --git a/nlplug-findfs.c b/nlplug-findfs.c
index 6614991..e037a93 100644
--- a/nlplug-findfs.c
+++ b/nlplug-findfs.c
@@ -309,6 +309,7 @@ static int spawn_active(struct spawn_manager *mgr)
 struct cryptdev {
 char *device;
 char *name;
+ char *key;
 char devnode[256];
 };
 
@@ -594,6 +595,18 @@ static void *cryptsetup_thread(void *data)
 goto free_out;
 }
 
+ struct stat st;
+ if (!stat(c->crypt.data.key, &st)) {
+ pthread_mutex_lock(&c->crypt.mutex);
+ r = crypt_activate_by_keyfile(cd, c->crypt.data.name,
+ CRYPT_ANY_SLOT,
+ c->crypt.data.key, st.st_size,
+ c->crypt.flags);
+ pthread_mutex_unlock(&c->crypt.mutex);
+ if (r >= 0)
+ goto free_out;
+ }
+
 while (passwd_tries > 0) {
 char pass[1024];
 
@@ -1173,6 +1186,7 @@ static void usage(int rc)
 " -c CRYPTDEVICE run cryptsetup luksOpen when CRYPTDEVICE is found\n"
 " -h show this help\n"
 " -H HEADERDEVICE use HEADERDEVICE as the LUKS header\n"
+ " -k CRYPTKEY path to keyfile\n"
 " -m CRYPTNAME use CRYPTNAME name for crypto device mapping\n"
 " -o OFFSET cryptsetup payload offset\n"
 " -D allow discards on crypto device\n"
@@ -1238,6 +1252,9 @@ int main(int argc, char *argv[])
 case 'h':
 usage(0);
 break;
+ case 'k':
+ conf.crypt.data.key = EARGF(usage(1));
+ break;
 case 'm':
 conf.crypt.data.name = EARGF(usage(1));
 break;
--
cgit v1.2.3
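Review bot: `stat(c->crypt.data.key, &st)` in the cryptsetup_thread hunk runs unconditionally, but `key` is only ever assigned by the new `-k` case in main, so when that option is absent and `conf` is zero-initialized the call is made with a NULL path (the default keyfile named in the commit message is not set anywhere in this patch, unless the caller always passes `-k`). Guard the new branch with `if (c->crypt.data.key && !stat(c->crypt.data.key, &st)) {`. A failed keyfile activation (`r < 0`) also drops silently into the passphrase loop; reporting the result through the file's usual diagnostic helper would let an operator tell a missing keyfile from a rejected one, and since `st.st_size` (off_t) is handed to a size_t parameter, checking `S_ISREG(st.st_mode)` before using the size would keep device nodes and FIFOs out of this path. cryptsetup_thread and the declaration of `r` begin and end outside the hunk.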
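Review bot: The new `-k` help line in usage() says only `path to keyfile`, so the fallback behaviour the commit message describes is not visible to someone reading the binary's own help. Suggest `" -k CRYPTKEY unlock CRYPTDEVICE with keyfile CRYPTKEY; fall back to a passphrase if it is missing or rejected\n"`, which matches what the cryptsetup_thread change does. usage() starts and ends outside the hunk.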