-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | PKGBUILD | 4 | ||||
-rw-r--r-- | encrypt_remote_luks_header.hook | 8 | ||||
-rw-r--r-- | encrypt_remote_luks_header.install | 9 |
4 files changed, 17 insertions, 8 deletions
@@ -6,7 +6,7 @@ pkgbase = initcpio-encrypt-remote-luks-header license = GPL source = encrypt_remote_luks_header.hook source = encrypt_remote_luks_header.install - sha256sums = 4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff - sha256sums = cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae + sha256sums = 09754d96063c5161a8dc092ae8106ba91bdd9186e1d06ec0d0500bea3fd1c2cc + sha256sums = 8e4fc0daabfc2726b1bc613727d01cc25bb9864e72b6395cbe5a8d41b22717ef pkgname = initcpio-encrypt-remote-luks-header @@ -10,8 +10,8 @@ source=( encrypt_remote_luks_header.hook encrypt_remote_luks_header.install ) -sha256sums=('4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff' - 'cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae') +sha256sums=('09754d96063c5161a8dc092ae8106ba91bdd9186e1d06ec0d0500bea3fd1c2cc' + '8e4fc0daabfc2726b1bc613727d01cc25bb9864e72b6395cbe5a8d41b22717ef') package() { install -D -m 644 "${srcdir}"/encrypt_remote_luks_header.hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt_remote_luks_header diff --git a/encrypt_remote_luks_header.hook b/encrypt_remote_luks_header.hook index 819c4cf60fe0..77fc56200d18 100644 --- a/encrypt_remote_luks_header.hook +++ b/encrypt_remote_luks_header.hook @@ -49,11 +49,17 @@ EOF echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." } + local headerFlag=false for cryptopt in ${cryptoptions//,/ }; do case ${cryptopt} in allow-discards) cryptargs="${cryptargs} --allow-discards" ;; + header=*) + cryptargs="${cryptargs} --header ${cryptopt#header=}" + headerFlag=true + echo "Using detached header ${cryptopt#header=}" + ;; *) echo "Encryption option '${cryptopt}' not known, ignoring." >&2 ;; 
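Review bot: In the new `header=*)` branch of encrypt_remote_luks_header.hook, the path taken from the kernel command line is appended to `cryptargs` unquoted and without any check. An empty `header=` leaves a bare `--header` that would consume the next argument once `cryptargs` is expanded for cryptsetup; that expansion is outside this hunk, so this is inferred. A missing file is only reported later, by cryptsetup itself. I would check the value before accepting it, e.g. `hdr="${cryptopt#header=}"` followed by `[ -r "${hdr}" ] || { echo "Detached header '${hdr}' not readable, ignoring." >&2; continue; }`, and only then set `headerFlag=true`. Because options are split on commas and the result is word-split, a header path containing a comma or whitespace cannot be expressed, which is worth a comment above the branch: `# header path must not contain commas or whitespace`.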
@@ -61,7 +67,7 @@ EOF done if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then - if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then + if $headerFlag || cryptsetup isLuks ${resolved} >/dev/null 2>&1; then [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated dopassphrase=1 # If keyfile exists, try to use that diff --git a/encrypt_remote_luks_header.install b/encrypt_remote_luks_header.install index 38e5ddc57b11..f00ef5ad4cdd 100644 --- a/encrypt_remote_luks_header.install +++ b/encrypt_remote_luks_header.install @@ -25,9 +25,12 @@ build() { help() { cat <<HELPEOF This hook allows for an encrypted root device. Users should specify the device -to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, -where 'device' is the path to the raw device, and 'dmname' is the name given to -the device after unlocking, and will be available as /dev/mapper/dmname. +to be unlocked using 'cryptdevice=device:dmname:header=<path>' on the kernel +command line, where 'device' is the path to the raw device, and 'dmname' is the +name given to the device after unlocking, and will be available as +/dev/mapper/dmname. The 'header' option is optional; if present, the +<path> (in the initramfs) will be used as a detached LUKS header for the +cryptdevice. For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on the kernel cmdline, where 'device' represents the raw block device where the key |
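Review bot: In the second encrypt_remote_luks_header.hook hunk, putting `$headerFlag ||` in front of `cryptsetup isLuks ${resolved}` skips the LUKS check whenever a `header=` option was given, so neither the device nor the header file is validated before the passphrase/keyfile path runs. The guard can be kept by validating the header instead of the device: store the path rather than a boolean and test `[ -n "${headerPath}" ] && cryptsetup isLuks "${headerPath}" >/dev/null 2>&1`, falling back to the existing `cryptsetup isLuks ${resolved}` test when no header was given. That also stops the script from running a variable's value as a command. The enclosing function starts and ends outside the hunk, so how the non-LUKS branch behaves with a detached header could not be checked here.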