-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD4
-rw-r--r--encrypt_remote_luks_header.hook8
-rw-r--r--encrypt_remote_luks_header.install9
4 files changed, 17 insertions, 8 deletions
diff --git a/.SRCINFO b/.SRCINFO
index cf25b951641b..073fd7f30487 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -6,7 +6,7 @@ pkgbase = initcpio-encrypt-remote-luks-header
license = GPL
source = encrypt_remote_luks_header.hook
source = encrypt_remote_luks_header.install
- sha256sums = 4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff
- sha256sums = cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae
+ sha256sums = 09754d96063c5161a8dc092ae8106ba91bdd9186e1d06ec0d0500bea3fd1c2cc
+ sha256sums = 8e4fc0daabfc2726b1bc613727d01cc25bb9864e72b6395cbe5a8d41b22717ef
pkgname = initcpio-encrypt-remote-luks-header
diff --git a/PKGBUILD b/PKGBUILD
index 0b3c51b896ef..415725f6dec5 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -10,8 +10,8 @@ source=(
encrypt_remote_luks_header.hook
encrypt_remote_luks_header.install
)
-sha256sums=('4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff'
- 'cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae')
+sha256sums=('09754d96063c5161a8dc092ae8106ba91bdd9186e1d06ec0d0500bea3fd1c2cc'
+ '8e4fc0daabfc2726b1bc613727d01cc25bb9864e72b6395cbe5a8d41b22717ef')
package() {
install -D -m 644 "${srcdir}"/encrypt_remote_luks_header.hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt_remote_luks_header
diff --git a/encrypt_remote_luks_header.hook b/encrypt_remote_luks_header.hook
index 819c4cf60fe0..77fc56200d18 100644
--- a/encrypt_remote_luks_header.hook
+++ b/encrypt_remote_luks_header.hook
@@ -49,11 +49,17 @@ EOF
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
}
+ local headerFlag=false
for cryptopt in ${cryptoptions//,/ }; do
case ${cryptopt} in
allow-discards)
cryptargs="${cryptargs} --allow-discards"
;;
+ header=*)
+ cryptargs="${cryptargs} --header ${cryptopt#header=}"
+ headerFlag=true
+ echo "Using detached header ${cryptopt#header=}"
+ ;;
*)
echo "Encryption option '${cryptopt}' not known, ignoring." >&2
;;
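Review bot: The `header=*)` arm appends `${cryptopt#header=}` to `cryptargs` without checking it, so a bare `header=` on the kernel command line leaves a `--header` with no value. When `cryptargs` is later expanded (outside this hunk, presumably unquoted), that flag would take the next argument as its path. The arm also sets `headerFlag=true` in that case, which switches off the LUKS probe further down. Reject the empty value before touching either variable, e.g. `[ -n "${cryptopt#header=}" ] || { echo "Empty 'header=' option, ignoring." >&2; continue; }` as the first line of the arm. The loop and its enclosing function start and end outside the hunk.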
@@ -61,7 +67,7 @@ EOF
done
if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
- if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+ if $headerFlag || cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
dopassphrase=1
# If keyfile exists, try to use that
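Review bot: With `header=` set, `$headerFlag ||` skips the `isLuks` probe entirely, so a missing, truncated or non-LUKS header file in the initramfs is only noticed when the open further down fails (that code is outside this hunk). The probe can be kept by pointing it at the detached header instead of dropping it. Store the path in a variable in the `header=*)` arm and use `if cryptsetup isLuks ${cryptheader:+--header "${cryptheader}"} ${resolved} >/dev/null 2>&1; then`. That also avoids executing the contents of a variable as a command, and still separates "LUKS with detached header" from the non-LUKS branch.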
diff --git a/encrypt_remote_luks_header.install b/encrypt_remote_luks_header.install
index 38e5ddc57b11..f00ef5ad4cdd 100644
--- a/encrypt_remote_luks_header.install
+++ b/encrypt_remote_luks_header.install
@@ -25,9 +25,12 @@ build() {
help() {
cat <<HELPEOF
This hook allows for an encrypted root device. Users should specify the device
-to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
-where 'device' is the path to the raw device, and 'dmname' is the name given to
-the device after unlocking, and will be available as /dev/mapper/dmname.
+to be unlocked using 'cryptdevice=device:dmname:header=<path>' on the kernel
+command line, where 'device' is the path to the raw device, and 'dmname' is the
+name given to the device after unlocking, and will be available as
+/dev/mapper/dmname. The 'header' option is optional; if present, the
+<path> (in the initramfs) will be used as a detached LUKS header for the
+cryptdevice.
For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
the kernel cmdline, where 'device' represents the raw block device where the key