One can already open a crypted / at startup using cryptroot= and cryptdm= options in the kernel
command line, thanks to mkinitfs's init script.
This patch enables opening OTHER crypted volumes at startup, and also using a crypted swap.
---
main/cryptsetup/APKBUILD | 19 ++-main/cryptsetup/dmcrypt.confd | 100 ++++++++++++main/cryptsetup/dmcrypt.initd | 351 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 466 insertions(+), 4 deletions(-)
create mode 100644 main/cryptsetup/dmcrypt.confd
create mode 100644 main/cryptsetup/dmcrypt.initd
diff --git a/main/cryptsetup/APKBUILD b/main/cryptsetup/APKBUILD
index 96ddee1..5026770 100644
--- a/main/cryptsetup/APKBUILD+++ b/main/cryptsetup/APKBUILD
@@ -9,7 +9,10 @@ license="GPL"
depends=
makedepends="lvm2-dev openssl-dev popt-dev util-linux-dev !libiconv-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
-source="http://$pkgname.googlecode.com/files/$pkgname-$pkgver.tar.bz2"+source="http://$pkgname.googlecode.com/files/$pkgname-$pkgver.tar.bz2+ dmcrypt.initd+ dmcrypt.confd+ "build() {
cd "$srcdir"/$pkgname-$pkgver
@@ -26,6 +29,8 @@ package() {
cd "$srcdir"/$pkgname-$pkgver
make DESTDIR=$pkgdir install || return 1
rm "$pkgdir"/lib/*.la
+ install -Dm755 "$srcdir"/dmcrypt.initd "$pkgdir"/etc/init.d/dmcrypt+ install -Dm644 "$srcdir"/dmcrypt.confd "$pkgdir"/etc/conf.d/dmcrypt}
libs() {
@@ -34,6 +39,12 @@ libs() {
mv "$pkgdir"/lib "$subpkgdir"/
}
-md5sums="f374d11e3b0e7ca0f805756fd02e34ff cryptsetup-1.6.1.tar.bz2"-sha256sums="baf36e663c03eb6440482d91c486d61ed47ce5c9268ad04c18ca09082755149c cryptsetup-1.6.1.tar.bz2"-sha512sums="6d85720a33e05f2687f0ac9dd6730d025a14389091c06c047983b4875edc55db1b5c4878f7dee1720be192fa1ab06df2c7d0a0edfea0fb5bd787ee73a33302ca cryptsetup-1.6.1.tar.bz2"+md5sums="f374d11e3b0e7ca0f805756fd02e34ff cryptsetup-1.6.1.tar.bz2+00e86ec09734b4175815d2c62403e11c dmcrypt.initd+ebd6cb30eb012f685329ffd4f3ff3fdb dmcrypt.confd"+sha256sums="baf36e663c03eb6440482d91c486d61ed47ce5c9268ad04c18ca09082755149c cryptsetup-1.6.1.tar.bz2+2d9a7ce340fa4655b7c721998552e2bdfdec8d0f529b51f6e61e3f545c679782 dmcrypt.initd+02ed489b1a339e41a8721a07546bb9a33e13c61337666a6b3c3318f8e0dbd16f dmcrypt.confd"+sha512sums="6d85720a33e05f2687f0ac9dd6730d025a14389091c06c047983b4875edc55db1b5c4878f7dee1720be192fa1ab06df2c7d0a0edfea0fb5bd787ee73a33302ca cryptsetup-1.6.1.tar.bz2+6ad41cd8e0f538bafbf341613a58e5509c2b6c8bbfa9fb40f85952af6a872a5809b451278cf6ae6c635b426611a09ff840070bcea462fd4656ce3bce4e85c021 dmcrypt.initd+16f16feccda8173892953f945b1cf16ae42d121fee591f0cc786f89e7eaf6dac30b2cf7ff6687a183c7865d556d7c7478ea0335f64da9fc4d772b9b946561213 dmcrypt.confd"
diff --git a/main/cryptsetup/dmcrypt.confd b/main/cryptsetup/dmcrypt.confd
new file mode 100644
index 0000000..86a745a
--- /dev/null+++ b/main/cryptsetup/dmcrypt.confd
@@ -0,0 +1,100 @@
+# /etc/conf.d/dmcrypt+# Based on https://raw.github.com/udeved/pkgbuilds/master/scripts/openrc-plugins/cryptsetup/conf.d/1.0.6-dmcrypt.confd++# For people who run dmcrypt on top of some other layer (like raid),+# use rc_need to specify that requirement. See the runscript(8) man+# page for more information.++#--------------------+# Instructions+#--------------------++# Note regarding the syntax of this file. This file is *almost* sh,+# but each line is evaluated separately. Separate swaps/targets can be+# specified. The init-script which reads this file assumes that a+# swap= or target= line starts a new section, similar to lilo or grub+# configuration.++# Note when using gpg keys and /usr on a separate partition, you will+# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly+# and ensure that gpg has been compiled statically.+# See http://bugs.gentoo.org/90482 for more information.++# Note that the init-script which reads this file detects whether your+# partition is LUKS or not. No mkfs is run unless you specify a makefs+# option.++# Global options:+#----------------++# Max number of checks to perform (1 per second)+#dmcrypt_max_timeout=120++# Arguments:+#-----------+# target=<name> == Mapping name for partition.+# swap=<name> == Mapping name for swap partition.+# source='<dev>' == Real device for partition.+# key='</path/to/keyfile>[:<mode>]' == Fullpath from / or from inside removable media.+# remdev='<dev>' == Device that will be assigned to removable media.+# gpg_options='<opts>' == Default are --quiet --decrypt+# options='<opts>' == cryptsetup, for LUKS you can only use --readonly+# loop_file='<file>' == Loopback file.+# pre_mount='cmds' == commands to execute before mounting partition.+# post_mount='cmds' == commands to execute after mounting partition.+#-----------+# Supported Modes+# gpg == decrypt and pipe key into cryptsetup.+# Note: new-line character must not be part of key.+# Command to erase \n char: 'cat key | tr -d '\n' > cleanKey'++#--------------------+# dm-crypt examples+#--------------------++## swap+# Swap partitions. These should come first so that no keys make their+# way into unencrypted swap.+# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom+# If no makefs is given then mkswap will be assumed+#swap=crypt-swap+#source='/dev/hda2'++## /home with passphrase+#target=crypt-home+#source='/dev/hda5'++## /home with regular keyfile+#target=crypt-home+#source='/dev/hda5'+#key='/full/path/to/homekey'++## /home with gpg protected key+#target=crypt-home+#source='/dev/hda5'+#key='/full/path/to/homekey:gpg'++## /home with regular keyfile on removable media(such as usb-stick)+#target=crypt-home+#source='/dev/hda5'+#key='/full/path/to/homekey'+#remdev='/dev/sda1'++##/home with gpg protected key on removable media(such as usb-stick)+#target=crypt-home+#source='/dev/hda5'+#key='/full/path/to/homekey:gpg'+#remdev='/dev/sda1'++##/tmp with regular keyfile+#target=crypt-tmp+#source='/dev/hda6'+#key='/full/path/to/tmpkey'+#pre_mount='/sbin/mkreiserfs -f -f ${dev}'+#post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'++## Loopback file example+#mount='crypt-loop-home'+#source='/dev/loop0'+#loop_file='/mnt/crypt/home'+
diff --git a/main/cryptsetup/dmcrypt.initd b/main/cryptsetup/dmcrypt.initd
new file mode 100644
index 0000000..3ed42c0
--- /dev/null+++ b/main/cryptsetup/dmcrypt.initd
@@ -0,0 +1,351 @@
+#!/sbin/runscript+# Copyright 1999-2013 Gentoo Foundation+# Distributed under the terms of the GNU General Public License v2+# Based on https://raw.github.com/udeved/pkgbuilds/master/scripts/openrc-plugins/cryptsetup/init.d/1.5.1-dmcrypt.rc++depend() {+ before checkfs fsck+}++# We support multiple dmcrypt instances based on $SVCNAME+execute_hook="dm_crypt_execute_dmcrypt"+# XXX: Should we drop this ?+# execute_hook="dm_crypt_execute_localmount"+conf_file="/etc/conf.d/${SVCNAME}"++# Get splash helpers if available.+if [ -e /sbin/splash-functions.sh ] ; then+ . /sbin/splash-functions.sh+fi++# Setup mappings for an individual target/swap+# Note: This relies on variables localized in the main body below.+dm_crypt_execute_dmcrypt() {+ local dev ret mode foo++ if [ -n "${target}" ] ; then+ # let user set options, otherwise leave empty+ : ${options:=' '}+ elif [ -n "${swap}" ] ; then+ if cryptsetup isLuks ${source} 2>/dev/null ; then+ ewarn "The swap you have defined is a LUKS partition. Aborting crypt-swap setup."+ return+ fi+ target=${swap}+ # swap contents do not need to be preserved between boots, luks not required.+ # suspend2 users should have initramfs's init handling their swap partition either way.+ : ${options:='-c aes -h sha1 -d /dev/urandom'}+ : ${pre_mount:='mkswap ${dev}'}+ else+ return+ fi+ if [ "x${source#UUID}" != "x${source}" ]; then+ source=${source#UUID=}+ source="$(blkid -U ${source})"+ fi+ if [ -z "${source}" ] && [ ! -e "${source}" ] ; then+ ewarn "source \"${source}\" for ${target} missing, skipping..."+ return+ fi++ if [ -n "${loop_file}" ] ; then+ dev="/dev/mapper/${target}"+ ebegin " Setting up loop device ${source}"+ losetup ${source} ${loop_file}+ fi++ # cryptsetup:+ # luksOpen <device> <name> # <device> is $source+ # create <name> <device> # <name> is $target+ local arg1="create" arg2="${target}" arg3="${source}" luks=0++ cryptsetup isLuks ${source} 2>/dev/null && { arg1="luksOpen"; arg2="${source}"; arg3="${target}"; luks=1; }++ # Older versions reported:+ # ${target} is active:+ # Newer versions report:+ # ${target} is active[ and is in use.]+ if cryptsetup status ${target} | egrep -q ' is active' ; then+ einfo "dm-crypt mapping ${target} is already configured"+ return+ fi+ splash svc_input_begin ${SVCNAME} >/dev/null 2>&1++ # Handle keys+ if [ -n "${key}" ] ; then+ read_abort() {+ # some colors+ local ans savetty resettty+ [ -z "${NORMAL}" ] && eval $(eval_ecolors)+ einfon " $1? (${WARN}yes${NORMAL}/${GOOD}No${NORMAL}) "+ shift+ # This is ugly as s**t. But POSIX doesn't provide `read -t`, so+ # we end up having to implement our own crap with stty/etc...+ savetty=$(stty -g)+ resettty='stty ${savetty}; trap - EXIT HUP INT TERM'+ trap 'eval "${resettty}"' EXIT HUP INT TERM+ stty -icanon+ [ "${1}" = -t ] && stty min 0 time "$(( $2 * 10 ))"+ ans=$(dd count=1 bs=1 2>/dev/null) || ans=''+ eval "${resettty}"+ if [ -z "${ans}" ] ; then+ printf '\r'+ else+ echo+ fi+ case ${ans} in+ [yY]) return 0;;+ *) return 1;;+ esac+ }++ # Notes: sed not used to avoid case where /usr partition is encrypted.+ mode=${key/*:/} && ( [ "${mode}" = "${key}" ] || [ -z "${mode}" ] ) && mode=reg+ key=${key/:*/}+ case "${mode}" in+ gpg|reg)+ # handle key on removable device+ if [ -n "${remdev}" ] ; then+ # temp directory to mount removable device+ local mntrem="${RC_SVCDIR}/dm-crypt-remdev.$$"+ if [ ! -d "${mntrem}" ] ; then+ if ! mkdir -p "${mntrem}" ; then+ ewarn "${source} will not be decrypted ..."+ einfo "Reason: Unable to create temporary mount point '${mntrem}'"+ return+ fi+ fi+ i=0+ einfo "Please insert removable device for ${target}"+ while [ ${i} -lt ${dmcrypt_max_timeout:-120} ] ; do+ foo=""+ if mount -n -o ro "${remdev}" "${mntrem}" 2>/dev/null >/dev/null ; then+ # keyfile exists?+ if [ ! -e "${mntrem}${key}" ] ; then+ umount -n "${mntrem}"+ rmdir "${mntrem}"+ einfo "Cannot find ${key} on removable media."+ read_abort "Abort" ${read_timeout:--t 1} && return+ else+ key="${mntrem}${key}"+ break+ fi+ else+ [ -e "${remdev}" ] \+ && foo="mount failed" \+ || foo="mount source not found"+ fi+ : $((i += 1))+ read_abort "Stop waiting after $i attempts (${foo})" -t 1 && return+ done+ else # keyfile ! on removable device+ if [ ! -e "${key}" ] ; then+ ewarn "${source} will not be decrypted ..."+ einfo "Reason: keyfile ${key} does not exist."+ return+ fi+ fi+ ;;+ *)+ ewarn "${source} will not be decrypted ..."+ einfo "Reason: mode ${mode} is invalid."+ return+ ;;+ esac+ else+ mode=none+ fi+ ebegin " ${target} using: ${options} ${arg1} ${arg2} ${arg3}"+ if [ "${mode}" = "gpg" ] ; then+ : ${gpg_options:='-q -d'}+ # gpg available ?+ if type -p gpg >/dev/null ; then+ for i in 0 1 2 ; do+ # paranoid, don't store key in a variable, pipe it so it stays very little in ram unprotected.+ # save stdin stdout stderr "values"+ gpg ${gpg_options} ${key} 2>/dev/null | cryptsetup ${options} ${arg1} ${arg2} ${arg3}+ ret=$?+ [ ${ret} -eq 0 ] && break+ done+ eend ${ret} "failure running cryptsetup"+ else+ ewarn "${source} will not be decrypted ..."+ einfo "Reason: cannot find gpg application."+ einfo "You have to install app-crypt/gnupg first."+ einfo "If you have /usr on its own partition, try copying gpg to /bin ."+ fi+ else+ if [ "${mode}" = "reg" ] ; then+ cryptsetup ${options} -d ${key} ${arg1} ${arg2} ${arg3}+ ret=$?+ eend ${ret} "failure running cryptsetup"+ else+ cryptsetup ${options} ${arg1} ${arg2} ${arg3}+ ret=$?+ eend ${ret} "failure running cryptsetup"+ fi+ fi+ if [ -d "${mntrem}" ] ; then+ umount -n ${mntrem} 2>/dev/null >/dev/null+ rmdir ${mntrem} 2>/dev/null >/dev/null+ fi+ splash svc_input_end ${SVCNAME} >/dev/null 2>&1++ if [ ${ret} -ne 0 ] ; then+ cryptfs_status=1+ else+ if [ -n "${pre_mount}" ] ; then+ dev="/dev/mapper/${target}"+ ebegin " pre_mount: ${pre_mount}"+ eval "${pre_mount}" > /dev/null+ ewend $? || cryptfs_status=1+ fi+ fi+}++# Run any post_mount commands for an individual mount+#+# Note: This relies on variables localized in the main body below.+dm_crypt_execute_localmount() {+ local mount_point++ [ -z "${target}" ] && [ -z "${post_mount}" ] && return++ if ! cryptsetup status ${target} | egrep -q '\<active:' ; then+ ewarn "Skipping unmapped target ${target}"+ cryptfs_status=1+ return+ fi++ mount_point=$(grep "/dev/mapper/${target}" /proc/mounts | cut -d' ' -f2)+ if [ -z "${mount_point}" ] ; then+ ewarn "Failed to find mount point for ${target}, skipping"+ cryptfs_status=1+ fi++ if [ -n "${post_mount}" ] ; then+ ebegin "Running post_mount commands for target ${target}"+ eval "${post_mount}" >/dev/null+ eend $? || cryptfs_status=1+ fi+}++# Lookup optional bootparams+get_bootparam_val() {+ # We're given something like:+ # foo=bar=cow+ # Return the "bar=cow" part.+ case $1 in+ *\=*)+ local key=$(echo "$1" | cut -f1 -d=)+ echo "$1" | cut -c $(( ${#key} + 2 ))+ ;;+ esac+}++start() {+ local header=true cryptfs_status=0+ local gpg_options key loop_file target targetline options pre_mount post_mount source swap remdev++ local x+ for x in $(cat /proc/cmdline) ; do+ case "${x}" in+ key_timeout\=*)+ local KEY_TIMEOUT=$(get_bootparam_val "${x}")+ if [ ${KEY_TIMEOUT} -gt 0 ] ; then+ read_timeout="-t ${KEY_TIMEOUT}"+ fi+ ;;+ esac+ done++ while read -u 3 targetline ; do+ case ${targetline} in+ # skip comments and blank lines+ ""|"#"*) continue ;;+ # skip service-specific openrc configs #377927+ rc_*) continue ;;+ esac++ ${header} && ebegin "Setting up dm-crypt mappings"+ header=false++ # check for the start of a new target/swap+ case ${targetline} in+ target=*|swap=*)+ # If we have a target queued up, then execute it+ ${execute_hook}++ # Prepare for the next target/swap by resetting variables+ unset gpg_options key loop_file target options pre_mount post_mount source swap remdev+ ;;++ gpg_options=*|remdev=*|key=*|loop_file=*|options=*|pre_mount=*|post_mount=*|source=*)+ if [ -z "${target}${swap}" ] ; then+ ewarn "Ignoring setting outside target/swap section: ${targetline}"+ continue+ fi+ ;;++ dmcrypt_max_timeout=*)+ # ignore global options+ continue+ ;;++ *)+ ewarn "Skipping invalid line in ${conf_file}: ${targetline}"+ ;;+ esac++ # Queue this setting for the next call to dm_crypt_execute_xxx+ eval "${targetline}"+ done 3< ${conf_file}++ # If we have a target queued up, then execute it+ ${execute_hook}++ ewend ${cryptfs_status} "Failed to setup dm-crypt devices"+}++stop() {+ local line header++ # Break down all mappings+ header=true+ egrep "^(target|swap)=" ${conf_file} | \+ while read line ; do+ ${header} && einfo "Removing dm-crypt mappings"+ header=false++ target= swap=+ eval ${line}++ [ -n "${swap}" ] && target=${swap}+ if [ -z "${target}" ] ; then+ ewarn "invalid line in ${conf_file}: ${line}"+ continue+ fi++ ebegin " ${target}"+ cryptsetup remove ${target}+ eend $?+ done++ # Break down loop devices+ header=true+ grep '^source=./dev/loop' ${conf_file} | \+ while read line ; do+ ${header} && einfo "Detaching dm-crypt loop devices"+ header=false++ source=+ eval ${line}++ ebegin " ${source}"+ losetup -d "${source}"+ eend $?+ done++ return 0+}+
--
1.8.3.1
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
[alpine-devel] [PATCH 2/2] main/cryptsetup: fix location of .pc file
Currently cryptsetup is installing its .pc file in /lib/pkgconfig; however, our
main/pkgconf is not looking in that folder. This patch moves the .pc file from
/lib/pkgconfig to /usr/lib/pkgconfig, as main/procps also does. (Alternatively,
we might instead patch main/pkgconf to include /lib/pkgconfig in its default
PKG_CONFIG_PATH.)
---
main/cryptsetup/APKBUILD | 2 ++
1 file changed, 2 insertions(+)
diff --git a/main/cryptsetup/APKBUILD b/main/cryptsetup/APKBUILD
index 5026770..8bf65d7 100644
--- a/main/cryptsetup/APKBUILD+++ b/main/cryptsetup/APKBUILD
@@ -37,6 +37,8 @@ libs() {
pkgdesc="Cryptsetup shared library"
mkdir -p "$subpkgdir"
mv "$pkgdir"/lib "$subpkgdir"/
+ mkdir -p "$subpkgdir/usr/lib"+ mv "$subpkgdir/lib/pkgconfig" "$subpkgdir/usr/lib/"}
md5sums="f374d11e3b0e7ca0f805756fd02e34ff cryptsetup-1.6.1.tar.bz2
--
1.8.3.1
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
On Fri, Jun 28, 2013 at 08:42:14AM +0200, Natanael Copa wrote:
> On Thu, 27 Jun 2013 02:12:03 -0400> Dubiousjim <dubiousjim@gmail.com> wrote:> > > One can already open a crypted / at startup using cryptroot= and cryptdm= options in the kernel> > command line, thanks to mkinitfs's init script.> > > > This patch enables opening OTHER crypted volumes at startup, and also using a crypted swap.> > I agree that this is a feature we want. I am not convinced that we want> do it gentoo style though. I wonder if we should go for> a /etc/crypttab, debian/fedora style instead. What do you think?> > http://linux.die.net/man/5/crypttab
I've got no attachment to the Gentoo implementation. One con is it's not
that lightweight. The pros were that it's flexible and already designed
for OpenRC. I wanted such a thing for a system I was setting up
remotely, and that's what I found, so I thought I'd pass it on.
I'll have a look at the Fedora implementation instead, when I get a
chance. I used to use Arch, and they had something like that.
Sorry about the cleanup needed for the other patches. I didn't bump the
pkgrels because it seemed too presumptive! :-)
--
Dubiousjim
dubiousjim@gmail.com
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
On Thu, 27 Jun 2013 02:12:03 -0400
Dubiousjim <dubiousjim@gmail.com> wrote:
> One can already open a crypted / at startup using cryptroot= and cryptdm= options in the kernel> command line, thanks to mkinitfs's init script.> > This patch enables opening OTHER crypted volumes at startup, and also using a crypted swap.
I agree that this is a feature we want. I am not convinced that we want
do it gentoo style though. I wonder if we should go for
a /etc/crypttab, debian/fedora style instead. What do you think?
http://linux.die.net/man/5/crypttab
-nc
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
Re: [alpine-devel] [PATCH 2/2] main/cryptsetup: fix location of .pc file
On Thu, 27 Jun 2013 02:12:04 -0400
Dubiousjim <dubiousjim@gmail.com> wrote:
> Currently cryptsetup is installing its .pc file in /lib/pkgconfig; however, our
> main/pkgconf is not looking in that folder. This patch moves the .pc file from
> /lib/pkgconfig to /usr/lib/pkgconfig, as main/procps also does. (Alternatively,
> we might instead patch main/pkgconf to include /lib/pkgconfig in its default
> PKG_CONFIG_PATH.)
No, we don't want .pc files in /lib. Better to move it
to /usr/lib/pkgconfig like you do.
I changed it slightly so the .pc file ends up in the cryptsetup-dev
package instead of cryptsetup-libs:
diff --git a/main/cryptsetup/APKBUILD b/main/cryptsetup/APKBUILD
index 96ddee1..1c4fe7b 100644
--- a/main/cryptsetup/APKBUILD+++ b/main/cryptsetup/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cryptsetup
pkgver=1.6.1
-pkgrel=0+pkgrel=1pkgdesc="Userspace setup tool for transparent encryption of block devices using
url="http://code.google.com/p/cryptsetup/"
arch="all"
@@ -25,7 +25,9 @@ build() {
package() {
cd "$srcdir"/$pkgname-$pkgver
make DESTDIR=$pkgdir install || return 1
- rm "$pkgdir"/lib/*.la+ rm "$pkgdir"/lib/*.la || return 1+ mkdir -p "$pkgdir"/usr/lib+ mv "$pkgdir"/lib/pkgconfig "$pkgdir"/usr/lib/}
libs() {
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
On Fri, 28 Jun 2013 04:52:41 -0400
Dubiousjim <dubiousjim@gmail.com> wrote:
> On Fri, Jun 28, 2013 at 08:42:14AM +0200, Natanael Copa wrote:> > On Thu, 27 Jun 2013 02:12:03 -0400> > Dubiousjim <dubiousjim@gmail.com> wrote:> > > > > One can already open a crypted / at startup using cryptroot= and cryptdm= options in the kernel> > > command line, thanks to mkinitfs's init script.> > > > > > This patch enables opening OTHER crypted volumes at startup, and also using a crypted swap.> > > > I agree that this is a feature we want. I am not convinced that we want> > do it gentoo style though. I wonder if we should go for> > a /etc/crypttab, debian/fedora style instead. What do you think?> > > > http://linux.die.net/man/5/crypttab> > I've got no attachment to the Gentoo implementation. One con is it's not> that lightweight. The pros were that it's flexible and already designed> for OpenRC. I wanted such a thing for a system I was setting up> remotely, and that's what I found, so I thought I'd pass it on.
One benefit is that we could let gentoo maintain it, in case we go this
route.
> I'll have a look at the Fedora implementation instead, when I get a> chance. I used to use Arch, and they had something like that.
I think thats what systemd uses so they are probably similar. I think
systemd style tries to be compatible with debians /etc/crypttab too.
googling on 'gentoo crypttab' gives some interesting results too.
specifically: https://bugs.freedesktop.org/show_bug.cgi?id=53147> Sorry about the cleanup needed for the other patches. I didn't bump the> pkgrels because it seemed too presumptive! :-)
np. sorry for being late at applying them.
-nc
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---