questions about cryptsetup modifications #9

jotrocken opened this issue Apr 20, 2020 · 1 comment

@jotrocken

Sorry for some questions about the script, I don't have much experience with code on GitHub.
First of all I'm not sure about the changes in the crypttab file. Before installing the script this file looked like this:

# old version without https-keyscript
sda6_crypt UUID=5ed84861-73f9-4e2a-bf56-359c2142e717 none luks,discard

How to implement step 5? Is it something like this?

# new WITH https-keyscript
sda6_crypt UUID=5ed84861-73f9-4e2a-bf56-359c2142e717 none luks,discard,keyscript=wget_or_ask,initramfs somepassphrase:https://example.org/encrypted_keyfile

Is there something missing before "somepassphrase:...", e.g. a field name like "key file" or something?

Further, I have a question about the fallback to ask for a pw if the keyfile is not found. Is the pw "somepassphrase" meant or another pw from another LUKS keyslot? Must "somepassphrase" be changed to the pw I would like to use or is it a field or option name?

I use the keyscript not on a server, but on my home desktop computer which is connected to the internet by wifi. Is there already a wifi connection at boot-up so the script can query by https?

Thanks for helping a beginner :)

@stupidpupil
Owner

stupidpupil commented Apr 26, 2020

Apologies for the slow response, and possibly not being that helpful...

Step 5

What you've written for Step 5 looks right. The fields are separated in the file by spaces or tabs, and the last entry is the "keyfile" field - no need for a field name.

The somepassphrase bit is the passphrase that you used in Step 1 to encrypt the keyfile. The script downloads the encrypted keyfile, decrypts it and then uses the decrypted keyfile to unlock the LUKS volume.

I should really rework some of this to be handled by a helper script, walking users through the process! Will think how to do this.

Fallback

This isn't somepassphrase, it is whatever you have in the LUKS keyslots for that drive.

Wifi

The short answer is: I don't know, but I bet it's a bit tricky compared to wired connections.

This person seems to have managed it but I do wonder if there might be a better approach.

It doesn't help, to be honest, that how I'm currently handling network setup is a bit of a mess that I need to revisit and do "the right way".
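Added example, not part of the thread or of the project's code: crypttab(5) defines four whitespace-separated fields in the order target name, source device, key file, options. The POSIX shell function below splits a line in that order and separates a `passphrase:URL` key field as described under Step 5. The function name, the split at the first colon, the https check and the sample lines (with a placeholder UUID) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration: check_crypttab_line is a hypothetical helper, not part of
# https-keyscript. Field order is taken from crypttab(5):
#   <target name> <source device> <key file> <options>
check_crypttab_line() {
    # Default IFS splits on spaces/tabs; anything past field 4 lands in $extra.
    read -r name source key opts extra <<EOF
$1
EOF
    if [ -z "$opts" ]; then
        echo "error: fewer than 4 fields"; return 1
    fi
    if [ -n "$extra" ]; then
        # No field values are echoed here: one of them may hold the passphrase.
        echo "error: more than 4 fields; field 3 is read as the key file"; return 1
    fi
    case ",$opts" in
        *,keyscript=?*) ks=${opts##*keyscript=}; ks=${ks%%,*} ;;
        *) echo "error: no keyscript= in options"; return 1 ;;
    esac
    # Assumption: the key field is split at the first colon into passphrase and URL.
    pass=${key%%:*}
    url=${key#*:}
    if [ -z "$pass" ] || [ "$pass" = "$key" ]; then
        echo "error: key field is not <passphrase>:<URL>"; return 1
    fi
    case "$url" in
        https://?*) ;;
        *) echo "error: URL must use https://"; return 1 ;;
    esac
    # Report the passphrase length only, never the value.
    echo "ok: target=$name keyscript=$ks url=$url passphrase_len=${#pass}"
}

# Constructed sample lines; the UUID is a placeholder.
DEV="UUID=00000000-0000-0000-0000-000000000000"
KEYSPEC="somepassphrase:https://example.org/encrypted_keyfile"
OPTS="luks,discard,keyscript=wget_or_ask,initramfs"
KEY_THIRD="sda6_crypt $DEV $KEYSPEC $OPTS"     # key spec in field 3
KEY_LAST="sda6_crypt $DEV none $OPTS $KEYSPEC" # key spec as a trailing 5th field

for line in "$KEY_THIRD" "$KEY_LAST"; do
    check_crypttab_line "$line"
done
```

Because the passphrase sits in `/etc/crypttab` in plaintext, the function prints only its length.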
