Bryan Kadzban <cryptsetup@xxxxxxxxxxxxxxxxxxx> wrote:
> Hmm. Indeed, askpass listens on several file descriptors, including
> /dev/console and a specific named pipe. (Also on some sort of pipe or
> socket or something to splashy, whatever that is, and another pipe or
> socket or something to usplash, whatever *that* is. Presumably those
> things are "infrastructure in Debian initramfs or boot scripts".) It
> wouldn't be terribly difficult to make askpass listen on a socket
> directly as well (although again, you'd really want to build in some
> kind of encryption; sshd is probably easier).

It listens on /lib/cryptsetup/passfifo. This one you are able to reach
via ssh (dropbear in initramfs), piping some passphrase into it in a
more or less secure manner (i.e. network traffic encrypted via ssh).

I'm not aware of any generic socket it listens on. I personally wouldn't
feel comfortable with a generic network socket for generic use
(independent of how far you personally would trust your local network)
unless you'd use some sort of public/private key authentication over it
(smartcard interaction or whatever).

> Looks like the way to get this all to fit together is to pipe askpass
> into cryptsetup, and move the select() multiplexing out of cryptsetup
> itself. I suppose that works.

This is what Debian's initramfs does.

cryptcreate="/sbin/cryptsetup -T 1 ...
cryptkeyscript="/lib/cryptsetup/askpass"
$cryptkeyscript "$cryptkey" | $cryptcreate --key-file=-

> Would it be possible to drop askpass into the cryptsetup package here?

IMHO, the best way would be to provide askpass as cryptsetup/contrib
content.

regards
Mario
-- 
Oh you, my king ... A net celebrity once wrote, in essence: You have to
read it the way I mean it, not the way I write it.
Of course I mean it the way you write it 8--)
O.G. Schwenk - de.comm.chatsystems
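
The FIFO hand-off discussed in this message, as an added example that is not part of the original mail and is not Debian's askpass: a private named pipe is relayed unmodified to a consumer's stdin, and the byte counts show why the writer side should use printf rather than echo, since cryptsetup does not strip a trailing newline when reading with --key-file=-. The temporary directory, the function names, the sample passphrase and the use of wc -c as a stand-in for cryptsetup are assumptions.

```shell
#!/bin/sh
# Added illustration. wc -c stands in for "cryptsetup --key-file=-";
# the passphrase 'constructed-pass' (16 bytes) is constructed sample data.

# make_passfifo DIR: create a FIFO readable/writable by its owner only
# (mode 0600) inside DIR and print its path.
make_passfifo() {
    dir=$1
    ( umask 077 && mkfifo "$dir/passfifo" ) || return 1
    printf '%s\n' "$dir/passfifo"
}

# relay_passphrase FIFO CMD...: block until a writer opens FIFO, then feed
# its bytes, unmodified, to CMD's stdin. This is the role the
# "$cryptkeyscript | $cryptcreate --key-file=-" pipeline plays at boot.
relay_passphrase() {
    fifo=$1; shift
    "$@" < "$fifo"
}

# demo_bytes_seen WRITER: send the sample passphrase through the FIFO with
# either "printf" or "echo" and print how many bytes the consumer received.
demo_bytes_seen() {
    writer=$1
    tmp=$(mktemp -d) || return 1
    fifo=$(make_passfifo "$tmp") || return 1
    # Writer side: what the remote ssh session would run against the FIFO.
    if [ "$writer" = echo ]; then
        echo 'constructed-pass' > "$fifo" &      # appends a newline
    else
        printf '%s' 'constructed-pass' > "$fifo" &  # exact bytes only
    fi
    relay_passphrase "$fifo" wc -c | tr -d ' '
    wait
    rm -rf "$tmp"
}

echo "printf writer: $(demo_bytes_seen printf) bytes"
echo "echo writer:   $(demo_bytes_seen echo) bytes"
```

A key slot enrolled interactively will not match a passphrase delivered with the extra newline, so the writer and the enrollment step have to agree on the exact bytes.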