I am aware that this has been previously discussed in the following threads:

http://www.saout.de/pipermail/dm-crypt/2013-May/003329.html
http://www.saout.de/pipermail/dm-crypt/2015-April/004667.html

I have been working on bringing PKCS#11 support to systemd's "cryptsetup" (that uses libcryptsetup). However, the maintainers of systemd have suggested that cryptsetup may be a better place for this functionality. The relevant discussions on systemd are:

https://github.com/systemd/systemd/pull/2776
https://github.com/systemd/systemd/pull/3007

In a comment to the last pull request I suggest adding PKCS#11 support in cryptsetup in a similar way to how keyfiles are handled. In a way, keyfiles and PKCS#11 data objects are quite similar. Both are accessible via a URI (https://tools.ietf.org/html/rfc7512), and both can be read depending on size or until EOF.

The main problem is that PKCS#11 objects are accessed through a provider, rather than a filesystem. Providers are not included in the kernel and as such are less "accessible". I have tried to find a standard way of enumerating providers in UNIX systems, but unfortunately there seems to be none. The closest seems to be p11-kit (https://p11-glue.freedesktop.org/p11-kit.html).

I would suggest that the solution to this would be to accept a provider through arguments.

What are your thoughts on this?
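To make the "keyfile-like" model in the post concrete, here is an added example (it is not code from this thread, from cryptsetup, or from systemd): a small RFC 7512 PKCS#11 URI parser, a provider-selection step in which an explicit provider argument takes precedence over the URI's own `module-path` query attribute, and a lookup of the addressed data object in a constructed in-memory stand-in for a provider's token, read with keyfile semantics (a fixed size, or until EOF). The object list, the token label "EXAMPLE", and the provider path `/usr/lib/example-provider.so` are all constructed for the example.

```python
# Added example, not part of the dm-crypt thread: RFC 7512 PKCS#11 URI handling
# modelled on how keyfiles are addressed and read.
from urllib.parse import unquote_to_bytes


def _parse_component(text, separator):
    """Parse 'name=value<sep>name=value' into a dict.

    Values are percent-encoded per RFC 7512.  The 'id' attribute is a raw
    byte string (CKA_ID); every other value is decoded as UTF-8.  A name that
    appears twice is rejected, because the URI would then be ambiguous.
    """
    attrs = {}
    if not text:
        return attrs
    for pair in text.split(separator):
        name, eq, value = pair.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute {pair!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Split a 'pkcs11:' URI into path attributes (';'-separated, identify the
    token/object) and query attributes ('&'-separated, e.g. module-path,
    pin-source)."""
    scheme = "pkcs11:"
    if not uri.startswith(scheme):
        raise ValueError("not a PKCS#11 URI")
    path, _, query = uri[len(scheme):].partition("?")
    return {"path": _parse_component(path, ";"),
            "query": _parse_component(query, "&")}


def resolve_module(parsed, module_arg=None):
    """Pick the provider library.  An explicit argument (the approach proposed
    in the post) wins; otherwise fall back to the URI's module-path attribute;
    None means no provider is known and the caller must fail."""
    if module_arg:
        return module_arg
    return parsed["query"].get("module-path")


# Constructed stand-in for the objects a provider would expose on one token.
FAKE_TOKEN_OBJECTS = [
    {"token": "EXAMPLE", "type": "data", "object": "luks-key",
     "id": b"\x01", "value": b"A" * 64},
    {"token": "EXAMPLE", "type": "cert", "object": "luks-key",
     "id": b"\x02", "value": b"not a key"},
]


def select_object(objects, parsed):
    """Return the single object matching every identifying path attribute in
    the URI.  Zero or several matches are an error rather than a guess."""
    wanted = {k: v for k, v in parsed["path"].items()
              if k in ("token", "type", "object", "id")}
    matches = [o for o in objects
               if all(o.get(k) == v for k, v in wanted.items())]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} objects match the URI, need exactly 1")
    return matches[0]


def read_like_keyfile(obj, size=None):
    """Keyfile semantics: read exactly `size` bytes, or everything to EOF when
    size is None.  A short object is an error, as a short keyfile would be."""
    data = obj["value"]
    if size is None:
        return data
    if size > len(data):
        raise ValueError("object shorter than requested key size")
    return data[:size]


if __name__ == "__main__":
    uri = ("pkcs11:token=EXAMPLE;object=luks-key;type=data;id=%01"
           "?module-path=/usr/lib/example-provider.so")
    parsed = parse_pkcs11_uri(uri)
    print("provider:", resolve_module(parsed, module_arg=None))
    key = read_like_keyfile(select_object(FAKE_TOKEN_OBJECTS, parsed), size=32)
    print("key bytes read:", len(key))
```

Note that without the `type=data` attribute the constructed token holds two objects labelled `luks-key`, and `select_object` refuses to pick one; that is the same reason a keyfile path must be unambiguous.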