On 12/18/2017 10:30 AM, Ondrej Kozina wrote:
On 12/14/2017 08:22 PM, Andrius Štikonas wrote:
So if I understand correctly, it will never ask for a passphrase in the LUKS1
case but it will always ask in the LUKS2 case.
Not always for every LUKS2 device. It will always ask for a passphrase
if the volume key is passed via the kernel keyring (hence the cryptsetup
status cmd for detection).
LUKS1 devices don't use the kernel keyring for the volume key (backward
compatibility).
LUKS2 devices use the kernel keyring for the volume key by default, but the user may
have overridden the default with the --disable-keyring option during the
cryptsetup open command.
And don't forget that not every kernel has dm-crypt kernel keyring support
available. We detect the dm-crypt version at runtime, so you may encounter LUKS2
devices with a hexbyte key in the dm table directly, especially in enterprise
or more conservative distributions. I'd recommend sticking with the
cryptsetup status cmd for detection though.
O.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
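
The detection recommended in the thread, as an added example that is not part of the original messages or of cryptsetup itself: it reads `cryptsetup status` output and reports whether the volume key is held in the kernel keyring. It assumes a cryptsetup 2.x build whose status output carries a `key location:` line; the function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify where dm-crypt holds the volume key of an active mapping, based on
# the "key location:" line of `cryptsetup status` (assumed present, see lead-in).

# key_location: reads status output on stdin, prints keyring, dm-crypt or unknown.
key_location() {
    awk -F': *' '
        /^[[:space:]]*key location:/ {
            sub(/[[:space:]]+$/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# needs_passphrase: exit 0 if the key is in the kernel keyring (a passphrase
# prompt is expected), 1 if it sits in the dm table, 2 if it cannot be told.
needs_passphrase() {
    case "$(key_location)" in
        keyring)  return 0 ;;
        dm-crypt) return 1 ;;
        *)        return 2 ;;
    esac
}

# mapping_needs_passphrase NAME: the same check against a live mapping.
mapping_needs_passphrase() {
    cryptsetup status "$1" | needs_passphrase
}

# Constructed sample: LUKS2 device opened with defaults on a kernel that
# supports the dm-crypt keyring.
sample_luks2_keyring() {
    cat <<'EOF'
/dev/mapper/example is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  key location: keyring
  mode:    read/write
EOF
}

# Constructed sample: LUKS2 device opened with --disable-keyring, or on a
# kernel without dm-crypt keyring support.
sample_luks2_no_keyring() {
    cat <<'EOF'
/dev/mapper/example is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  key location: dm-crypt
  mode:    read/write
EOF
}
```

Checking the key location rather than the LUKS version covers both exceptions named above: `--disable-keyring` and kernels without keyring support.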