Re: LUKS + dm-crypt Debian/Ubuntu expanding encrypted root LV onto 2nd disk

On Wed, 29 May 2019 at 12:07, Ondrej Kozina <okozina@xxxxxxxxxx> wrote:
> On 5/29/19 11:56 AM, Dominic Raferd wrote:
> > Thanks Guilhem, those links are very helpful but I have not solved it
> > yet. Another change in the new cryptsetup is LUKS2 and use of the kernel
> > keyring, so when run from a booted system dmcrypt_derived just returns a
> > message that the source crypt device uses the keyring - I don't know how
> > to obtain the actual key to use it in the creation of the second crypt
> > device (or maybe it is impossible
>
> Not sure why you need to reuse volume key put in dm-crypt exactly but if
> you rely on the classical method, you may use --disable-keyring
> parameter of cryptsetup. With this parameter cryptsetup uploads the key
> in hexbyte representation as with LUKS1 format.

Thanks but I am using the standard Debian recipe (via Ubuntu alternate installer which uses anaconda) for drive encryption (LUKS + dm-crypt, with LVM on top) and this does not give any chance (AFAIK) to specify a special parameter for cryptsetup. Previously it used LUKS1 without keyring but now it uses LUKS2 with keyring. I want to keep the initial setup process as simple as possible (documented at https://www.timedicer.co.uk).

The idea of reusing key from first crypt device when creating second crypt device is that once the first crypt device is decrypted in initramfs (by user entering password) then the second one can be decrypted using the key from the first. (Both devices must be decrypted in initramfs because root LV is based on a VG which spans *both* devices - a scenario that might arise if the first device runs out of space.) This way there is no need to enter password twice or to cache it.
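
Whether a given mapping holds its volume key in the kernel keyring or in hex form (the difference discussed in this thread) can be read from the key field of its dm-crypt table line. The following is an added example, not part of the original messages or of cryptsetup: the function name and both sample lines are constructed, and the input is assumed to be one line as printed by `dmsetup table --showkeys <name>`.

```shell
#!/bin/sh
# Classify where a dm-crypt mapping keeps its volume key, given one table line
# in the layout documented for the kernel's dm-crypt target:
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [opts]
# A <key> field beginning with ':' is a keyring reference of the form
# :<key_size>:<key_type>:<key_description>; otherwise it is the key in hex.
dm_key_location() {
    set -f            # no globbing while the line is word-split
    set -- $1         # fields become $1..$N
    set +f
    if [ "$#" -lt 8 ] || [ "$3" != "crypt" ]; then
        echo "not-crypt"
        return 1
    fi
    case "$5" in
        :*:*:*)         echo "keyring" ;;   # key bytes are not in the table
        -)              echo "no-key" ;;    # mapping has a zero-length key
        *[!0-9a-fA-F]*) echo "malformed"; return 1 ;;
        *)              echo "inline" ;;    # hex key, readable by root
    esac
}

# Constructed sample lines (placeholder UUID, made-up and shortened hex key).
KEYRING_LINE='0 41908224 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 8:3 32768'
INLINE_LINE='0 41908224 crypt aes-xts-plain64 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 0 8:3 4096'

# "keyring" is the case where a derived-key script has no hex key to read;
# "inline" is the case produced when the device is opened with --disable-keyring.
for line in "$KEYRING_LINE" "$INLINE_LINE"; do
    dm_key_location "$line"
done
```
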