This is still work in progress for me but I give my interim response below. Thanks for all the help.
On Wed, 29 May 2019 at 14:44, Guilhem Moulin <guilhem@xxxxxxxxxxx> wrote:
On Wed, 29 May 2019 at 12:26:12 +0100, Dominic Raferd wrote:
> Thanks but I am using the standard Debian recipe (via Ubuntu alternate
> installer which uses anaconda) for drive encryption (LUKS + dm-crypt, with
> LVM on top) and this does not give any chance (AFAIK) to specify a special
> parameter for cryptsetup.
That flag is to be passed to `open` (or `refresh`) at initramfs stage,
not `luksFormat` at d-i stage. I suppose it doesn't change much though,
as --disable-keyring, and --token-* flags can't be specified to Debian's
crypttab(5) at the moment.
You raise my hopes and then dash them ;-)
> The idea of reusing key from first crypt device when creating second crypt
> device is that once the first crypt device is decrypted in initramfs (by
> user entering password) then the second one can be decrypted using the key
> from the first.
You have a backup key slot on the device unlocked with decrypt_derived,
right? Otherwise you'll loose both devices if the source is lost or
damaged.
I am only testing now but what you say is wise.
As written in /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz
decrypt_derived doesn't work with LUKS2 on Linux ≥4.10, because the
volume key of the source device is offloaded to the kernel keyring thus
not readable by userspace. Since --disable-keyring can't be
persistently written into the LUKS header as of 2.1.0, nor can it be
toggled from crypttab(5), I guess that if you want to stick to
decrypt_derived your options are to use `luksFormat --type luks1` (or `convert --type luks1`);
unfortunately this doesn't work. I try it (booting from SystemRescueCD):
# cryptsetup convert /dev/sda5 --type luks1
WARNING!
========
This operation will convert /dev/sda5 to LUKS1 format.
Are you sure? (Type uppercase yes): YES
Cannot convert to LUKS1 format - keyslot 0 is not LUKS1 compatible.
...
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx https://www.saout.de/mailman/listinfo/dm-crypt