Re: systemd-cryptsetup credentials

On Wed, Jan 15, 2025 at 2:31 PM David White <dr.white.nz@xxxxxxxxx> wrote:
>
> Hi there,
>
> Just want some help with setting credentials for systemd-cryptsetup@.service services.
>
> I have a crypttab file with the following:
>
> (I set a label for this volume with a udev rule as I have to use a label)
>

I am not sure I understand it. Label is a property of the filesystem;
how do you set it using "udev rule"?

> os_crypt  LABEL=os_luks  none    try-empty-password=1,luks,pkcs11-uri=auto,discard
>
> I read in the systemd-cryptsetup documentation that I should be able to pass credential "cryptsetup.pkcs11-pin"
>
> I couldn't figure out from the documentation how to do this.
>
> I assume I create a drop-in for systemd-cryptsetup@os_crypt.service
>
> and add the credential there:
>
> LoadCredential=cryptsetup.pkcs11-pin:/path/to/unix/socket
>
> Would that work?

For this to work you need some process listening on the
/path/to/unix/socket and answering the request.

> If not, how would I go about passing a pkcs11 pin to cryptsetup.
>

You can simply drop your credentials into any standard directory like
/etc/credstore. systemd-cryptsetup@xxx.service already has
ImportCredentials=cryptsetup.*.

The catch is that systemd-cryptsetup only tries the single generic
credential name. There is no provision for different pins (via
credentials) for different devices. As long as you only have one
token, it is OK. But now I wonder if it could be a reason for failing
to use different tokens to unlock different volumes concurrently.
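As an added example, not code from this thread, here is a small POSIX shell helper for the approach the reply describes: place the generic cryptsetup.pkcs11-pin credential in /etc/credstore where ImportCredentials=cryptsetup.* picks it up, verify its permissions, and count how many crypttab entries would all share that single PIN credential. The default paths and the root-only modes (0700 for a newly created directory, 0600 for the file) are assumptions, chosen conservatively.

```shell
#!/bin/sh
# Added example (not code from the thread): stage the generic
# cryptsetup.pkcs11-pin credential where ImportCredentials=cryptsetup.*
# in systemd-cryptsetup@.service will find it, then sanity-check it.
# Assumptions: /etc/credstore as the default store, and root-only modes
# (0700 directory when created, 0600 file) as a conservative choice.

CRED_NAME="cryptsetup.pkcs11-pin"

# install_pin_credential CREDSTORE_DIR PIN_SOURCE_FILE
# Copies the PIN bytes from PIN_SOURCE_FILE verbatim (no newline added or
# stripped) into CREDSTORE_DIR/cryptsetup.pkcs11-pin with mode 0600.
install_pin_credential() {
    credstore="${1:-/etc/credstore}"
    src="$2"
    [ -r "$src" ] || { echo "cannot read PIN source: $src" >&2; return 1; }
    old_umask=$(umask)
    umask 077            # nothing created here is ever group/world readable
    [ -d "$credstore" ] || mkdir -m 0700 "$credstore"
    cat "$src" > "$credstore/$CRED_NAME"
    chmod 0600 "$credstore/$CRED_NAME"
    umask "$old_umask"
}

# check_pin_credential CREDSTORE_DIR
# Returns 0 if the credential file exists and is readable only by its owner.
check_pin_credential() {
    f="${1:-/etc/credstore}/$CRED_NAME"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "$f has $perms, want -rw-------" >&2; return 1; }
}

# count_pkcs11_volumes CRYPTTAB
# Prints how many crypttab entries use pkcs11-uri=. Since systemd-cryptsetup
# only tries the single generic credential name, more than one such entry
# means the same PIN credential is offered for every one of them.
count_pkcs11_volumes() {
    awk '!/^[ \t]*#/ && NF >= 4 && $4 ~ /(^|,)pkcs11-uri=/ { n++ }
         END { print n + 0 }' "${1:-/etc/crypttab}"
}
```

Run it against a scratch directory first (pass the directory as the first argument) before touching /etc/credstore on a real system.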
