cryptsetup 2:1.7.3-4 / usr / share / doc / cryptsetup / README.keyctl

This file is indexed.

/usr/share/doc/cryptsetup/README.keyctl is in cryptsetup 2:1.7.3-4.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
decrypt_keyctl
==============

A passphrase caching script to be used in /etc/crypttab on Debian and Ubuntu.
When there are multiple cryptsetup (either plain or LUKS) volumes with the same
passphrase, it is an unnecessary task to input the passphrase more than once.

Just add this script as keyscript to your /etc/crypttab and it will cache the
passphrase of all cryptab entries with the same identifier.

Either copy decrypt_keyctl into the default search path for keyscripts from
cryptsetup /lib/cryptdisks/scripts/. So you can just write
keyscript=decrypt_keyctl in /etc/crypttab, or use a random path of your choice
and give the full path e.g keyscript=/sbin/decrypt_keyctl.


Requirements
------------

  - Debian cryptsetup package with /etc/crypttab handling and keyscript option
     - Tested with Debian Lenny, Squeeze and Sid
  - Installed and working keyutils package (keyctl)
     - Needs CONFIG_KEYS=y in your kernel configuration

What For?
---------

In old (pre 2.6.38) kernels, dm-crypt used to be single threaded. Thus every
dm-crypt mapping only used a single core for crypto operations. To use the full
power of your many-core processor it is was necessary to split the dm-crypt
device. For Linux software raid arrays the easiest segmentation was to just put
the dm-crypt layer below the software raid layer.

But with a 5 disk raid5 it is a rather daunting task to input the passphrase
five times. This is what this keyscripts solve for you.

Usage
-----

Best shown by example:
    - 5 disks
    - Linux software raid5

Layer:
      sda             sdb            sdc ... sde
    +-----------+   +-----------+
    | LUKS      |   | LUKS      |
    | +-------+ |   | +-------+ |
    | | RAID5 | |   | | RAID5 | |
    | | ...   | |   | | ...   | |

Crypttab Entries:

<target>    <source>    <keyfile>        <options>
sda_crypt   /dev/sda2   main_data_raid   luks,keyscript=decrypt_keyctl
sdb_crypt   /dev/sdb2   main_data_raid   luks,keyscript=decrypt_keyctl
...
sde_crypt   /dev/sde2   main_data_raid   luks,keyscript=decrypt_keyctl


How does it work
----------------

Crypttab Interface:
A keyscript is added to options including a keyfile definition as third
parameter in the crypttab file. The keyscript is called with the keyfile as the
first and only parameter. Additionally there are a few environment variables
set but currently are not used by this keyscript (man 5 crypttab for exact
description).

Keyscript:
Keyctl_keyscript uses the Linux kernel keyring facility to securly cache
passphrases between multiple invocations.
The keyfile parameter from cryptab is used to find the same passphrase between
multiple invocations.

Currently the cache timeout is 60 seconds and not configurable (please report a
bug if it is too low for you).


Problems
--------

    - Passphrase is piped between processes and could end up in unsecured
        memory, thus later swapped to disk!
        => Use of cryptoswap recommend!


Hints
-----

To remove all traces of this keyscript you may want to cleanup the keyring
completely with the following command afterwards:
    sudo keyctl clear @u

APT Browse - Built by Thomas Orozco.