path: root/src/shared/cryptsetup-util.h
author: Lennart Poettering <lennart@poettering.net> 2020-11-25 11:10:29 +0100
committer: Lennart Poettering <lennart@poettering.net> 2020-12-17 19:59:24 +0100
commit: b997d1115bf21b58dd876e02ce095bc483e3c875
tree: 7506621680c4de90499611f5967ab78390dd6824 /src/shared/cryptsetup-util.h
parent: d3ad474f0c60a55057cca35ad5f62177bd395fe2
download: systemd-b997d1115bf21b58dd876e02ce095bc483e3c875.tar.gz
cryptsetup: read PKCS#11 key and token info from LUKS2 metadata
Optionally, embed PKCS#11 token URI and encrypted key in LUKS2 JSON metadata header. That way it becomes very easy to unlock properly set up PKCS#11-enabled LUKS2 volumes, a simple /etc/crypttab line like the following suffices:

    mytest /dev/disk/by-partuuid/41c1df55-e628-4dbb-8492-bc69d81e172e - pkcs11-uri=auto

Such a line declares that unlocking via PKCS#11 shall be attempted, and the token URI and the encrypted key shall be read from the LUKS2 header. An external key file for the encrypted PKCS#11 key is hence no longer necessary, nor is specifying the precise URI to use.
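The lookup the commit message describes, as an added illustration (not systemd's or cryptsetup's own code): walk the LUKS2 JSON header's token objects in index order, bounded by the same 32-slot limit the header file below hard-codes, pick out the PKCS#11 token, and return the token URI, the wrapped key and the keyslots it is bound to. A `pkcs11-uri=auto` crypttab option is then resolved against that data, while a literal URI keeps the old behaviour of needing an external key file. The token type name `systemd-pkcs11`, the field names `pkcs11-uri` and `pkcs11-key`, and the sample header itself are assumptions constructed for the example; the page does not spell out the JSON schema.

```python
"""Model of the 'pkcs11-uri=auto' lookup: find PKCS#11 metadata in a LUKS2
JSON header. Added illustration, not systemd's or cryptsetup's own code.
The token type and field names below are assumptions about the schema."""
import base64
import json

# Same bound as cryptsetup's LUKS2_TOKENS_MAX: token objects are keyed "0".."31".
LUKS2_TOKENS_MAX = 32

# Assumed token type and field names (not taken from the page).
PKCS11_TOKEN_TYPE = "systemd-pkcs11"

# Constructed stand-in for the wrapped key blob a security token would decrypt.
SAMPLE_WRAPPED_KEY = bytes(range(0x40, 0x60))

# Constructed LUKS2 header, trimmed to the objects this lookup touches.
SAMPLE_HEADER_JSON = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "luks2-keyring", "keyslots": ["0"],
              "key_description": "cryptsetup:mytest"},
        "2": {"type": PKCS11_TOKEN_TYPE, "keyslots": ["1"],
              "pkcs11-uri": "pkcs11:model=PKCS%2315%20emulated;token=mytoken",
              "pkcs11-key": base64.b64encode(SAMPLE_WRAPPED_KEY).decode()},
        # Index beyond LUKS2_TOKENS_MAX: cryptsetup never writes such an entry
        # and a bounded scan must not reach it.
        "40": {"type": PKCS11_TOKEN_TYPE, "keyslots": ["1"],
               "pkcs11-uri": "pkcs11:token=bogus", "pkcs11-key": "AA=="},
    },
})


def load_header(text):
    return json.loads(text)


def iterate_tokens(header):
    """Yield (index, token object) for each defined token in index order,
    bounded by LUKS2_TOKENS_MAX the way a libcryptsetup caller loops."""
    tokens = header.get("tokens", {})
    for idx in range(LUKS2_TOKENS_MAX):
        tok = tokens.get(str(idx))
        if isinstance(tok, dict):
            yield idx, tok


def find_pkcs11_auto_data(header):
    """Return every PKCS#11 token as {"token", "uri", "key", "keyslots"}.
    Malformed entries raise instead of being skipped, so a corrupted or
    tampered header is reported rather than turned into a vague unlock failure."""
    found = []
    for idx, tok in iterate_tokens(header):
        if tok.get("type") != PKCS11_TOKEN_TYPE:
            continue
        uri = tok.get("pkcs11-uri")
        if not isinstance(uri, str) or not uri.startswith("pkcs11:"):
            raise ValueError(f"token {idx}: missing or malformed pkcs11-uri")
        try:
            key = base64.b64decode(tok.get("pkcs11-key", ""), validate=True)
        except (TypeError, ValueError) as e:
            raise ValueError(f"token {idx}: pkcs11-key is not valid base64") from e
        if not key:
            raise ValueError(f"token {idx}: empty pkcs11-key")
        keyslots = []
        for ks in tok.get("keyslots", []):
            if not isinstance(ks, str) or not ks.isdigit() or ks not in header.get("keyslots", {}):
                raise ValueError(f"token {idx}: keyslot reference {ks!r} is invalid")
            keyslots.append(int(ks))
        if not keyslots:
            raise ValueError(f"token {idx}: token is bound to no keyslot")
        found.append({"token": idx, "uri": uri, "key": key, "keyslots": keyslots})
    return found


def resolve_pkcs11_uri(crypttab_options, header):
    """Interpret the pkcs11-uri= crypttab option. Returns a list of candidates
    to try in order, or None when the option is absent. A literal URI carries
    no key (the caller must still read it from a key file); 'auto' takes URI
    and key from the header."""
    opts = {}
    for item in crypttab_options.split(","):
        k, sep, v = item.partition("=")
        opts[k] = v if sep else None
    uri = opts.get("pkcs11-uri")
    if uri is None:
        return None
    if uri != "auto":
        return [{"token": None, "uri": uri, "key": None, "keyslots": None}]
    candidates = find_pkcs11_auto_data(header)
    if not candidates:
        raise LookupError("pkcs11-uri=auto but the LUKS2 header carries no PKCS#11 token")
    return candidates
```

Returning a list rather than the first hit leaves the policy for several enrolled tokens to the caller (try each, or refuse as ambiguous); which of these systemd itself applies is not shown on this page.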
Diffstat (limited to 'src/shared/cryptsetup-util.h')
 src/shared/cryptsetup-util.h | 4 ++++
 1 file changed, 4 insertions(+), 0 deletions(-)
diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
index 26f5dd3c89..fa2d2f65f3 100644
--- a/src/shared/cryptsetup-util.h
+++ b/src/shared/cryptsetup-util.h
@@ -43,4 +43,8 @@ int cryptsetup_get_token_as_json(struct crypt_device *cd, int idx, const char *v
int cryptsetup_get_keyslot_from_token(JsonVariant *v);
int cryptsetup_add_token_json(struct crypt_device *cd, JsonVariant *v);
+/* Stolen from cryptsetup's sources. We use to iterate through all tokens defined for a volume. Ideally, we'd
+ * be able to query this via some API, but there appears to be none currently in libcryptsetup. */
+#define LUKS2_TOKENS_MAX 32
+
#endif
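Review bot: the comment above the new macro reads "We use to iterate through all tokens", which is missing its object; "We use this to iterate" is what is meant. Beyond the wording, hard-coding LUKS2_TOKENS_MAX 32 copies a cryptsetup-internal limit into a second code base without recording where it came from: if a later libcryptsetup raised the number of token slots, any loop bounded by this macro would silently never look at tokens at index 32 and above, and nothing would flag the mismatch. Two cheap mitigations: state in the comment which cryptsetup version or header the value was taken from so the copy can be audited, and have token iteration stop at the first index for which crypt_token_status() reports CRYPT_TOKEN_INVALID (what libcryptsetup returns for an out-of-range token), so the macro is only a safety cap rather than the source of truth.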