From 12c346d8e82dbe9a97a4666b1f9e2771bb54207c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 22 Sep 2023 18:27:10 +0200
Subject: [PATCH] man/crypttab: do not recommend using /dev/sdX symlinks in /etc/crypttab
This is just wrong. Quering the symlink names with udevadm is not the easiest, but I think that's the safest way for a documented example.
---
 TODO | 4 ++++
 man/fido2-crypttab.sh | 16 ++++++++++------
 man/tpm2-crypttab.sh | 16 ++++++++++------
 man/yubikey-crypttab.sh | 16 ++++++++++------
 4 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/TODO b/TODO
index 8cff6379af..a47698f587 100644
--- a/TODO
+++ b/TODO
@@ -386,6 +386,10 @@ Features:
 * udevd: extend memory pressure logic: also kill any idle worker processes
+* udevadm: to make symlink querying with udevadm nicer:
+ - do not enable the pager for queries like 'udevadm info -q -r symlink'
+ - add mode with newlines instead of spaces (for grep)?
+
 * SIGRTMIN+18 and memory pressure handling should still be added to:
 hostnamed, localed, oomd, timedated.
diff --git a/man/fido2-crypttab.sh b/man/fido2-crypttab.sh
index fe7351520a..c29c0245f4 100644
--- a/man/fido2-crypttab.sh
+++ b/man/fido2-crypttab.sh
@@ -8,13 +8,17 @@ sudo systemd-cryptenroll --fido2-device=auto /dev/sdXn
 sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - fido2-device=auto
 # If that worked, let's now add the same line persistently to /etc/crypttab,
-# for the future.
-sudo bash -c 'echo "mytest /dev/sdXn - fido2-device=auto" >>/etc/crypttab'
+# for the future. We don't want to use the (unstable) /dev/sdX name, so let's
+# figure out a stable link:
+udevadm info -q -r symlink /dev/sdXn
-# Depending on your distribution and encryption setup, you may need
-# to manually regenerate your initramfs to be able to use
-# a FIDO2-Device to unlock the partition during early boot.
-# More information at https://unix.stackexchange.com/a/705809
+# Now add the line using the by-uuid symlink to /etc/crypttab:
+sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - fido2-device=auto" >>/etc/crypttab'
+
+# Depending on your distribution and encryption setup, you may need to manually
+# regenerate your initramfs to be able to use a FIDO2 device to unlock the
+# partition during early boot.
+# More information at https://unix.stackexchange.com/a/705809.
 # On Fedora based systems:
 sudo dracut --force
 # On Debian based systems:
diff --git a/man/tpm2-crypttab.sh b/man/tpm2-crypttab.sh
index f5f6e3a43d..1b7074a0de 100644
--- a/man/tpm2-crypttab.sh
+++ b/man/tpm2-crypttab.sh
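Review bot: The added `udevadm info -q -r symlink /dev/sdXn` puts `-r` in the position of `-q`'s TYPE argument; if `udevadm info` parses `-q` as a required-argument option (its help lists it as `-q --query=TYPE`), getopt hands it `-r` as the query type and the command fails before printing any link, so a reader copying the example gets an error rather than a stable name. The unambiguous spelling is `udevadm info --query=symlink --root /dev/sdXn` (or `-q symlink -r`); the identical line appears in the tpm2-crypttab.sh and yubikey-crypttab.sh hunks and should be changed there too. The next comment tells the reader to use the by-uuid symlink, but the query prints every symlink udev created for the device space-separated on one line (as the TODO hunk in this commit acknowledges), so it would help to say which entry to copy, e.g. `# Pick the /dev/disk/by-uuid/... entry from the list above (the LUKS header UUID); by-path names depend on bus topology and are not a safe choice.`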
@@ -8,13 +8,17 @@ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdXn
 sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - tpm2-device=auto
 # If that worked, let's now add the same line persistently to /etc/crypttab,
-# for the future.
-sudo bash -c 'echo "mytest /dev/sdXn - tpm2-device=auto" >>/etc/crypttab'
+# for the future. We don't want to use the (unstable) /dev/sdX name, so let's
+# figure out a stable link:
+udevadm info -q -r symlink /dev/sdXn
-# Depending on your distribution and encryption setup, you may need
-# to manually regenerate your initramfs to be able to use
-# a TPM2 security chip to unlock the partition during early boot.
-# More information at https://unix.stackexchange.com/a/705809
+# Now add the line using the by-uuid symlink to /etc/crypttab:
+sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - tpm2-device=auto" >>/etc/crypttab'
+
+# Depending on your distribution and encryption setup, you may need to manually
+# regenerate your initramfs to be able to use a TPM2 security chip to unlock
+# the partition during early boot.
+# More information at https://unix.stackexchange.com/a/705809.
 # On Fedora based systems:
 sudo dracut --force
 # On Debian based systems:
diff --git a/man/yubikey-crypttab.sh b/man/yubikey-crypttab.sh
index f50a349631..d355afbd1b 100644
--- a/man/yubikey-crypttab.sh
+++ b/man/yubikey-crypttab.sh
@@ -24,13 +24,17 @@ sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn
 sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto
 # If that worked, let's now add the same line persistently to /etc/crypttab,
-# for the future.
-sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >>/etc/crypttab'
+# for the future. We don't want to use the (unstable) /dev/sdX name, so let's
+# figure out a stable link:
+udevadm info -q -r symlink /dev/sdXn
-# Depending on your distribution and encryption setup, you may need
-# to manually regenerate your initramfs to be able to use a
-# Yubikey / PKCS#11 Token to unlock the partition during early boot.
-# More information at https://unix.stackexchange.com/a/705809
+# Now add the line using the by-uuid symlink to /etc/crypttab:
+sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - pkcs11-uri=auto" >>/etc/crypttab'
+
+# Depending on your distribution and encryption setup, you may need to manually
+# regenerate your initramfs to be able to use a Yubikey / PKCS#11 token to
+# unlock the partition during early boot.
+# More information at https://unix.stackexchange.com/a/705809.
 # On Fedora based systems:
 sudo dracut --force
 # On Debian based systems: