From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mbroz@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by mail.saout.de (Postfix) with ESMTP
 for <dm-crypt@saout.de>; Thu,  4 Nov 2010 09:45:29 +0100 (CET)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
 (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
 by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id oA48jRNx005100
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
 for <dm-crypt@saout.de>; Thu, 4 Nov 2010 04:45:27 -0400
Received: from [10.36.4.62] (vpn1-4-62.ams2.redhat.com [10.36.4.62])
 by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 oA48jQni004908
 for <dm-crypt@saout.de>; Thu, 4 Nov 2010 04:45:26 -0400
Message-ID: <4CD272A5.4080901@redhat.com>
Date: Thu, 04 Nov 2010 09:45:25 +0100
From: Milan Broz <mbroz@redhat.com>
MIME-Version: 1.0
References: <1288808772.11023.5.camel@acer> <20101103223431.GA20934@tansi.org>
In-Reply-To: <20101103223431.GA20934@tansi.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] Feitian PKI donation to dm-crypt projetc
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On 11/03/2010 11:34 PM, Arno Wagner wrote:

> The only interface for integrating external keys is by
> reading them from file or stdin and that is by desing
> to keep things simple.

I am maintaining it with the basic idea that libcrypsetup/cryptsetup
is simple tool to configure encrypted partitions using kernel crypto.
Nothing more, nothing less.

New api in libcrypsetup provides two trivial interfaces to get
passphrase or key - directly provided buffer (owned by application)
or keyfile.

For the compatibility reasons it fallbacks to read from
terminal/stdin but the focus is to move passphrase reading
into application responsibility.

IOW if anyone want to handle LUKS mapping in program
(imagine e.g. systemd - issue of these days) it can use
libcryptsetup and handle safe password reading dialog
in application.

(Using stdin in cryptsetup in scripts is problematic - you cannot
control and wipe all buffers. But this option will be always there.
I mean constructions like echo "password" | cryptsetup luksOpen ...)

Handling of various tokens and cards is always wrapper around
cryptsetup - (either scripts or binaries linked to libcryptsetup).

Maybe one day these scripts will be part of upstream tarball,
currently it is up to the distribution to add them.

Milan