File: CheckSystem.Doc

package info (click to toggle)
cryptsetup 2%3A1.0.4%2Bsvn26-1
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 3,572 kB
  • ctags: 418
  • sloc: sh: 10,706; ansic: 3,187; makefile: 329; python: 90; perl: 40; sed: 16
file content (52 lines) | stat: -rw-r--r-- 2,301 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
This is the documentation for implementing a robust check system into
/etc/init.d/cryptdisks

checks marked with [default] are enabled per default.

basic ideas:
 - default checks are only necessary where one of OUR actions causes
   dataloss.
 - our checks must not cause any modifications to the underlying device.
 - it should be possible to deactivate all default checks with options
   in crypttab. (not sure whether the current situation reflects this)

The only default checks which apply to all situations are:
 * precheck: does the source device exist? [default]
 * check: does the target device contain a known filesystem [default]

Currently, three different branches exist:

### swap ###
 * precheck:
   - check for all known filesystems on the device, skip if any is found [default]
   - if none is found, check whether the source device is a swap partition.
     skip if any other fs is found. [default]
 * postcheck:
   - does the target device conatin any filesystem type other than 'swap'?
     fail in case. [default]
   - does the target device contain a swap filesystem [not default, corner
     cases exist. i.e. when a random key is used].
     use options "check=vol_id, checkargs=swap" for enabling this.

note to swap: You may destroy data whenever setting the 'swap' flag. The
              source partition, logical volume, whatever may contain data which
	      is lost after mkswap is run over it. Keep that in mind and double-
	      check whether the given source device is really the one you meant.

### plain dm-crypt ###
 * precheck:
   - check for all known filesystems on the device, skip if one is found [default]
 * postcheck:
   - check what the user requested us to check [filesystem, lvm, ...]
     + false: remove the dm-crypt device, retry as often as configured

note to plain dm-crypt: The postcheck (for filesystem or whatever) is the only
                        way to verify that the given password/key is correct.

### luks ###
 - luks and a /dev/*random key are not compatible. disable this combination.
 * precheck:
   - check whether the device is a LUKS partition, skip if untrue [default]
 * postcheck:
   - check what the user requested us to check [filesystem, lvm, ...]
     + false: just print a warning, the right password has been supplied