Merge pull request #129 from Olf0/qcrypto
Pull for v1.4.0
Olf0 authored Feb 25, 2021
2 parents cb1372a + 56ef22c commit f7647db
Showing 8 changed files with 32 additions and 29 deletions.
19 changes: 11 additions & 8 deletions README.md
@@ -10,7 +10,7 @@ Built RPMs are available in the [release section](https://github.com/Olf0/crypto

The necessary steps to prepare an SD-card (or any other removable storage) are described at [Together.Jolla.com](https://together.jolla.com/question/195850/guide-creating-partitions-on-sd-card-optionally-encrypted/).<br />
Note that the "key"-files reside unencrypted on fixed, internal mass storage, as mobile devices usually have only a single user, who unlocks the whole device.<br />
Thus **crypto-sdcard** solely protects "data at rest" on SD-cards and other removable storage, i.e. specifically when the device is locked or switched off (and the SD-card may be taken out).
Thus *crypto-sdcard* solely protects "data at rest" on SD-cards and other removable storage, i.e. specifically when the device is locked or switched off (and the SD-card may be taken out).

#### Features
* These configuration files do not alter, replace or delete any extant files.
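Review bot: the only edit in this hunk is the project name switching from bold to italics, and the second hunk of this file converts the remaining bold occurrences the same way, so the style stays consistent; one documentation point on the unchanged line just above it, which says the "key"-files reside unencrypted on fixed internal storage: it would help readers to spell out the consequence, namely that anyone who can read the internal storage (a device image, an unencrypted backup) can unlock the SD-card, which is exactly why the protection is limited to a locked or switched-off device.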
@@ -19,30 +19,33 @@ Thus **crypto-sdcard** solely protects "data at rest" on SD-cards and other remo
* Support for Cryptsetup LUKS and Cryptsetup "plain".
* Note that SailfishOS just recently ([with v3.0.3](https://together.jolla.com/question/203846/changelog-303-hossa/#203846-cryptsetup)) switched to Cryptsetup **2**, and so did most (desktop) Linux distributions.
For interoperability with extant Linux installations and commonality with SailfishOS before v3.0.3, which provide Cryptsetup **1.x** (therefore only support LUKSv1 headers), [the "partitioning guide"](https://together.jolla.com/question/195850/guide-creating-partitions-on-sd-card-optionally-encrypted/#195850-43-dm-crypt-encrypted) aims at creating LUKSv1 headers.
* As Cryptsetup reads the cryptography parameters from the LUKS header and Cryptsetup **2** supports both v1 and v2 headers, **crypto-sdcard** shall work fine with any LUKS header version and parameters, which are valid for the installed Cryptsetup version.
* For Cryptsetup "plain" (only to be used, when "plausible deniability" is a must), **crypto-sdcard** has to provide the cryptography parameters and uses "*-h sha1 -s 256 -c aes-xts-plain*" by default.
While these parameters are optimised for speed, low power consumption, interoperability and sufficiently strong security for the next decade (including the specific use of SHA1 for hashing a pass-file down to 160 bits), other parameters may be set for unlocking Cryptsetup "plain" in */etc/systemd/system/cryptosd-plain\@.service*
* As Cryptsetup LUKS reads the cryptography parameters from the LUKS header and Cryptsetup **2** supports both v1 and v2 headers, *crypto-sdcard* shall work fine with any LUKS header version and parameters, which are valid for the installed Cryptsetup version.
* For Cryptsetup "plain" (only to be used, when "plausible deniability" is a must), *crypto-sdcard* has to provide the cryptography parameters and uses "*-h sha1 -s 256 -c aes-xts-plain*" by default.
While these parameters are optimised for speed, low power consumption, interoperability and sufficiently strong security for the next decade (including the specific use of SHA1 for hashing a pass-file down to 160 bits), other parameters may be set for unlocking Cryptsetup "plain" in */etc/systemd/system/cryptosd-plain\@.service*.
* Since *crypto-sdcard 1.3.4*, the [parsing of "key"-files in "plain" mode is enhanced](https://github.com/Olf0/crypto-sdcard/commit/ba3ccce0c3573747fadd7b30e576159b15277513) (as an experimental feature).<br />
This change requires to [convert extant "key"-files for "plain" mode](https://github.com/Olf0/crypto-sdcard/commit/ba3ccce0c3573747fadd7b30e576159b15277513#commitcomment-47340935).<br />
New "plain" "containers" shall be [created slightly differently](https://github.com/Olf0/crypto-sdcard/commit/ba3ccce0c3573747fadd7b30e576159b15277513#commitcomment-47340935) now, in order to take advantage of this enhancement.
* Start mounting encrypted (partitions on) SD-card via udisks at the earliest sensible time: Right after *udisks2.service* has started.
* Unmount before *udisks2.service* begins stopping, hence achieving a clean unmount.
* Also do not use SailfishOS' *udisksctl-user* script for unmounting (because it cannot work at the time ExecStop is executed), which is installed and used by SailfishOS since its release 3.2.1, and was also used by *crypto-sdcard* versions 1.1-1 to 1.3.1-5; see [details here](https://github.com/Olf0/crypto-sdcard/pull/28).
* Since v1.3.4 the [Systemd EnvironmentFiles](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#EnvironmentFile=) `[email protected]` and `mount-cryptosd-luks@crypto_luks_<UUID>.conf` (in this order), respectively `[email protected]` and `mount-cryptosd-plain@crypto_plain_<device-name>.conf`, in `/var/lib/environment/udisks2/` are evaluated for additional mount options, if they exist (one or both).
* Since v1.3.4 the [Systemd EnvironmentFiles](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#EnvironmentFile=) `[email protected]` and `mount-cryptosd-luks@crypto_luks_<UUID>.conf` (in this order), respectively `[email protected]` and `mount-cryptosd-plain@crypto_plain_<device-name>.conf`, in */var/lib/environment/udisks2/* are evaluated for additional mount options, if they exist (one or both).
Take a look at `ls /dev/mapper/crypto*` for the partition specific part (between the `@` and the `.conf` extension) of the file names for the partition specific configuration files.<br />
These configuration files can be created by a system administrator (i.e., you), so if you want to add restricting mount options, see [here for details](https://github.com/Olf0/mount-sdcard/releases/tag/1.3.2).
* Ensure, that AlienDalvik (specifically *alien-service-manager.service*) begins starting after mounting succeeded, to allow for [android_storage on SD-card](https://together.jolla.com/question/203539/guide-externalising-android_storage-and-other-directories-files-to-sd-card/#203539-2-externalising-homenemoandroid_storage).<br />
Even more importantly (i.e., also relevant for devices without "android_storage on SD-card") this also ensures, that unmounting occurs only after AlienDalvik has completely stopped.<br />
Nevertheless, these configuration files are also applicable to devices without AlienDalvik installed.
* Boot time is not significantly prolonged, as unlocking encrypted partitions per Cryptsetup occurs in parallel to starting udisks; after both succeeded, all mount operations are also started concurrently.
* Boot time is not significantly prolonged, as unlocking encrypted partitions per Cryptsetup occurs in parallel to starting *udisks2.service*; after both succeeded, all mount operations are also started concurrently.

#### Version history
* v1.3<br />
Mounting is now restricted to users, who belong to the Unix-group **media_rw**, which is the case for the user *nemo* since some SailfishOS release before v3.2.1 and after v2.2.1 (unable to assess which one), or the *defaultuser* on freshly installed devices (since SailfishOS 3.4.0).<br />
Mounting is now restricted to users, who belong to the Unix-group `media_rw`, which is the case for the user *nemo* since some SailfishOS release before v3.2.1 and after v2.2.1 (unable to assess which one), or the *defaultuser* on freshly installed devices (since SailfishOS 3.4.0).<br />
Significantly altered versioning scheme, git tags naming and archive file (tarball) names, again: This time to accommodate for multiple release variants per version in order to serve different SailfishOS releases from one repository easily. For details see the [document "Release version format, RPM dependencies and Git workflow"](https://github.com/Olf0/crypto-sdcard/blob/master/RPM-dependencies_Git-workflow.md).
* v1.2<br />
Significantly altered versioning scheme, git tags naming and archive file names. For details see the [release information](https://github.com/Olf0/crypto-sdcard/releases/tag/1.2.0).
* v1.1<br />
Following the [changes in SFOS-next](https://git.sailfishos.org/mer-core/udisks2/commit/bcc6437ff35a3cc1e8c4777ee80d85a9c112e63e) to allow any interactive user (i.e., not just *nemo*) to mount an SD-card.
Hence v1.1 requires at least [SailfishOS 3.2.1](https://together.jolla.com/question/217840/changelog-321-nuuksio/#217840-udisks2).<br />
Note that mounting is still restricted to users, who belong to the Unix-group **system**, in contrast to e.g., [mount-sdcard](https://github.com/Olf0/mount-sdcard).
Note that mounting is still restricted to users, who belong to the Unix-group `system`, in contrast to e.g., [mount-sdcard](https://github.com/Olf0/mount-sdcard).
* v1.0<br />
Due to another round of significant spec-file changes (completely removed SalifishOS dependencies and all %post scriptlets), increasing the version number again.
* v0.6<br />
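Review bot: the two lines starting "For Cryptsetup "plain"" deserve a content fix beyond the bold-to-italics change: they say SHA1 hashes the pass-file "down to 160 bits", yet the same default passes "-s 256", i.e. requests a 256-bit key; state how the remaining 96 bits of key material are derived by cryptsetup's plain-mode key derivation, otherwise readers may assume 256-bit key strength from a 160-bit digest. A smaller point: "(in this order)" for the two EnvironmentFiles should say explicitly that the partition-specific file takes precedence over the generic one, since systemd reads EnvironmentFile= entries in the listed order and a later setting overrides an earlier one.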
2 changes: 1 addition & 1 deletion polkit-1/localauthority/50-local.d/69-cryptosd.pkla
@@ -1,4 +1,4 @@
[Allow nemo and Android mounting encrypted SD-cards]
[Allow primary user (e.g., nemo, defaultuser) and AlienDalvik to mount encrypted SD-cards]
Identity=unix-group:media_rw
Action=org.freedesktop.udisks2.filesystem-mount-system
ResultAny=yes
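Review bot: the section title now names the primary user and AlienDalvik, but the rule body still grants org.freedesktop.udisks2.filesystem-mount-system to every member of unix-group media_rw with ResultAny=yes, i.e. regardless of whether the caller has an active local session; if that is required because the mount is issued from a system service (the udisksctl-user call in the mount templates of this commit) rather than by a logged-in user, add a comment line saying so, since a reader would otherwise expect ResultActive=yes with ResultAny and ResultInactive left at no.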
2 changes: 1 addition & 1 deletion rpm/crypto-sdcard.spec
@@ -1,6 +1,6 @@
Name: crypto-sdcard
Summary: Configuration files for unlocking and mounting encrypted SD-cards automatically
Version: 1.3.4
Version: 1.4.0
# Since v1.3.1, the release version consists of two or three fields, separated by a dot ("."):
# - The first field must contain a natural number greater than zero.
# This number may be prefixed by one of {alpha,beta,stable}, e.g. "alpha13".
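Review bot: Version goes from 1.3.4 to 1.4.0, but the README's "Version history" in this same commit still ends at v1.3 and its feature list labels the latest behaviour "Since v1.3.4"; add a v1.4 entry (the dropped udev-settle ordering, the disabled one-second settle delay and the reworked udev rules are the user-visible differences in this commit) so the spec version and the documented history agree.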
2 changes: 1 addition & 1 deletion systemd/system/cryptosd-luks@.service
@@ -1,7 +1,7 @@
[Unit]
Description=Open DM-Crypt LUKS on SD-card %I
Documentation=https://github.com/Olf0/crypto-sdcard
After=systemd-udevd.service systemd-udev-settle.service dev-%i.device
After=systemd-udevd.service dev-%i.device
BindsTo=dev-%i.device
PartOf=cryptsetup.target
Conflicts=actdead.target factory-test.target
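Review bot: removing systemd-udev-settle.service from After= is the right direction (that unit only waits for the whole udev queue to drain), and nothing is lost for this template, because BindsTo=dev-%i.device together with After=dev-%i.device already holds each instance back until its own block device exists, and the udev rules in this commit pull the instance in per device via SYSTEMD_WANTS; the commit message ("Pull for v1.4.0") does not say any of this, so please record the rationale as a comment above the After= line or in the PR description, since the change affects boot ordering on devices where the SD-card appears late.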
2 changes: 1 addition & 1 deletion systemd/system/cryptosd-plain@.service
@@ -1,7 +1,7 @@
[Unit]
Description=Open DM-Crypt "plain" on SD-card %I
Documentation=https://github.com/Olf0/crypto-sdcard
After=systemd-udevd.service systemd-udev-settle.service dev-%i.device
After=systemd-udevd.service dev-%i.device
BindsTo=dev-%i.device
PartOf=cryptsetup.target
Conflicts=actdead.target factory-test.target
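Review bot: identical edit to the LUKS template; the [Unit] sections of the two templates differ only in Description=, so any later change to these ordering lines (including a comment explaining why udev-settle is no longer needed) has to be mirrored in both files or they will drift apart.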
12 changes: 6 additions & 6 deletions systemd/system/mount-cryptosd-luks@.service
@@ -5,23 +5,23 @@ After=udisks2.service cryptosd-luks@%i.service cryptsetup.target dev-mapper-%i.d
BindsTo=cryptsetup.target dev-mapper-%i.device
Requires=udisks2.service cryptosd-luks@%i.service
# Allow for rescue.target and conflict with umount.target (see
# man 7 systemd.special; needed expicitly for the new ExecStopPost
# man 7 systemd.special; needed explicitly for the new ExecStopPost
# statement as this a mounting unit, though not a mount unit):
Conflicts=umount.target actdead.target factory-test.target
# Ensure that this Unit is processed before alien-service-manager
# is started (and even more importantly that it is shut down, *after*
# alien-service-manager is shut down), to allow for android_storage
# on encrypted SD-card:
# alien-service-manager is shut down), to allow for e.g. (and more),
# android_storage on encrypted SD-card:
Before=alien-service-manager.service

[Service]
Type=oneshot
RemainAfterExit=yes
# "udisksctl mount" (below) often fails when issued right after
# "udisksctl mount" (below) sometimes fails when issued right after
# "udisksd" (per "udisks2.service") has finished starting, as the
# udisks object for an encrypted partition has not been created yet.
# Hence giving udisksd a second to settle:
ExecStartPre=/bin/sleep 1
# Hence one might give udisksd a second to settle:
# ExecStartPre=/bin/sleep 1
EnvironmentFile=-/var/lib/environment/udisks2/%[email protected]
EnvironmentFile=-/var/lib/environment/udisks2/%p@%I.conf
ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
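Review bot: commenting out ExecStartPre=/bin/sleep 1 removes the only mitigation for the race the comment right above it still describes ("udisksctl mount" sometimes fails right after udisksd has started because the udisks object does not exist yet); with Type=oneshot and no retry, a failed mount leaves the partition unlocked but unmounted until the next boot. Either keep the delay, or replace the fixed sleep with a wait for the object itself, e.g. (hypothetical replacement, not part of this PR) `ExecStartPre=/bin/sh -c 'for i in 1 2 3 4 5; do udisksctl info -b /dev/mapper/%I && exit 0; sleep 1; done; exit 1'`. The typo fix (explicitly) and the reworded comments are fine, and the two EnvironmentFile= lines are unchanged, their "-" prefix already making missing option files non-fatal.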
12 changes: 6 additions & 6 deletions systemd/system/mount-cryptosd-plain@.service
@@ -5,23 +5,23 @@ After=udisks2.service cryptosd-plain@%i.service cryptsetup.target dev-mapper-%i.
BindsTo=cryptsetup.target dev-mapper-%i.device
Requires=udisks2.service cryptosd-plain@%i.service
# Allow for rescue.target and conflict with umount.target (see
# man 7 systemd.special; needed expicitly for the new ExecStopPost
# man 7 systemd.special; needed explicitly for the new ExecStopPost
# statement as this a mounting unit, though not a mount unit):
Conflicts=umount.target actdead.target factory-test.target
# Ensure that this Unit is processed before alien-service-manager
# is started (and even more importantly that it is shut down, *after*
# alien-service-manager is shut down), to allow for android_storage
# on encrypted SD-card:
# alien-service-manager is shut down), to allow for e.g. (and more),
# android_storage on encrypted SD-card:
Before=alien-service-manager.service

[Service]
Type=oneshot
RemainAfterExit=yes
# "udisksctl mount" (below) often fails when issued right after
# "udisksctl mount" (below) sometimes fails when issued right after
# "udisksd" (per "udisks2.service") has finished starting, as the
# udisks object for an encrypted partition has not been created yet.
# Hence giving udisksd a second to settle:
ExecStartPre=/bin/sleep 1
# Hence one might give udisksd a second to settle:
# ExecStartPre=/bin/sleep 1
EnvironmentFile=-/var/lib/environment/udisks2/%[email protected]
EnvironmentFile=-/var/lib/environment/udisks2/%p@%I.conf
ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
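Review bot: same edit as in the LUKS mount template, with the same consequence: the settle delay is disabled while the comment still states that the mount sometimes fails right after udisksd starts, and a oneshot failure here leaves the "plain" mapping open but unmounted; whatever replacement for the fixed sleep is chosen for the LUKS unit must be applied here as well, since the two [Service] sections are otherwise identical apart from the unit names.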
10 changes: 5 additions & 5 deletions udev/rules.d/96-cryptosd.rules
@@ -1,14 +1,14 @@
# For DM-Crypt LUKS, match sda0 to mmcblk1 to both SUBSYSTEM=="block" and ENV{ID_FS_TYPE}=="crypto_LUKS"
KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add", OPTIONS+="string_escape=none", SYMLINK+="crypto_luks_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape [email protected] crypto_luks_%E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="%c"
KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add", SYMLINK+="crypto_luks_%E{ID_FS_UUID}", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] crypto_luks_%E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="'%c'"

# For DM-Crypt "plain", also match sda0 to mmcblk1 to SUBSYSTEM=="block", but ensure (by ENV{ID_*}!= statements) that it appears to be unused space
# Two rules, one for partitions and a tighter one for whole disks:
KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add", OPTIONS+="string_escape=none", SYMLINK+="crypto_plain_%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape [email protected] crypto_plain_%k", ENV{SYSTEMD_WANTS}="%c"
KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add", OPTIONS+="string_escape=none", SYMLINK+="crypto_plain_%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape [email protected] crypto_plain_%k", ENV{SYSTEMD_WANTS}="%c"
KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add", SYMLINK+="crypto_plain_%k", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] crypto_plain_%k", ENV{SYSTEMD_WANTS}="'%c'"
KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add", SYMLINK+="crypto_plain_%k", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] crypto_plain_%k", ENV{SYSTEMD_WANTS}="'%c'"

# Carefully match resulting virtual node dm-* to trigger mounting it; see /lib/udev/rules.d/10-dm.rules for details
KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_luks_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", OPTIONS+="string_escape=none", GROUP="disk", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{DM_NAME}", ENV{SYSTEMD_WANTS}="%c"
KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_luks_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{DM_NAME}", ENV{SYSTEMD_WANTS}="'%c'"

# Ditto for DM-Crypt "plain":
KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_plain_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", OPTIONS+="string_escape=none", GROUP="disk", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{DM_NAME}", ENV{SYSTEMD_WANTS}="%c"
KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_plain_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{DM_NAME}", ENV{SYSTEMD_WANTS}="'%c'"

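Review bot: besides quoting '%c' in SYSTEMD_WANTS, this hunk silently drops MODE="0660" from the three rules matching the raw encrypted partitions and GROUP="disk", MODE="0660" from the two dm-* rules, so the owner, group and mode of both the encrypted block devices and the unlocked mapper nodes now depend entirely on the default rules (10-dm.rules for the mapper nodes, per the comment); confirm on a device that the resulting permissions are no wider than before, and say in the commit message why the explicit settings were redundant. Also worth a test: dropping OPTIONS+="string_escape=none" changes how udev treats the systemd-escape output assigned to SYSTEMD_WANTS, which contains backslash sequences such as \x2d for the hyphens in a LUKS UUID, so verify with a LUKS partition and with a "plain" device that the right unit instance is still pulled in; the ENV{SYSTEMD_USER_WANTS}="" removal is harmless as it only cleared the variable.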