diff --git a/README.md b/README.md
index 8b9feaa6..60b0a964 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ Built RPMs are available in the [release section](https://github.com/Olf0/crypto
The necessary steps to prepare an SD-card (or any other removable storage) are described at [Together.Jolla.com](https://together.jolla.com/question/195850/guide-creating-partitions-on-sd-card-optionally-encrypted/).
Note that the "key"-files reside unencrypted on fixed, internal mass storage, as mobile devices usually have only a single user, who unlocks the whole device.
-Thus **crypto-sdcard** solely protects "data at rest" on SD-cards and other removable storage, i.e. specifically when the device is locked or switched off (and the SD-card may be taken out).
+Thus *crypto-sdcard* solely protects "data at rest" on SD-cards and other removable storage, i.e. specifically when the device is locked or switched off (and the SD-card may be taken out).
#### Features
* These configuration files do not alter, replace or delete any extant files.
@@ -19,30 +19,33 @@ Thus **crypto-sdcard** solely protects "data at rest" on SD-cards and other remo
* Support for Cryptsetup LUKS and Cryptsetup "plain".
* Note that SailfishOS just recently ([with v3.0.3](https://together.jolla.com/question/203846/changelog-303-hossa/#203846-cryptsetup)) switched to Cryptsetup **2**, and so did most (desktop) Linux distributions.
For interoperability with extant Linux installations and commonality with SailfishOS before v3.0.3, which provide Cryptsetup **1.x** (therefore only support LUKSv1 headers), [the "partitioning guide"](https://together.jolla.com/question/195850/guide-creating-partitions-on-sd-card-optionally-encrypted/#195850-43-dm-crypt-encrypted) aims at creating LUKSv1 headers.
- * As Cryptsetup reads the cryptography parameters from the LUKS header and Cryptsetup **2** supports both v1 and v2 headers, **crypto-sdcard** shall work fine with any LUKS header version and parameters, which are valid for the installed Cryptsetup version.
- * For Cryptsetup "plain" (only to be used, when "plausible deniability" is a must), **crypto-sdcard** has to provide the cryptography parameters and uses "*-h sha1 -s 256 -c aes-xts-plain*" by default.
- While these parameters are optimised for speed, low power consumption, interoperability and sufficiently strong security for the next decade (including the specific use of SHA1 for hashing a pass-file down to 160 bits), other parameters may be set for unlocking Cryptsetup "plain" in */etc/systemd/system/cryptosd-plain\@.service*
+ * As Cryptsetup LUKS reads the cryptography parameters from the LUKS header and Cryptsetup **2** supports both v1 and v2 headers, *crypto-sdcard* shall work fine with any LUKS header version and parameters, which are valid for the installed Cryptsetup version.
+ * For Cryptsetup "plain" (only to be used, when "plausible deniability" is a must), *crypto-sdcard* has to provide the cryptography parameters and uses "*-h sha1 -s 256 -c aes-xts-plain*" by default.
+ While these parameters are optimised for speed, low power consumption, interoperability and sufficiently strong security for the next decade (including the specific use of SHA1 for hashing a pass-file down to 160 bits), other parameters may be set for unlocking Cryptsetup "plain" in */etc/systemd/system/cryptosd-plain\@.service*.
+ * Since *crypto-sdcard 1.3.4*, the [parsing of "key"-files in "plain" mode is enhanced](https://github.com/Olf0/crypto-sdcard/commit/ba3ccce0c3573747fadd7b30e576159b15277513) (as an experimental feature).
+ This change requires to [convert extant "key"-files for "plain" mode](https://github.com/Olf0/crypto-sdcard/commit/ba3ccce0c3573747fadd7b30e576159b15277513#commitcomment-47340935).
+ New "plain" "containers" shall be [created slightly differently](https://github.com/Olf0/crypto-sdcard/commit/ba3ccce0c3573747fadd7b30e576159b15277513#commitcomment-47340935) now, in order to take advantage of this enhancement.
* Start mounting encrypted (partitions on) SD-card via udisks at the earliest sensible time: Right after *udisks2.service* has started.
* Unmount before *udisks2.service* begins stopping, hence achieving a clean unmount.
* Also do not use SailfishOS' *udisksctl-user* script for unmounting (because it cannot work at the time ExecStop is executed), which is installed and used by SailfishOS since its release 3.2.1, and was also used by *crypto-sdcard* versions 1.1-1 to 1.3.1-5; see [details here](https://github.com/Olf0/crypto-sdcard/pull/28).
-* Since v1.3.4 the [Systemd EnvironmentFiles](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#EnvironmentFile=) `mount-cryptosd-luks@.conf` and `mount-cryptosd-luks@crypto_luks_.conf` (in this order), respectively `mount-cryptosd-plain@.conf` and `mount-cryptosd-plain@crypto_plain_.conf`, in `/var/lib/environment/udisks2/` are evaluated for additional mount options, if they exist (one or both).
+* Since v1.3.4 the [Systemd EnvironmentFiles](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#EnvironmentFile=) `mount-cryptosd-luks@.conf` and `mount-cryptosd-luks@crypto_luks_.conf` (in this order), respectively `mount-cryptosd-plain@.conf` and `mount-cryptosd-plain@crypto_plain_.conf`, in */var/lib/environment/udisks2/* are evaluated for additional mount options, if they exist (one or both).
Take a look at `ls /dev/mapper/crypto*` for the partition specific part (between the `@` and the `.conf` extension) of the file names for the partition specific configuration files.
These configuration files can be created by a system administrator (i.e., you), so if you want to add restricting mount options, see [here for details](https://github.com/Olf0/mount-sdcard/releases/tag/1.3.2).
* Ensure, that AlienDalvik (specifically *alien-service-manager.service*) begins starting after mounting succeeded, to allow for [android_storage on SD-card](https://together.jolla.com/question/203539/guide-externalising-android_storage-and-other-directories-files-to-sd-card/#203539-2-externalising-homenemoandroid_storage).
Even more importantly (i.e., also relevant for devices without "android_storage on SD-card") this also ensures, that unmounting occurs only after AlienDalvik has completely stopped.
Nevertheless, these configuration files are also applicable to devices without AlienDalvik installed.
-* Boot time is not significantly prolonged, as unlocking encrypted partitions per Cryptsetup occurs in parallel to starting udisks; after both succeeded, all mount operations are also started concurrently.
+* Boot time is not significantly prolonged, as unlocking encrypted partitions per Cryptsetup occurs in parallel to starting *udisks2.service*; after both succeeded, all mount operations are also started concurrently.
#### Version history
* v1.3
- Mounting is now restricted to users, who belong to the Unix-group **media_rw**, which is the case for the user *nemo* since some SailfishOS release before v3.2.1 and after v2.2.1 (unable to assess which one), or the *defaultuser* on freshly installed devices (since SailfishOS 3.4.0).
+ Mounting is now restricted to users, who belong to the Unix-group `media_rw`, which is the case for the user *nemo* since some SailfishOS release before v3.2.1 and after v2.2.1 (unable to assess which one), or the *defaultuser* on freshly installed devices (since SailfishOS 3.4.0).
Significantly altered versioning scheme, git tags naming and archive file (tarball) names, again: This time to accommodate for multiple release variants per version in order to serve different SailfishOS releases from one repository easily. For details see the [document "Release version format, RPM dependencies and Git workflow"](https://github.com/Olf0/crypto-sdcard/blob/master/RPM-dependencies_Git-workflow.md).
* v1.2
Significantly altered versioning scheme, git tags naming and archive file names. For details see the [release information](https://github.com/Olf0/crypto-sdcard/releases/tag/1.2.0).
* v1.1
Following the [changes in SFOS-next](https://git.sailfishos.org/mer-core/udisks2/commit/bcc6437ff35a3cc1e8c4777ee80d85a9c112e63e) to allow any interactive user (i.e., not just *nemo*) to mount an SD-card.
Hence v1.1 requires at least [SailfishOS 3.2.1](https://together.jolla.com/question/217840/changelog-321-nuuksio/#217840-udisks2).
- Note that mounting is still restricted to users, who belong to the Unix-group **system**, in contrast to e.g., [mount-sdcard](https://github.com/Olf0/mount-sdcard).
+ Note that mounting is still restricted to users, who belong to the Unix-group `system`, in contrast to e.g., [mount-sdcard](https://github.com/Olf0/mount-sdcard).
* v1.0
Due to another round of significant spec-file changes (completely removed SalifishOS dependencies and all %post scriptlets), increasing the version number again.
* v0.6
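Review bot: The two new sub-bullets on the enhanced "key"-file parsing in "plain" mode announce a change that requires converting extant "key"-files, yet both "convert extant "key"-files" and "created slightly differently" link to the same commit comment (#commitcomment-47340935) instead of stating the steps. Someone upgrading with an existing "plain" container only learns what to do by following that link, so consider putting the conversion and creation steps into the README itself or into the partitioning guide it already references. Also reword "This change requires to convert" to "This change requires converting", and since the feature is introduced as "Since *crypto-sdcard 1.3.4*" and "experimental" while this patch bumps the version to 1.4.0, say whether it is still experimental in 1.4.0.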
diff --git a/polkit-1/localauthority/50-local.d/69-cryptosd.pkla b/polkit-1/localauthority/50-local.d/69-cryptosd.pkla
index a2d220f5..10ff7e79 100644
--- a/polkit-1/localauthority/50-local.d/69-cryptosd.pkla
+++ b/polkit-1/localauthority/50-local.d/69-cryptosd.pkla
@@ -1,4 +1,4 @@
-[Allow nemo and Android mounting encrypted SD-cards]
+[Allow primary user (e.g., nemo, defaultuser) and AlienDalvik to mount encrypted SD-cards]
Identity=unix-group:media_rw
Action=org.freedesktop.udisks2.filesystem-mount-system
ResultAny=yes
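Review bot: The new section title names the primary user and AlienDalvik, but the rule under it grants org.freedesktop.udisks2.filesystem-mount-system to every member of unix-group:media_rw with ResultAny=yes, so the title describes the intent rather than who is actually authorised. Suggest naming the group in the title, e.g. "Allow members of group media_rw (primary user, AlienDalvik) to mount encrypted SD-cards", so that anyone auditing the polkit rules sees that adding an account to media_rw also grants this mount right.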
diff --git a/rpm/crypto-sdcard.spec b/rpm/crypto-sdcard.spec
index 77a3da47..cddeaa66 100644
--- a/rpm/crypto-sdcard.spec
+++ b/rpm/crypto-sdcard.spec
@@ -1,6 +1,6 @@
Name: crypto-sdcard
Summary: Configuration files for unlocking and mounting encrypted SD-cards automatically
-Version: 1.3.4
+Version: 1.4.0
# Since v1.3.1, the release version consists of two or three fields, separated by a dot ("."):
# - The first field must contain a natural number greater than zero.
# This number may be prefixed by one of {alpha,beta,stable}, e.g. "alpha13".
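Review bot: The version moves from 1.3.4 to 1.4.0, but the README's "Version history" touched by this same patch still begins at v1.3 and gains no v1.4 entry. A minor-version bump should come with a short entry there that names what changed for users: systemd-udev-settle.service dropped from After=, ExecStartPre=/bin/sleep 1 disabled in the mount units, and the reworked udev rules.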
diff --git a/systemd/system/cryptosd-luks@.service b/systemd/system/cryptosd-luks@.service
index 8587e8b4..61893a0e 100644
--- a/systemd/system/cryptosd-luks@.service
+++ b/systemd/system/cryptosd-luks@.service
@@ -1,7 +1,7 @@
[Unit]
Description=Open DM-Crypt LUKS on SD-card %I
Documentation=https://github.com/Olf0/crypto-sdcard
-After=systemd-udevd.service systemd-udev-settle.service dev-%i.device
+After=systemd-udevd.service dev-%i.device
BindsTo=dev-%i.device
PartOf=cryptsetup.target
Conflicts=actdead.target factory-test.target
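Review bot: Dropping systemd-udev-settle.service from After= leaves no record of why that ordering is no longer needed; neither the unit nor the rest of the patch comments on it. If the reasoning is that After= and BindsTo= on dev-%i.device already cover the device being present, a one-line comment above After= saying so would keep the next editor from re-adding it. The identical change in cryptosd-plain@.service deserves the same comment.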
diff --git a/systemd/system/cryptosd-plain@.service b/systemd/system/cryptosd-plain@.service
index 0ce5a170..6dc37b75 100644
--- a/systemd/system/cryptosd-plain@.service
+++ b/systemd/system/cryptosd-plain@.service
@@ -1,7 +1,7 @@
[Unit]
Description=Open DM-Crypt "plain" on SD-card %I
Documentation=https://github.com/Olf0/crypto-sdcard
-After=systemd-udevd.service systemd-udev-settle.service dev-%i.device
+After=systemd-udevd.service dev-%i.device
BindsTo=dev-%i.device
PartOf=cryptsetup.target
Conflicts=actdead.target factory-test.target
diff --git a/systemd/system/mount-cryptosd-luks@.service b/systemd/system/mount-cryptosd-luks@.service
index 0dc90e59..66b9b4ad 100644
--- a/systemd/system/mount-cryptosd-luks@.service
+++ b/systemd/system/mount-cryptosd-luks@.service
@@ -5,23 +5,23 @@ After=udisks2.service cryptosd-luks@%i.service cryptsetup.target dev-mapper-%i.d
BindsTo=cryptsetup.target dev-mapper-%i.device
Requires=udisks2.service cryptosd-luks@%i.service
# Allow for rescue.target and conflict with umount.target (see
-# man 7 systemd.special; needed expicitly for the new ExecStopPost
+# man 7 systemd.special; needed explicitly for the new ExecStopPost
# statement as this a mounting unit, though not a mount unit):
Conflicts=umount.target actdead.target factory-test.target
# Ensure that this Unit is processed before alien-service-manager
# is started (and even more importantly that it is shut down, *after*
-# alien-service-manager is shut down), to allow for android_storage
-# on encrypted SD-card:
+# alien-service-manager is shut down), to allow for e.g. (and more),
+# android_storage on encrypted SD-card:
Before=alien-service-manager.service
[Service]
Type=oneshot
RemainAfterExit=yes
-# "udisksctl mount" (below) often fails when issued right after
+# "udisksctl mount" (below) sometimes fails when issued right after
# "udisksd" (per "udisks2.service") has finished starting, as the
# udisks object for an encrypted partition has not been created yet.
-# Hence giving udisksd a second to settle:
-ExecStartPre=/bin/sleep 1
+# Hence one might give udisksd a second to settle:
+# ExecStartPre=/bin/sleep 1
EnvironmentFile=-/var/lib/environment/udisks2/%p@.conf
EnvironmentFile=-/var/lib/environment/udisks2/%p@%I.conf
ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
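Review bot: With ExecStartPre=/bin/sleep 1 commented out, the updated comment still states that "udisksctl mount" sometimes fails because the udisks object for the encrypted partition has not been created yet, and nothing in this hunk replaces the delay. Unless something outside the hunk retries, that failure now ends the Type=oneshot unit without a mount. Either keep the delay or replace it with something deterministic (for example a bounded retry of the mount), and have the comment say what to do when the failure occurs instead of "one might give udisksd a second to settle".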
diff --git a/systemd/system/mount-cryptosd-plain@.service b/systemd/system/mount-cryptosd-plain@.service
index e994254e..7a023384 100644
--- a/systemd/system/mount-cryptosd-plain@.service
+++ b/systemd/system/mount-cryptosd-plain@.service
@@ -5,23 +5,23 @@ After=udisks2.service cryptosd-plain@%i.service cryptsetup.target dev-mapper-%i.
BindsTo=cryptsetup.target dev-mapper-%i.device
Requires=udisks2.service cryptosd-plain@%i.service
# Allow for rescue.target and conflict with umount.target (see
-# man 7 systemd.special; needed expicitly for the new ExecStopPost
+# man 7 systemd.special; needed explicitly for the new ExecStopPost
# statement as this a mounting unit, though not a mount unit):
Conflicts=umount.target actdead.target factory-test.target
# Ensure that this Unit is processed before alien-service-manager
# is started (and even more importantly that it is shut down, *after*
-# alien-service-manager is shut down), to allow for android_storage
-# on encrypted SD-card:
+# alien-service-manager is shut down), to allow for e.g. (and more),
+# android_storage on encrypted SD-card:
Before=alien-service-manager.service
[Service]
Type=oneshot
RemainAfterExit=yes
-# "udisksctl mount" (below) often fails when issued right after
+# "udisksctl mount" (below) sometimes fails when issued right after
# "udisksd" (per "udisks2.service") has finished starting, as the
# udisks object for an encrypted partition has not been created yet.
-# Hence giving udisksd a second to settle:
-ExecStartPre=/bin/sleep 1
+# Hence one might give udisksd a second to settle:
+# ExecStartPre=/bin/sleep 1
EnvironmentFile=-/var/lib/environment/udisks2/%p@.conf
EnvironmentFile=-/var/lib/environment/udisks2/%p@%I.conf
ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
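Review bot: The reworded comment above Before=alien-service-manager.service, "to allow for e.g. (and more), android_storage on encrypted SD-card", no longer reads as a sentence; "to allow for, e.g., android_storage on an encrypted SD-card" says the same thing. Further down, disabling ExecStartPre=/bin/sleep 1 while the comment still describes the mount as sometimes failing raises the same question here as in mount-cryptosd-luks@.service: what handles that failure now?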
diff --git a/udev/rules.d/96-cryptosd.rules b/udev/rules.d/96-cryptosd.rules
index 186482c3..bba8f0c1 100644
--- a/udev/rules.d/96-cryptosd.rules
+++ b/udev/rules.d/96-cryptosd.rules
@@ -1,14 +1,14 @@
# For DM-Crypt LUKS, match sda0 to mmcblk1 to both SUBSYSTEM=="block" and ENV{ID_FS_TYPE}=="crypto_LUKS"
-KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add", OPTIONS+="string_escape=none", SYMLINK+="crypto_luks_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-luks@.service crypto_luks_%E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="%c"
+KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add", SYMLINK+="crypto_luks_%E{ID_FS_UUID}", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-luks@.service crypto_luks_%E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="'%c'"
# For DM-Crypt "plain", also match sda0 to mmcblk1 to SUBSYSTEM=="block", but ensure (by ENV{ID_*}!= statements) that it appears to be unused space
# Two rules, one for partitions and a tighter one for whole disks:
-KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add", OPTIONS+="string_escape=none", SYMLINK+="crypto_plain_%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-plain@.service crypto_plain_%k", ENV{SYSTEMD_WANTS}="%c"
-KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add", OPTIONS+="string_escape=none", SYMLINK+="crypto_plain_%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-plain@.service crypto_plain_%k", ENV{SYSTEMD_WANTS}="%c"
+KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add", SYMLINK+="crypto_plain_%k", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-plain@.service crypto_plain_%k", ENV{SYSTEMD_WANTS}="'%c'"
+KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add", SYMLINK+="crypto_plain_%k", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-plain@.service crypto_plain_%k", ENV{SYSTEMD_WANTS}="'%c'"
# Carefully match resulting virtual node dm-* to trigger mounting it; see /lib/udev/rules.d/10-dm.rules for details
-KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_luks_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", OPTIONS+="string_escape=none", GROUP="disk", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", ENV{SYSTEMD_WANTS}="%c"
+KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_luks_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", ENV{SYSTEMD_WANTS}="'%c'"
# Ditto for DM-Crypt "plain":
-KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_plain_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", OPTIONS+="string_escape=none", GROUP="disk", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=mount-cryptosd-plain@.service %E{DM_NAME}", ENV{SYSTEMD_WANTS}="%c"
+KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_plain_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=mount-cryptosd-plain@.service %E{DM_NAME}", ENV{SYSTEMD_WANTS}="'%c'"
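Review bot: All five rules lose MODE="0660", and the two dm-* rules also lose GROUP="disk", so owner, group and mode of these nodes now depend on whatever other udev rules apply, and nothing in the file says which ones. These are the block devices carrying the encrypted and the unlocked data, so please confirm that the resulting permissions are no wider than before and record that in a comment. The switch from ENV{SYSTEMD_WANTS}="%c" to ENV{SYSTEMD_WANTS}="'%c'" together with the removal of OPTIONS+="string_escape=none" changes how the systemd-escape output is handed on and also deserves a one-line comment explaining the quoting; the same goes for dropping ENV{SYSTEMD_USER_WANTS}="" from the first three rules.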