Configuration for encrypted block devices
AF_UNIX KEY FILES
If the key file path (as specified in the third column of /etc/crypttab
entries, see above) refers to an AF_UNIX stream socket in the file system,
the key is acquired by connecting to the socket and reading the key from the
connection. The connection is made from an AF_UNIX socket name in the
abstract namespace, see unix(7) for details. The source socket name is
chosen according to the following format:

    NUL RANDOM "/cryptsetup/" VOLUME

In other words: a NUL byte (as required for abstract namespace sockets),
followed by a random string (consisting of alphanumeric characters only),
followed by the literal string "/cryptsetup/", followed by the name of the
volume to acquire the key for. Example (for a volume "myvol"):

    \0d7067f78d9827418/cryptsetup/myvol

Services listening on the AF_UNIX stream socket may query the source socket
name with getpeername(2), and use it to determine which key to send, allowing
a single listening socket to serve keys for a multitude of volumes. If the
PKCS#11 logic is used (see above) the source socket name is picked in
identical fashion, except that the literal string "/cryptsetup-pkcs11/" is
used (similarly for FIDO2: "/cryptsetup-fido2/" and TPM2:
"/cryptsetup-tpm2/"). This is done so that services providing key material
know that what is being requested is not a secret key but an encrypted key,
which will then be decrypted via the PKCS#11/FIDO2/TPM2 logic to acquire the
final secret key.
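The following is an added example, not part of crypttab(5) or of systemd's
own code, showing both sides of the exchange described above: a key service
that listens on an AF_UNIX stream socket and decides which key to send solely
from the client's abstract source name obtained via getpeername(2), and a
client that binds to a freshly generated name in the documented
NUL RANDOM PREFIX VOLUME format before connecting. The key store contents,
the volume names, and the socket path are constructed for the example; the
parser also rejects names that do not follow the format (unbound or
path-based peers, a missing or non-alphanumeric random part, an unknown
prefix, an empty volume name). Abstract-namespace sockets are Linux-specific,
so the demo assumes Linux.

```python
import os
import secrets
import socket
import tempfile
import threading

# Literal prefixes from crypttab(5): the one used tells the service whether a
# plain secret key or a PKCS#11/FIDO2/TPM2-wrapped key is being requested.
PREFIXES = {
    b"/cryptsetup/": "plain",
    b"/cryptsetup-pkcs11/": "pkcs11",
    b"/cryptsetup-fido2/": "fido2",
    b"/cryptsetup-tpm2/": "tpm2",
}

# Constructed sample key store (stand-in for whatever backend a real key
# service would consult), keyed first by request mode, then by volume name.
KEY_STORE = {
    "plain": {b"myvol": b"constructed-plain-key-myvol"},
    "pkcs11": {b"myvol": b"constructed-pkcs11-wrapped-key-myvol"},
}


def parse_peer_name(name):
    """Parse an abstract source socket name of the form
    NUL RANDOM PREFIX VOLUME and return (mode, volume), or None if the name
    does not follow that format. Python returns abstract peer names as bytes
    with the leading NUL included; path-based peers come back as str and an
    unbound peer as an empty string, both of which are rejected here."""
    if not isinstance(name, bytes) or not name or name[0] != 0:
        return None
    body = name[1:]
    slash = body.find(b"/")          # the random part is alphanumeric, so the
    if slash <= 0:                   # first '/' starts the literal prefix
        return None
    rnd, rest = body[:slash], body[slash:]
    if not rnd.isalnum():
        return None
    for prefix, mode in PREFIXES.items():
        if rest.startswith(prefix):
            volume = rest[len(prefix):]
            return (mode, volume) if volume else None
    return None


def serve_one(listener):
    """Service side: accept one connection, pick the key purely from the
    peer's abstract source name (getpeername(2)), send it, and close. Closing
    the connection is what tells the client the key is complete."""
    conn, _ = listener.accept()
    with conn:
        parsed = parse_peer_name(conn.getpeername())
        if parsed is not None:
            mode, volume = parsed
            key = KEY_STORE.get(mode, {}).get(volume)
            if key is not None:
                conn.sendall(key)


def acquire_key(socket_path, volume, mode="plain"):
    """Client side: bind to a fresh abstract name in the documented format,
    connect to the service and read until EOF."""
    prefix = next(p for p, m in PREFIXES.items() if m == mode)
    rnd = secrets.token_hex(8).encode()          # 16 alphanumeric characters
    source = b"\0" + rnd + prefix + volume       # NUL RANDOM PREFIX VOLUME
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.bind(source)
        s.connect(socket_path)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(volume=b"myvol", mode="plain"):
    """Run service and client in one process over a temporary socket path and
    return what the client received (b"" if the service had no key for that
    volume and mode)."""
    tmpdir = tempfile.mkdtemp()
    socket_path = os.path.join(tmpdir, "keys.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        listener.bind(socket_path)
        listener.listen(1)
        server = threading.Thread(target=serve_one, args=(listener,))
        server.start()
        key = acquire_key(socket_path, volume, mode)
        server.join()
    finally:
        listener.close()
        if os.path.exists(socket_path):
            os.unlink(socket_path)
        os.rmdir(tmpdir)
    return key


if __name__ == "__main__":
    print(demo(b"myvol", "plain"))
    print(demo(b"myvol", "pkcs11"))
```

The service never trusts anything the client sends on the connection; the
only input it acts on is the kernel-supplied peer name, which is why the
parser is strict about the format. Because the random part is alphanumeric,
the first "/" unambiguously marks the start of the prefix, so a volume name
containing further slashes is still split correctly.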