> Secondly, there's the issue of passphrase hashing. I agree with the
> decision to cut it out of losetup, but where do we put it now? Andries
> has suggested an external program, but this isn't as simple as it sounds.
> To get this working would require a new way of reading the passphrase,
> since the hashed passphrase might contain a newline, or a null. Maybe
> change the semantics of the -p option, so that:
>
> losetup -e aes /dev/loop/10 /home/sluskyb/testloop
>
> will work when I give it the passphrase "foobar", but also
>
> pwhash -h sha1 |losetup -e aes -k 128 -p 0 /dev/loop/0 \
>   /dev/discs/disc0/part3
>
> will read exactly 16 bytes of (probably) non-printable chars and use
> that as the key.

I've implemented an external PAM module (pam_losetup) that hashes a
passphrase (obtained from PAM) along with a stored salt value, and then
uses it to decrypt a stored filesystem key (both the key and the salt are
stored in a system keyfile, by default /etc/qpasswd). This is then piped
to losetup (the format of the piped key probably needs to change).

Try out qryptix-0.1 (on sourceforge, probably mirrored elsewhere) for this
and some additional utilities to generate and manage the encrypted keys.
There is some minimal documentation on getting it going, but no man pages
yet. I'm using it on a number of machines (mostly laptops) to secure my
home directory.

Comments, suggestions, patches would be welcome.

(Not sure if this will make it past the spam filter at linux-crypto, so
I'm cc'ing it).

-Siva
schander@xxxxxxxxxxxxxx
Qryptix Data Security, Chennai, India.

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
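The two designs discussed in this message, the quoted "pwhash | losetup -p 0" pipeline that hands losetup a fixed number of raw key bytes, and the pam_losetup scheme that derives a key from passphrase plus stored salt and uses it to decrypt a stored filesystem key, are sketched below as an added example. This is not qryptix's code nor the pam_losetup implementation, and the mail does not say which hash, cipher or keyfile layout qryptix uses: PBKDF2-HMAC-SHA256 for the passphrase/salt step, an HMAC-SHA256 counter-mode keystream as a stdlib-only stand-in for the key cipher, the `salt || nonce || ciphertext || tag` record layout, and the `KEY_BITS`, `SALT_LEN`, `NONCE_LEN`, `TAG_LEN` and `KDF_ITERATIONS` parameters are all assumptions made here. The sample key is constructed to contain both a newline and a NUL, which is exactly the case the quoted reply raises against line-oriented passphrase reading.

```python
import hashlib
import hmac
import io
import os
import struct

# Assumed parameters, not taken from the original post or from qryptix:
# the real module's hash, cipher and iteration count are not stated there.
KEY_BITS = 128          # matches "-k 128" in the quoted losetup example
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 100_000


def passphrase_to_key_sha1(passphrase: str, bits: int = KEY_BITS) -> bytes:
    """Model of the quoted 'pwhash -h sha1' pipeline: hash the passphrase and
    keep the first bits/8 bytes as the raw key. The result is arbitrary
    binary (it may contain '\\n' or NUL), which is why the consumer must read
    a fixed byte count rather than a text line."""
    return hashlib.sha1(passphrase.encode("utf-8")).digest()[: bits // 8]


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key from passphrase + stored salt.
    Assumption: PBKDF2-HMAC-SHA256; the post only says 'hashes ... with a salt'."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stdlib-only stand-in for
    a real cipher (the post does not say which cipher qryptix uses)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(kek, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def wrap_key(fs_key: bytes, passphrase: str, salt: bytes, nonce: bytes) -> bytes:
    """Build one keyfile record: salt || nonce || ciphertext || tag.
    Encrypt-then-MAC so a wrong passphrase is detected instead of silently
    handing losetup garbage key bytes."""
    assert len(salt) == SALT_LEN and len(nonce) == NONCE_LEN
    kek = derive_kek(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(fs_key, _keystream(kek, nonce, len(fs_key))))
    tag = hmac.new(kek, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_key(record: bytes, passphrase: str) -> bytes:
    """Inverse of wrap_key: verify the tag under the passphrase-derived KEK,
    then recover the raw filesystem key."""
    if len(record) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("keyfile record too short")
    salt = record[:SALT_LEN]
    nonce = record[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = record[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    kek = derive_kek(passphrase, salt)
    expected = hmac.new(kek, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted keyfile")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def read_key_exact(stream, nbytes: int) -> bytes:
    """What a 'losetup -p 0'-style consumer must do with the piped key: read
    exactly nbytes from a binary stream. A text reader would stop at the
    first '\\n' inside the key and C-string handling at the first NUL."""
    data = b""
    while len(data) < nbytes:
        chunk = stream.read(nbytes - len(data))
        if not chunk:
            raise EOFError(f"expected {nbytes} key bytes, got {len(data)}")
        data += chunk
    return data


def line_oriented_read(piped: bytes) -> bytes:
    """The failure mode the quoted reply warns about: readline() returns
    only the bytes up to and including the first newline."""
    return io.BytesIO(piped).readline()


def demo() -> bytes:
    """Round trip with a constructed key that contains both '\\n' and NUL."""
    fs_key = b"\n\x00" + bytes(range(14))              # constructed 128-bit key
    record = wrap_key(fs_key, "foobar", os.urandom(SALT_LEN), os.urandom(NONCE_LEN))
    piped = io.BytesIO(unwrap_key(record, "foobar"))   # what pam_losetup would pipe
    recovered = read_key_exact(piped, KEY_BITS // 8)
    assert recovered == fs_key
    return recovered


if __name__ == "__main__":
    print(demo().hex())
```

The point of the authenticated wrap is operational rather than cryptographic subtlety: with a bare decrypt, a mistyped passphrase yields 16 bytes of noise that losetup will happily accept, and the user only discovers the problem when the mount fails or, worse, when a fresh mkfs on the "empty" device destroys the real filesystem. With a tag check, pam_losetup can refuse to pipe anything at all.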