Matthias Schniedermeyer wrote:
> When I use a key-file that is only 'gpg --store -a', e.g. because
> the key-file is stored inside an encrypted filesystem that is currently
> mounted, mount still asks for a Password where anything can be typed.

I hope that for security reasons you are using a different key file for each
automounted file system. If you are mounting removable media, then the
encrypted key file must be stored on the same media. A passphrase-less key
file on the same media won't provide any security.

> What makes this not beautiful is that it can only be short-circuited
> with -p <whatever>. But that doesn't fly with the autofs map-type rule. You
> can only provide "-o <whatever>" options that are passed down to mount.
> Naturally redirecting stderr isn't possible either.

I don't know what automounter implementation you are using, but the BSD amd
automounter that I am using lets the admin configure a program or script to
do the actual mount operation.

> The mount succeeds, because nothing can be read from STDIN as I guess
> there is no STDIN, so the mount continues.
> But every time an encrypted automount happens I get an ugly
> ... automount[1441]: >> Password:
> line in syslog.

I don't see such messages on my box. Below are some config lines from my test
box that I set up to automount an encrypted floppy. The first 8192 bytes of
each floppy are used to store a gpg-encrypted key file.
Here is the mount point definition in the /etc/am-utils/amd.conf file:

[/a]
map_name = /etc/am-utils/amd.a

Here is the map entry in the /etc/am-utils/amd.a file:

fd0-crypt type:=program;fs:=/floppy;mount:="/etc/am-utils/cryptmount.sh /etc/am-utils/cryptmount.sh ext2 /dev/fd0 /floppy /dev/loop0";unmount:="/bin/umount umount /floppy"

Here is the root-only executable shell script in the /etc/am-utils/cryptmount.sh file:

#!/bin/sh
# amd passes: $1 = fs type, $2 = device, $3 = mount point, $4 = loop device.
# The gpg key file is read from the start of the device itself (gpgkey=$2);
# the passphrase that unlocks it is read from fd 3 (-p3).
/bin/mount -t $1 $2 $3 -o encryption=AES128,gpgkey=$2,offset=8192,loop=$4 -p3 3</tmp/clearpassword

Here is a script that I used to create an encrypted floppy:

#!/bin/bash
DEV=/dev/fd0
LOOP=/dev/loop7
set -v
set -e
# Clear the first 16*512 = 8192 bytes, the region reserved for the key file.
yes "" | dd of=${DEV} bs=512 count=16 conv=notrunc
# Generate a 65-line random key, symmetrically encrypt it with gpg and
# store the ASCII-armored result at the start of the floppy.
head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
  | gpg --symmetric -a --no-comments --no-emit-version | dd of=${DEV} conv=notrunc
# Fill the filesystem area with zeros encrypted under a throw-away random
# passphrase (read from fd 0), so the media looks uniformly random.
head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 \
  | losetup -p 0 -e AES128 -o 8192 ${LOOP} ${DEV}
dd if=/dev/zero of=${LOOP} bs=4k conv=notrunc || true
sync
losetup -d ${LOOP}
# Now set up the loop with the real key read from the device and create ext2.
losetup -e AES128 -K ${DEV} -o 8192 ${LOOP} ${DEV}
mkfs -t ext2 -m 0 -O none ${LOOP}
losetup -d ${LOOP}

-- 
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
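As an added example (not from the thread), here is a Python check of the media layout the post describes: the ASCII-armored gpg message must start at byte 0 and, apart from padding, end before the filesystem offset of 8192, and its OpenPGP CRC24 tells a corrupted key region apart from a wrong passphrase. The armor() helper only mimics the text layout of 'gpg -a --no-comments --no-emit-version' around constructed bytes; it performs no encryption.

```python
import base64

KEY_REGION = 8192   # offset=8192 in the post: gpg key file in front, ext2 after it
BEGIN = b"-----BEGIN PGP MESSAGE-----"
END = b"-----END PGP MESSAGE-----"

def crc24(data: bytes) -> int:
    """OpenPGP radix-64 CRC (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packet: bytes) -> bytes:
    """Header, blank line, 64-column base64, '=' + CRC24, footer (constructed stand-in for gpg -a)."""
    body = base64.b64encode(packet)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big"))
    return b"\n".join([BEGIN, b""] + lines + [b"=" + crc, END, b""])

def make_image(key_armor: bytes, fs_bytes: bytes) -> bytes:
    """Device image as in the post: key region padded with newlines (yes "") to 8192, fs behind it."""
    if len(key_armor) > KEY_REGION:
        raise ValueError("armored key does not fit in front of the filesystem offset")
    return key_armor.ljust(KEY_REGION, b"\n") + fs_bytes

def extract_key(image: bytes) -> bytes:
    """Return the armored payload; raise if armor is missing, overruns, has stray data, or fails CRC."""
    region = image[:KEY_REGION]
    if not region.startswith(BEGIN):
        raise ValueError("no armored key at start of device")
    end = region.find(END)
    if end < 0:
        raise ValueError("armor footer not inside key region (key overruns offset?)")
    if region[end + len(END):].strip(b"\x00\n"):
        raise ValueError("unexpected data between key and filesystem offset")
    lines = region[len(BEGIN):end].split(b"\n")
    data = b"".join(l for l in lines if l and not l.startswith(b"="))
    crc_lines = [l for l in lines if l.startswith(b"=")]
    if len(crc_lines) != 1:
        raise ValueError("armor checksum line missing")
    packet = base64.b64decode(data, validate=True)
    if crc24(packet) != int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big"):
        raise ValueError("armor CRC mismatch: key region is corrupted")
    return packet
```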