On Thursday, 27 April 2006 06:13, ext John Norvell wrote:

> So, let me see if I understand. If I never supply any key file, the
> passwords are being attached to a key that is stored on the partition
> itself, generated by the luksFormat command? How, then, would I
> configure pam_mount to send the login password to mount a home directory
> encrypted this way?
>
> Pre luks, I used a line like this in pam_mount.conf:
>
> volume john crypt - /dev/sda8 /home/john loop,cipher=aes aes-256-cbc /home/john.key

I don't know pam_mount. However, it doesn't matter if you use passwords or
keyfiles. You can have a passphrase for slot 0 and a keyfile for slot 1, like:

louisa ~ # cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/evms/test

WARNING!
========
This will overwrite data on /dev/evms/test irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
louisa ~ # dd if=/dev/urandom of=/etc/crypt/keyfile count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 0.000189 seconds, 2.7 MB/s
louisa ~ # cryptsetup luksAddKey /dev/evms/test /etc/crypt/keyfile
Enter any LUKS passphrase:
Verify passphrase:
key slot 0 unlocked.
Command successful.
louisa ~ # cryptsetup -d /etc/crypt/keyfile luksOpen /dev/evms/test c-test
key slot 1 unlocked.
Command successful.
louisa ~ # cryptsetup -d /etc/crypt/keyfile luksAddKey /dev/evms/test
key slot 1 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Command successful.
louisa ~ # cryptsetup luksDump /dev/evms/test
LUKS header information for /dev/evms/test

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      85 41 5f 23 3b a9 c4 6e 53 bf 2b 69 56 7b 60 90 f4 94 a7 da
MK salt:        8e e3 8a 68 7c 57 4c bd 32 e7 83 c7 1c c2 33 1c
                88 1b 4c 29 af 8e 46 f3 5b 6a 19 62 b4 25 83 0a
MK iterations:  10
UUID:           03450168-dd89-442e-bacc-f91abb34a94b

Key Slot 0: ENABLED
        Iterations:             181256
        Salt:                   ad f7 3f 05 75 d8 8f be ed a8 58 1e 5f 3e 17 cc
                                58 4b 2f 7f 7a 3b 24 de f9 41 f1 fe 1d 8e e7 cc
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             187593
        Salt:                   82 38 4c 7b 52 b8 24 ff ad 3c 64 0f 52 c1 24 ab
                                58 e3 ad fb cb 8b 3d 3c d2 9c 6c a0 79 ff a4 5b
        Key material offset:    136
        AF stripes:             4000
Key Slot 2: ENABLED
        Iterations:             188120
        Salt:                   8e 4c 35 58 5e 28 1d 42 d8 9f 79 03 97 2c 7c d9
                                05 02 70 b7 5a 14 ef 60 4b 31 b7 ca 60 f6 79 2d
        Key material offset:    264
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

As you see there, I have now 3 key slots enabled: one can be unlocked with
the keyfile (1), the others (0, 2) can be unlocked with a passphrase. It
doesn't matter which one you provide, you only need to be able to unlock one
of those three slots.

HTH...

	Dirk

-- 
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: dirk.heinrichs@xxxxxxxxxxxxx
Hambornerstraße 55      | Web:  http://www.capgemini.com
D-40472 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net
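The luksDump listing in Dirk's reply is what an administrator reads to confirm which key slots exist on a volume. The following is an added example, not code from the thread or from cryptsetup itself: a small Python parser for that LUKS1 luksDump text plus an audit function that compares the ENABLED slots against the slots you expect (say, one passphrase slot and one keyfile slot), so an extra slot added without your knowledge, or a keyfile slot that has been removed, shows up. The sample dump is the one pasted in the message; the function names parse_luks_dump, enabled_slots and audit_key_slots are my own.

```python
"""Parse LUKS1 `cryptsetup luksDump` output and audit the key slots it reports.

Added example for the dm-crypt thread above; it is not cryptsetup code.
"""
import re

# Constructed sample: the luksDump output quoted in the thread (LUKS1 format).
SAMPLE_DUMP = """\
LUKS header information for /dev/evms/test

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      85 41 5f 23 3b a9 c4 6e 53 bf 2b 69 56 7b 60 90 f4 94 a7 da
MK salt:        8e e3 8a 68 7c 57 4c bd 32 e7 83 c7 1c c2 33 1c
                88 1b 4c 29 af 8e 46 f3 5b 6a 19 62 b4 25 83 0a
MK iterations:  10
UUID:           03450168-dd89-442e-bacc-f91abb34a94b

Key Slot 0: ENABLED
        Iterations:             181256
        Salt:                   ad f7 3f 05 75 d8 8f be ed a8 58 1e 5f 3e 17 cc
                                58 4b 2f 7f 7a 3b 24 de f9 41 f1 fe 1d 8e e7 cc
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             187593
        Salt:                   82 38 4c 7b 52 b8 24 ff ad 3c 64 0f 52 c1 24 ab
                                58 e3 ad fb cb 8b 3d 3c d2 9c 6c a0 79 ff a4 5b
        Key material offset:    136
        AF stripes:             4000
Key Slot 2: ENABLED
        Iterations:             188120
        Salt:                   8e 4c 35 58 5e 28 1d 42 d8 9f 79 03 97 2c 7c d9
                                05 02 70 b7 5a 14 ef 60 4b 31 b7 ca 60 f6 79 2d
        Key material offset:    264
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

SLOT_RE = re.compile(r"^Key Slot (\d+):\s+(ENABLED|DISABLED)\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*)$")


def _intify(fields):
    """Turn purely numeric field values (Version, Iterations, ...) into ints."""
    for key, value in fields.items():
        if isinstance(value, str) and value.isdigit():
            fields[key] = int(value)
    return fields


def parse_luks_dump(text):
    """Return (header, slots): header fields and {slot_no: {"enabled": bool, ...}}."""
    header, slots = {}, {}
    current, last_key = None, None  # current slot dict (None while in header)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SLOT_RE.match(line)
        if m:
            current = {"enabled": m.group(2) == "ENABLED"}
            slots[int(m.group(1))] = current
            last_key = None
            continue
        target = header if current is None else current
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            target[last_key] = m.group(2).strip()
        elif last_key is not None and line[:1] == " ":
            # wrapped hex field (MK salt, per-slot Salt): join with the previous line
            target[last_key] += " " + line.strip()
    _intify(header)
    for slot in slots.values():
        _intify(slot)
    return header, slots


def enabled_slots(slots):
    """Slot numbers reported as ENABLED, in ascending order."""
    return sorted(n for n, s in slots.items() if s["enabled"])


def audit_key_slots(slots, expected):
    """Compare ENABLED slots with the slots the administrator expects.

    Returns (unexpected, missing): slots that are enabled but were not expected
    (a key added outside your process) and expected slots that are disabled
    (e.g. the keyfile slot was removed, so the keyfile no longer unlocks).
    """
    enabled, expected = set(enabled_slots(slots)), set(expected)
    return sorted(enabled - expected), sorted(expected - enabled)


if __name__ == "__main__":
    hdr, slots = parse_luks_dump(SAMPLE_DUMP)
    print(f"{hdr['Cipher name']}-{hdr['Cipher mode']}, MK bits {hdr['MK bits']}")
    for n in enabled_slots(slots):
        print(f"slot {n}: {slots[n]['Iterations']} iterations")
    # Dirk's box has three slots in use; an admin expecting only 0 and 1 sees slot 2.
    print("unexpected/missing:", audit_key_slots(slots, expected=[0, 1]))
```

Run against the real thing with the output of `cryptsetup luksDump <device>` piped into parse_luks_dump; on the sample, an administrator who only provisioned slots 0 (passphrase) and 1 (keyfile) is told that slot 2 is also enabled.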