Re: start crypto disks at boot and password popup problems

On 4/26/06, Jonas Meurer <jonas@xxxxxxxxxxxxxxx> wrote:

On 22/04/2006 rupert wrote:
> I'm trying to get my crypted disks to be started at boottime.
> I encrypted 3 Harddisks, one for /home and two for data.
> I made a keyfile for each disk that is stored onto a USB Stick,
> when the machine boots and starts /etc/init.d/cryptdisks i get an error
> about that the /home disks uses an unsecure mode and also the USB Stick
> doesn't get mounted correctly (can fix this by myself i think).

hello rupert,

i assume that your usbstick has a fat32 filesystem on it, and that one
doesn't support file permissions. therefore the key on your usbstick is
readable and writeable by everyone, and cryptdisks just warns you about
that. it is only a warning though, not an error.
in the next release that will be turned off by default. the "loud" option
will support warnings.

> I had to edit the init script like this:

the next upload of cryptsetup supports a "mount" option in the crypttab.
it will be uploaded to debian/unstable within the next days. see the
crypttab.5 manpage for more information.

> --schnipp--
> case "$1" in
> start)
>         log_begin_msg "Starting crypto disks..."
> #edit
> mount /dev/sdb1 /media/hdd1
> sleep 1
> cryptsetup luksOpen -d /media/hdd1/home.key /dev/hda1 hda1
> sleep 2
> cryptsetup luksOpen -d /media/hdd1/Daten.key /dev/sda1 Daten
> sleep 1
> cryptsetup luksOpen -d /media/hdd1/MoreData.key /dev/hdb1 MoreData
> sleep 1
> umount /media/hdd1
>
> #edit end
>         egrep -v "^[[:space:]]*(#|$)" $TABFILE | while read dst src key opt; do
>                 echo -n " $dst"
> --schnapp--

you don't need to run cryptsetup manually in the initscript. just mount
/dev/sdb1 and set the keyfiles to '/media/hdd/*.key' in your
/etc/crypttab. the sleeps are unnecessary too. that will do everything.


i removed the cryptsetup entries from the init.d file, and when I now run it
i get the following errors

/etc/init.d/cryptdisks restart
* Stopping crypto disks...  hda1(busy) Daten(stopped)
MoreData(stopped)                                  [ ok ]
* Starting crypto disks...  hda1(running) Daten(starting) - INSECURE MODE
FOR /media/hdd1/Daten.key
Usage: cryptsetup [-?|--help] [--usage] [-v|--verbose] [-c|--cipher STRING]
       [-h|--hash STRING] [-y|--verify-passphrase] [-d|--key-file STRING]
       [-s|--key-size BITS] [-b|--size SEKTOREN] [-o|--offset SEKTOREN]
       [-p|--skip SEKTOREN] [-r|--readonly] [-i|--iter-time msecs]
       [OPTION...] <action> <action-specific>]
/sbin/cryptsetup: Unbekannte Aktion.
MoreData(starting) - INSECURE MODE FOR /media/hdd1/MoreData.key
Usage: cryptsetup [-?|--help] [--usage] [-v|--verbose] [-c|--cipher STRING]
       [-h|--hash STRING] [-y|--verify-passphrase] [-d|--key-file STRING]
       [-s|--key-size BITS] [-b|--size SEKTOREN] [-o|--offset SEKTOREN]
       [-p|--skip SEKTOREN] [-r|--readonly] [-i|--iter-time msecs]
       [OPTION...] <action> <action-specific>]
/sbin/cryptsetup: Unbekannte Aktion.

These lines were the reason why i added the cryptsetup commands to it.
My USB Stick is ext3 formatted.

> when i run this script manually most of the times everything gets done ok, I
> have two keys for home, sometimes changing it here and in crypttab does the
> job.
>
> this is my crypttab:
>
> hda1            /dev/hda1  /media/STICK/hda1.key
> Daten           /dev/sda1  /media/STICK/Daten.key  luks,retry=3,cipher=aes-cbc-essiv:sha256
> MoreData        /dev/hdb1  /media/STICK/MoreData.key  luks,retry=3,cipher=aes-cbc-essiv:sha256

update the keyfiles to point to their real location (in your example above
this seems to be /media/hdd1, not /media/STICK).
apart from that, it looks good.

as already said, you don't need to run cryptsetup manually in the
initscript, if you have listed the encrypted disks in /etc/crypttab.

> The other annoying problem is that i get some popups during gnome startup to
> enter the passwords for the already initialized encrypted Disks,
> can i stop this somehow?

i don't know how this is generated, but maybe it's due to the wrong
keyfile locations in /etc/crypttab. no idea about that one.

> thx for help, not many people on this list, but I hope someone reads this

sorry for the long delay before answering.

...
jonas
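
A keyfile permission audit in the spirit of the "INSECURE MODE" warning discussed in this thread, as an added example that is not part of the original messages and is not the cryptdisks script's own code. The function names, the scratch directory and the sample crypttab are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not cryptdisks' own code): flag keyfiles in a crypttab-style
# file that group or others can access. Assumes GNU stat (stat -c).

# 0 = no group/other permission bits, 1 = too permissive, 2 = keyfile missing.
keyfile_mode_ok() {
    [ -f "$1" ] || return 2                 # e.g. the USB stick is not mounted
    mode=$(stat -c '%a' "$1") || return 2   # octal mode, such as 600 or 644
    [ $(( 0$mode & 077 )) -eq 0 ]           # mask the group and other bits
}

# Print one line per entry; the return value is the number of flagged entries.
audit_crypttab() {
    bad=0
    while read -r dst src key opt; do
        case "$dst" in ''|'#'*) continue ;; esac   # blank lines and comments
        case "$key" in ''|none) continue ;; esac   # no keyfile configured
        rc=0
        keyfile_mode_ok "$key" || rc=$?
        case "$rc" in
            0) echo "ok       $dst $key" ;;
            1) echo "insecure $dst $key"; bad=$((bad + 1)) ;;
            *) echo "missing  $dst $key"; bad=$((bad + 1)) ;;
        esac
    done < "$1"
    return "$bad"
}

# Constructed sample: three entries modelled on the thread, with keyfiles
# placed in a scratch directory instead of /media/hdd1.
make_sample() {
    printf 'k' > "$1/home.key";  chmod 600 "$1/home.key"
    printf 'k' > "$1/Daten.key"; chmod 644 "$1/Daten.key"
    cat > "$1/crypttab" <<EOF
# <name> <device> <keyfile> <options>
hda1     /dev/hda1 $1/home.key     luks
Daten    /dev/sda1 $1/Daten.key    luks,retry=3,cipher=aes-cbc-essiv:sha256
MoreData /dev/hdb1 $1/MoreData.key luks,retry=3,cipher=aes-cbc-essiv:sha256
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_crypttab "$tmp/crypttab" || echo "$? entries need attention"
rm -rf "$tmp"
```

On a FAT-formatted stick the mode bits come from the mount options rather than the file, so the result there reflects how the stick was mounted.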

