Re: Booting with passphrase on USB key

Bob Williams wrote:
Hi, I'm new to this list, and to encryption.

I have my /home partition encrypted, and have created two luks key slots. Slot 0 takes input from the keyboard, and slot 1 was created with something like the following line:

# cryptsetup luksAddKey /dev/sda3 /media/disk/datafile

Datafile contains a line of text which is intended to be an alternative to decrypt the /home partition.

The USB stick is listed in fstab above the entry for /dev/sda3 and is mounted by LABEL to /media/disk. It does mount at boot time, but I always have to enter the passphrase (key slot 0) manually.

What else do I need to do to be able to boot my machine, with the USB stick inserted, and not have to enter the passphrase in key slot 0 manually each time?

One way is to use a script which runs cryptsetup luksOpen that you run as a udev run rule.

This is what I've done:

udev rule:
SUBSYSTEM=="block", RUN+="/etc/udev/scripts/usbluks.rr", OPTIONS="last_rule"

Script attached.

It assumes a name for the device based on the device - you need another udev rule if you want to change this. It then looks for a key file in /etc/keys with the same name. I'm sure you can devise different schemes to suit.

Remember that the key file exists on the system so you need to consider the security implications.

Note also that you can use any data as a key. You can use random data or, for example, jpg files.

Dick

#!/bin/bash

# usbluks.rr - script for mapping luks crypto drives
# Copyright (C) 2005 R.J.Middleton
# e-mail: dick@xxxxxxxxxxxx
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

############################################################################
#                                    
# File Name ......................... usbluks.rr
# Written By ........................ Dick Middleton
# Date .............................. 20-Apr-05
#
# Description :  Based on a script by Volker Sauer
#                           <vsauer@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
#     contributed to cryptsetup project
#
############################################################################


CRYPTSETUP=/sbin/cryptsetup     # needed to setup dm-crypt (package cryptsetup)
UDEVINFO=/usr/bin/udevinfo
DMSETUP=/sbin/dmsetup           # device mapper config
KEYDIR=/etc/keys                # directory with host keys of this computer
export DEBUG=yes

# provides mesg (logging) for udev run scripts
source /lib/udev/hotplug.functions

# remove a device-mapper map if nothing has it open
function rmmap {
    ident=$1
    if $DMSETUP info "$ident" | grep -q '^Open count: *0$'; then
        if ! $CRYPTSETUP luksClose "$ident"; then
            mesg "Failed to close existing map: $ident"
        fi
    fi
}

##mesg "SUBS= ${SUBSYSTEM}   ACT= ${ACTION}"

if [ "${SUBSYSTEM}" == 'block' ]; then
    ident=`basename "$DEVNAME"`
    mapper=/dev/mapper/$ident
    keyfile=$KEYDIR/$ident      # key file is named after the device

    if [ "$ACTION" == 'add' ]; then
        if [ -e "$DEVNAME" -a -e "$keyfile" ]; then
#           mesg "seeing block device $DEVNAME"
            (
            if [ "${ident:0:3}" = "nbd" ]; then
#               mesg "nbd device - sleeping"
                sleep 1
            fi
            if $CRYPTSETUP isLuks "$DEVNAME"; then
#               mesg "$ident is luks device"
                if [ -b "$mapper" ]; then # map for drive already exists
                    rmmap "$ident"   # remove existing map
                fi
                if [ -e "$keyfile" ]; then
#                   mesg "$ident has keyfile"
                    if $CRYPTSETUP -d "$keyfile" luksOpen "$DEVNAME" "$ident"; then
                        mesg "luks drive $ident ready to mount"
                    fi
                fi
#           else
#               mesg "$ident not luks"
            fi
            ) &
        fi
    else
        if [ -b "$mapper" ]; then # map for drive exists
            code=`$DMSETUP table "$ident" | cut -d ' ' -f3`
            if [ "$code" = "crypt" ]; then
                mesg "removing luks drive $ident"
                rmmap "$ident"     # remove existing map
            fi
        fi
    fi
fi

# Local Variables:
# mode: sh
# End:
#                           ===//===

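The reply above points out that the key file lives on the system and that the device name picked by udev is reused as both the key-file name and the map name. The following is an added example (not Dick's usbluks.rr, and not part of the original thread) of the two checks a helper like this should make before handing a key file to cryptsetup: the device basename is restricted to plain characters before it is turned into a path, and the key file must be a regular, root-owned file with no group or world permission bits. It assumes GNU stat, a KEYDIR laid out as in the script, and that the hypothetical open_luks is the only place cryptsetup is called.

```bash
#!/bin/bash
# Added example: pre-flight checks for a udev-triggered LUKS key-file helper.
# Assumes key files live in KEYDIR named after the block device basename,
# exactly as usbluks.rr does; open_luks is hypothetical glue around cryptsetup.
KEYDIR=${KEYDIR:-/etc/keys}
CRYPTSETUP=${CRYPTSETUP:-/sbin/cryptsetup}

# Derive the key/map name from a device path. udev supplies DEVNAME, but the
# basename still ends up in a filesystem path and a device-mapper name, so
# accept only a plain name of letters, digits, '_' and '-'.
ident_for_device() {
    local ident
    ident=$(basename -- "$1") || return 1
    case $ident in
        ''|.|..|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$ident"
}

# A key file readable by any local user is as good as the passphrase itself:
# require a regular file (not a symlink), owned by OWNER_UID (root by default),
# with mode 0400 or 0600 and nothing else.
keyfile_is_safe() {
    local f=$1 owner=${2:-0} mode
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(stat -c %u -- "$f")" = "$owner" ] || return 1
    mode=$(stat -c %a -- "$f") || return 1
    case $mode in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Open the volume only when both checks pass; the map name is the checked ident.
open_luks() {
    local dev=$1 ident keyfile
    ident=$(ident_for_device "$dev") || { echo "refusing device name: $dev" >&2; return 1; }
    keyfile=$KEYDIR/$ident
    keyfile_is_safe "$keyfile" || { echo "key file $keyfile missing or too open" >&2; return 1; }
    "$CRYPTSETUP" isLuks "$dev" || return 1
    "$CRYPTSETUP" -d "$keyfile" luksOpen "$dev" "$ident"
}
```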

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
