cryptsetup with native PKCS#11 support

Hi guys

I'm new here. The purpose of this email is the PKCS#11 support in cryptsetup I'm working on.

In short: I need to encrypt a disk with LUKS and store the key on a PKCS#11-compatible device. I know
there are a lot of examples of how to do this using gnupg or openssl. The goal is to have the key only on the token
and retrieve it upon the 'luksOpen' operation based on PIN only.

What is working now is:
- key generation (as pass-phrase) using smartcard/token hardware RNG
- encrypt a backup of the key using certificate from token upon 'luksFormat'
- decrypt key from file using private key from token upon 'luksOpen'
- all of the above extensions are built into the cryptsetup command (a few new switches)
- dependencies are minimal - only pkcs11 library file for token is required (no libp11 or pkcs11-helper)

Later I will add storage of keyfile on token as data object.

As this job is for private use only, the code is a little messy and unclean. 

So I want to open a discussion: is native PKCS#11 support in cryptsetup needed? If yes, please give me any
possible hint that can help, or a suggestion of what or how to implement to make it secure.

Regards
Krzysztof Rutecki
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
