On Sun, Jun 30, 2013 at 07:24:46PM -0300, Roberto Spadim wrote: > Hi guys, i want to create a map to my crypted disk > but, instead of putting the passkey every time, or using a pkcs11 (smart > card), i want to get the passkey from a external server via network > in other words: > > 1)place a new hard disk > 2)setup dm-crypt over disk > 3) mount disk using a external server like " > https://www.host.com/get_passkey.php?UUID=xxxxx"; That looks overly complicated. Why not use something like ssh <user@remote> "cat uuid_file_xxxx" | cryptsetup ... with a password-less ssh setup. Or improve it, use the UUID as user-name and make "cat <passwordfile>" the login-shell. Then you just need ssh <UUID@remote | cryptswetup and users cannot log in, just echo the passphrase. (For admin purposes you can still log into the remote server as rtoot and do a su UUID which gives you a non-login shell.) This gives you the far better security level of ssh with two-sided authentication, instead of the basically broken SSL 1-sided authentification with the basically broken PKI and the risk that anybody that can obtain your UUID or use a PHP vulnerability, webserver vulnerability or a vulnerability in your PHP code can get your passphrase. Also, anybody able to replace your server (ip spoofing, DNS spoofing, ...) can inject whatever they like into your client-side script with the web-solution. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. --Tony Hoare _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
