Re: Is crypttab secure to automount a partition?


 



On 20/03/2021 17.43, Christopher de Vidal wrote:
> I am a newbie with this so go gentle please :-) I want to automagically mount a partition at boot. Is it secure to use the crypttab key field? I assume I would have to store the passphrase in plain text in the file specified in the key field, and since as I understand it the point of partition encryption is to prevent a malicious local user with physical access from reading the files, if the user can read the file specified in the key field, wouldn't they then be able to decrypt the partition? Seems to me like leaving the front door key under the doormat, but maybe I'm just ignorant of how it works. Please educate this newbie.

Suppose you have several encrypted partitions. One of them would be opened normally, with a password. It would contain a file, which would be the key to automatically open the other two partitions (which can also be opened manually with their password).

It is a trick for opening several partitions on boot while entering only one password.

/etc/crypttab:

cr_home      /dev/disk/by-id/ata-something-part5  \
    none  timeout=300,discard

cr_data1    /dev/disk/by-partlabel/data_1_raw     \
      /home/things/Keys/the_data_keyfile   auto


fstab:

/dev/mapper/cr_home    /home  xfs  lazytime,exec,nofail   1  2
/dev/mapper/cr_data1 /data/data_1 xfs user,lazytime,exec,nofail 1 2

The keyfile has to be created once (4 KiB random data, for example) and added to the crypt:

cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile

cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
     /dev/sdc1 cr_cripta

There may be other uses, but that's the one I have.

You could have the keyfile stored on a USB stick. To open the partition you would have to connect the USB stick first. A better procedure would be that the system would also require a passphrase to proceed, but I don't know how to achieve that (the mantra is one thing you have, one thing you know. Two factors).



--
Cheers / Saludos,

		Carlos E. R.
		(from 15.2 x86_64 at Telcontar)
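As an added example (not part of Carlos's post), a small POSIX shell helper that creates the 4 KiB keyfile the reply describes and checks the two properties that decide whether it is the "key under the doormat" the question worries about: the file is readable only by its owner, and it sits on a filesystem that is itself a dm-crypt mapping (like cr_home above, unlocked with a passphrase). All paths are placeholders; the cryptsetup luksAddKey step itself is not run here.

```shell
#!/bin/sh
# Added example, not from the post. Creates a LUKS keyfile (4096 random
# bytes) and checks it is owner-only and stored on a dm-crypt volume.
# Paths are placeholders; run "cryptsetup luksAddKey <dev> <keyfile>"
# as root afterwards, as the reply shows.
set -eu

# make_keyfile PATH: 4096 random bytes, never world-readable, even briefly.
make_keyfile() {
    kf=$1
    ( umask 077 && head -c 4096 /dev/urandom > "$kf" )
    chmod 0600 "$kf"
}

# keyfile_ok PATH: 0 only if the file exists, is exactly 4096 bytes and
# has mode 0600 (no group/other access). Anything else is a finding.
keyfile_ok() {
    kf=$1
    [ -f "$kf" ] || return 1
    size=$(wc -c < "$kf" | tr -d ' ')
    [ "$size" -eq 4096 ] || return 1
    mode=$(stat -c '%a' "$kf" 2>/dev/null || stat -f '%Lp' "$kf")
    [ "$mode" = "600" ]
}

# keyfile_on_dm_crypt PATH: 0 if the filesystem holding PATH is backed by
# a /dev/mapper device, i.e. the keyfile only becomes readable after that
# volume was unlocked (cr_home in the post is opened with a passphrase).
keyfile_on_dm_crypt() {
    src=$(df -P "$1" | awk 'NR == 2 { print $1 }')
    case $src in
        /dev/mapper/*) return 0 ;;
        *) return 1 ;;
    esac
}

# crypttab_line NAME DEVICE KEYFILE: the /etc/crypttab entry that unlocks
# DEVICE with KEYFILE at boot (the "luks" option marks it a LUKS volume).
crypttab_line() {
    printf '%s  %s  %s  luks\n' "$1" "$2" "$3"
}

# Usage: sh keyfile.sh /home/things/Keys/the_data_keyfile  (placeholder)
if [ -n "${1-}" ]; then
    make_keyfile "$1"
    keyfile_ok "$1" || { echo "bad keyfile size/permissions: $1" >&2; exit 1; }
    keyfile_on_dm_crypt "$1" || echo "warning: $1 is not on a dm-crypt volume" >&2
    crypttab_line cr_data1 /dev/disk/by-partlabel/data_1_raw "$1"
fi
```

If the warning fires, the keyfile is readable by anyone who can read the disk it is on, which is exactly the scenario the question describes.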


_______________________________________________
dm-crypt mailing list -- dm-crypt@xxxxxxxx
