That's very cool. But I get the impression from your response that there is no way to automount securely? E.g. at least one password entry is always required.
Christopher de Vidal
Would you consider yourself a good person? Have you ever taken the 'Good Person' test? It's a fascinating five minute quiz. Google it.
On Sat, Mar 20, 2021 at 7:54 PM Carlos E. R. <robin.listas@xxxxxxxxxxxxxx> wrote:
On 20/03/2021 17.43, Christopher de Vidal wrote:
> I am a newbie with this so go gentle please :-) I want to automagically
> mount a partition at boot. Is it secure to use the crypttab key field? I
> assume I would have to store the passphrase plain texting the file
> specified in the key field, and since as I understand it the point of
> partition encryption is to prevent a malicious local user with physical
> access from reading the files, if the user can read the file specified
> in the key field, wouldn't they then be able to decrypt the partition?
> Seems to me like leaving the front door key under the doormat, but maybe
> I'm just ignorant how it works. Please educate this newbie.
Suppose you have several encrypted partitions. One of them would be
opened normally, with a password. It would contain a file, which would
be the key to automatically open the other two partitions (which can
also be opened manually with their password).
It is a trick to open several partitions on boot while entering only
one password.
/etc/crypttab:
cr_home  /dev/disk/by-id/ata-something-part5  none  timeout=300,discard
cr_data1 /dev/disk/by-partlabel/data_1_raw  /home/things/Keys/the_data_keyfile  auto
fstab:
/dev/mapper/cr_home /home xfs lazytime,exec,nofail 1 2
/dev/mapper/cr_data1 /data/data_1 xfs user,lazytime,exec,nofail 1 2
The keyfile has to be created once (4 KiB random data, for example) and
added to the crypt:
cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
/dev/sdc1 cr_cripta
There may be other uses, but that's the one I have.
You could have the keyfile stored on a USB stick. To open the partition
you would have to connect the USB stick first. A better procedure would
be that the system would also require a passphrase to proceed, but I
don't know how to achieve that (the mantra is one thing you have, one
thing you know. Two factors).
--
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)
_______________________________________________
dm-crypt mailing list -- dm-crypt@xxxxxxxx
To unsubscribe send an email to dm-crypt-leave@xxxxxxxx
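The safety argument in Carlos's setup is that the keyfile lives on cr_home, which itself only opens with a passphrase; a keyfile on the plain root disk would be the "key under the doormat" from the original question. The following is an added example (not from the thread) that checks exactly that chain for every crypttab entry, using a constructed crypttab and /proc/mounts sample modelled on the message; it also follows multi-hop chains (a keyfile on a volume that is itself keyfile-unlocked).

```python
# Added example: audit crypttab key files by asking which filesystem holds each
# keyfile and whether that filesystem is a mapping unlocked with a passphrase.

def parse_crypttab(text):
    """{name: (device, keyfile or None)}; 'none'/'-' means passphrase prompt."""
    entries = {}
    for f in (line.split() for line in text.splitlines()):
        if f and not f[0].startswith("#"):
            key = f[2] if len(f) > 2 and f[2] not in ("none", "-") else None
            entries[f[0]] = (f[1], key)
    return entries

def backing_source(path, mounts_text):
    """Source device of the deepest /proc/mounts entry that contains `path`."""
    mounts = {f[1]: f[0] for f in map(str.split, mounts_text.splitlines()) if len(f) > 1}
    hits = [mp for mp in mounts if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return mounts[max(hits, key=len)]

def audit(crypttab_text, mounts_text):
    """{name: verdict} for every crypttab entry that is unlocked by a key file."""
    entries = parse_crypttab(crypttab_text)
    verdicts = {}
    for name, (_, keyfile) in entries.items():
        if keyfile is None:
            continue
        seen, src = {name}, backing_source(keyfile, mounts_text)
        # Walk the chain: keyfile -> mapping holding it -> how that mapping opens.
        while src.startswith("/dev/mapper/"):
            holder = src[len("/dev/mapper/"):]
            if holder in seen or holder not in entries:
                verdicts[name] = f"UNCLEAR: {src} holding {keyfile} is not a crypttab entry"
                break
            seen.add(holder)
            if entries[holder][1] is None:
                verdicts[name] = f"OK: {keyfile} is on {src}, which needs a passphrase"
                break
            src = backing_source(entries[holder][1], mounts_text)
        else:  # no break: the chain ended on a device that is not dm-crypt
            verdicts[name] = f"RISK: {keyfile} is on unencrypted {src} (key under the doormat)"
    return verdicts

# Constructed sample (not a real system): the poster's two entries plus a bad
# cr_data2 whose key file sits on the unencrypted root partition.
CRYPTTAB = """\
cr_home  /dev/disk/by-id/ata-something-part5  none  timeout=300,discard
cr_data1 /dev/disk/by-partlabel/data_1_raw    /home/things/Keys/the_data_keyfile auto
cr_data2 /dev/disk/by-partlabel/data_2_raw    /etc/keys/data2.key auto
"""
MOUNTS = """\
/dev/sda2 / ext4 rw 0 0
/dev/mapper/cr_home /home xfs rw 0 0
/dev/mapper/cr_data1 /data/data_1 xfs rw 0 0
"""
```

Run `audit(CRYPTTAB, MOUNTS)` to get one verdict per keyfile-unlocked entry; on a live box feed it the contents of /etc/crypttab and /proc/mounts.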