Re: Is crypttab secure to automount a partition?

You can hardcode a passphrase in an initrd, put that on a USB key
and remove the USB after boot. (We had that as an emergency procedure
for a reboot in a DC setup. The USB key was locked in a safe
to secure it.)

Something needs to be provided, either a secret or a token, there
is no security without that.

Regards,
Arno

On Mon, Mar 22, 2021 at 17:06:01 CET, Christopher de Vidal wrote:
>    That's very cool. But I get the impression from your response that
>    there is no way to automount securely? E.g. at least one password entry
>    is always required.
>    Christopher de Vidal
>    Would you consider yourself a good person? Have you ever taken the
>    'Good Person' test? It's a fascinating five minute quiz. Google it.
> 
>    On Sat, Mar 20, 2021 at 7:54 PM Carlos E. R.
>    <[1]robin.listas@xxxxxxxxxxxxxx> wrote:
> 
>      On 20/03/2021 17.43, Christopher de Vidal wrote:
>      > I am a newbie with this so go gentle please :-) I want to
>      > automagically mount a partition at boot. Is it secure to use the
>      > crypttab key field? I assume I would have to store the passphrase
>      > in plain text in the file specified in the key field, and since as
>      > I understand it the point of partition encryption is to prevent a
>      > malicious local user with physical access from reading the files,
>      > if the user can read the file specified in the key field, wouldn't
>      > they then be able to decrypt the partition? Seems to me like
>      > leaving the front door key under the doormat, but maybe I'm just
>      > ignorant how it works. Please educate this newbie.
>      Suppose you have several encrypted partitions. One of them would be
>      opened normally, with a password. It would contain a file, which
>      would be the key to automatically open the other two partitions
>      (which can also be opened manually with their password).
>      It is a trick for opening several partitions on boot by entering
>      only one password.
>      /etc/crypttab:
>      cr_home      /dev/disk/by-id/ata-something-part5  \
>           none  timeout=300,discard
>      cr_data1    /dev/disk/by-partlabel/data_1_raw     \
>             /home/things/Keys/the_data_keyfile   auto
>      fstab:
>      /dev/mapper/cr_home    /home  xfs  lazytime,exec,nofail   1  2
>      /dev/mapper/cr_data1   /data/data_1  xfs  user,lazytime,exec,nofail  1  2
>      The keyfile has to be created once (4 KiB random data, for example)
>      and added to the crypt:
>      cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
>      cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
>            /dev/sdc1 cr_cripta
>      There may be other uses, but that's the one I have.
>      You could have the keyfile stored on a USB stick. To open the
>      partition you would have to connect the USB stick first. A better
>      procedure would be that the system would also require a passphrase
>      to proceed, but I don't know how to achieve that (the mantra is one
>      thing you have, one thing you know. Two factors).
>      --
>      Cheers / Saludos,
>                      Carlos E. R.
>                      (from 15.2 x86_64 at Telcontar)
>      _______________________________________________
>      dm-crypt mailing list -- [2]dm-crypt@xxxxxxxx
>      To unsubscribe send an email to [3]dm-crypt-leave@xxxxxxxx
> 
> References
> 
>    1. mailto:robin.listas@xxxxxxxxxxxxxx
>    2. mailto:dm-crypt@xxxxxxxx
>    3. mailto:dm-crypt-leave@xxxxxxxx



-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
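The arrangement Carlos describes in the quoted message (a key file kept on a passphrase-unlocked volume, used to open the other volumes automatically) is only as strong as where that key file sits and who can read it, which is exactly the "key under the doormat" worry in the original question. The following is an added example, not code from this thread or from cryptsetup: a small Python audit that parses crypttab and fstab text, finds the filesystem each key file lives on, and reports key files that are stored on a volume which is not itself a passphrase-unlocked dm-crypt mapping, or that are not root-owned mode 0400. The sample crypttab/fstab are constructed from the entries in the thread plus a hypothetical cr_data2 whose key file sits on the unencrypted root filesystem; make_keyfile creates the 4 KiB random key file mentioned in the thread (the cryptsetup luksAddKey step is not run here).

```python
"""Audit crypttab key-file entries against fstab (added example, not from the thread)."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAPPER = "/dev/mapper/"


@dataclass
class CryptEntry:
    name: str
    device: str
    key: Optional[str]  # None when the key field is "none" or "-" (passphrase prompt)
    options: str


def parse_crypttab(text: str) -> List[CryptEntry]:
    """Parse crypttab(5) lines: name device [key-file] [options]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        key = f[2] if len(f) > 2 else None
        if key in ("none", "-"):
            key = None
        entries.append(CryptEntry(f[0], f[1], key, f[3] if len(f) > 3 else ""))
    return entries


def parse_fstab(text: str) -> Dict[str, str]:
    """Return {mount point: device} from fstab(5) lines."""
    mounts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            dev, mnt = line.split()[:2]
            mounts[mnt] = dev
    return mounts


def mount_for(path: str, mounts: Dict[str, str]) -> str:
    """Longest mount point that contains path; "/" if none matches."""
    best = "/"
    for mnt in mounts:
        if (path == mnt or path.startswith(mnt.rstrip("/") + "/")) and len(mnt) > len(best):
            best = mnt
    return best


def audit(crypttab: str, fstab: str, stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[str]:
    """One finding per problem; an empty list means every stored key is itself protected."""
    entries = parse_crypttab(crypttab)
    by_name = {e.name: e for e in entries}
    mounts = parse_fstab(fstab)
    findings = []
    for e in entries:
        if e.key is None:
            continue  # passphrase prompt: nothing on disk to audit
        mnt = mount_for(e.key, mounts)
        dev = mounts.get(mnt, "")
        backing = by_name.get(dev[len(MAPPER):]) if dev.startswith(MAPPER) else None
        if backing is None:
            findings.append(f"{e.name}: key file {e.key} is on {mnt} ({dev or 'unknown device'}), "
                            "not a dm-crypt volume: the key is stored in the clear")
        elif backing.key is not None:
            findings.append(f"{e.name}: key file {e.key} is on {backing.name}, which is itself "
                            "unlocked by a stored key file rather than a passphrase")
        try:
            st = stat_fn(e.key)
        except FileNotFoundError:
            findings.append(f"{e.name}: key file {e.key} does not exist")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append(f"{e.name}: key file {e.key} is readable by group/other (mode {mode:04o})")
        if st.st_uid != 0:
            findings.append(f"{e.name}: key file {e.key} is not owned by root (uid {st.st_uid})")
    return findings


def make_keyfile(path: str, size: int = 4096) -> str:
    """Create a 4 KiB random key file, mode 0400, refusing to overwrite an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(size))
    os.chmod(path, 0o400)  # the O_CREAT mode is subject to umask; pin it explicitly
    return path


# Constructed sample: the thread's two entries plus a hypothetical cr_data2 whose
# key file sits on the unencrypted root filesystem.
SAMPLE_CRYPTTAB = """\
cr_home   /dev/disk/by-id/ata-something-part5  none                                timeout=300,discard
cr_data1  /dev/disk/by-partlabel/data_1_raw    /home/things/Keys/the_data_keyfile  auto
cr_data2  /dev/disk/by-partlabel/data_2_raw    /etc/keys/data2.key                 auto
"""
SAMPLE_FSTAB = """\
/dev/sda2             /             ext4  defaults                   0 1
/dev/mapper/cr_home   /home         xfs   lazytime,exec,nofail       1 2
/dev/mapper/cr_data1  /data/data_1  xfs   user,lazytime,exec,nofail  1 2
"""


def demo_findings() -> List[str]:
    """Run the audit on the sample with a fake stat so it works without the real files."""
    def fake(mode, uid):
        return os.stat_result((stat.S_IFREG | mode, 0, 0, 1, uid, 0, 4096, 0, 0, 0))
    files = {"/home/things/Keys/the_data_keyfile": fake(0o400, 0),
             "/etc/keys/data2.key": fake(0o644, 0)}
    return audit(SAMPLE_CRYPTTAB, SAMPLE_FSTAB, stat_fn=lambda p: files[p])


def demo_keyfile():
    """Create a key file in a temporary directory and return its (size, mode)."""
    with tempfile.TemporaryDirectory() as d:
        st = os.stat(make_keyfile(os.path.join(d, "the_data_keyfile")))
        return st.st_size, stat.S_IMODE(st.st_mode)
```

Running audit on a real system (`audit(open("/etc/crypttab").read(), open("/etc/fstab").read())`) reports nothing for the cr_data1 layout above, because its key lives on cr_home, which is opened with a passphrase; it flags cr_data2 twice, once for living on the plain root filesystem and once for being group/other-readable. The check is deliberately conservative: it does not know about an initrd or a USB key, so a key file stored that way (Arno's emergency procedure) would also be reported and has to be judged by hand.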