On 15/03/09 23:22, Keith G. Robertson-Turner wrote:
One request I would like to throw out there, as a RFE, is the ability to specify *keyfiles* instead of a password, when anaconda is setting up an encrypted filesystem with cryptsetup. My current arrangement requires me to manually edit the initrd thus:

    echo Setting up disk encryption: SecureKeys
    cryptsetup luksOpen /dev/sdb1 SecureKeys
    mkdir /SecureKeys
    mount -t ext3 /dev/mapper/SecureKeys /SecureKeys
    echo Setting up disk encryption: takeMScrypt
    cryptsetup luksOpen /dev/sda2 takeMScrypt --key-file=/SecureKeys/takeMScrypt.key
    echo Closing encryption keys volume: SecureKeys
    umount /SecureKeys
    cryptsetup luksClose SecureKeys

sda is a USB keychain, with a built-in MicroSDHC card reader. sda1 is "/boot", unencrypted. sda2 is "/" on an LVM volume encrypted with the keyfile on sdb1. sdb is a MicroSDHC card, with the key store on sdb1, which is itself password encrypted. So when this boots, I'm asked for a password once, which unlocks the key store, and uses keyfiles in that key store to unlock the other filesystems, then closes and unmounts the keystore, so the MicroSDHC card can be physically removed (and possibly hidden). How easy would it be to build something like this into anaconda?
I've attached the patch to rc.sysinit I use in-house here to achieve a similar thing.
In short, all my users' gpg keys are held in /etc/gnupg (root.root/0700), and I have a usb key which holds a small (4k) bit of random data from /dev/random which is gpg encrypted to everyone's public keys. /etc/crypttab is then modified to use '/mnt/.home.key.gpg' instead of 'none'.
I then add the keyfile to the luks partition with cryptsetup (any passphrases can be kept if you're wary about losing the ability to decrypt - simply don't remove the passphrase from the luks partition and don't plug the usb stick in when booting).
Plymouth passes the requested passphrase into gpg, which decrypts the keyfile; the result is then passed via stdin/stdout into cryptsetup to unlock the partition.
This way, a user's laptop, usb key and passphrase would all have to fall into the hands of an attacker to get to your data.
--
Regards,
Matthew Hall (BSc, CISSP, CEH)
Security Engineer
ECSC Ltd
01274 513266
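The setup steps described in the mail above (a random key, encrypted to each user's GPG key, enrolled as an extra LUKS slot, and referenced from /etc/crypttab) together with the unlock-path decision the attached patch makes, as an added example that is not Matthew's script or any Fedora code; the device path, output path and recipient key IDs are placeholders the caller supplies, and /etc/gnupg is taken from the mail.

```shell
#!/bin/sh
# Added example, not code from the mail: the key setup Matthew describes
# (random key, encrypted to each user's GPG key, enrolled as a LUKS slot)
# and the unlock-path decision his patch makes. Device paths, output path
# and recipient key IDs are placeholders to be supplied by the caller.

# Create a 4 KiB random key, encrypt it to every listed GPG recipient and
# enroll the plaintext copy as an extra LUKS key slot. The existing
# passphrase slot stays in place as the fallback the mail recommends.
enroll_gpg_keyfile() {   # enroll_gpg_keyfile DEVICE OUT.gpg KEYID...
    dev=$1; out=$2; shift 2
    tmp=$(mktemp) || return 1
    dd if=/dev/random of="$tmp" bs=4096 count=1 2>/dev/null || return 1
    recips=""
    for r; do recips="$recips -r $r"; done     # key IDs contain no spaces
    gpg --homedir /etc/gnupg --trust-model always --output "$out" \
        --encrypt $recips "$tmp" || return 1
    cryptsetup luksAddKey "$dev" "$tmp" || return 1  # asks for a current passphrase
    shred -u "$tmp"                          # remove the plaintext copy from disk
}

# The /etc/crypttab line that points rc.sysinit at the encrypted key file.
crypttab_entry() {       # crypttab_entry NAME DEVICE KEYFILE
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# Decide how an entry is unlocked from its key field. A POSIX case pattern
# replaces the patch's quoted bash regex, which bash 3.2+ matches literally
# and so never recognises a real .gpg file name.
key_mode() {             # key_mode KEYFIELD -> gpg | keyfile | password
    case $1 in
        none|"")       echo password ;;
        *[A-Za-z].gpg) echo gpg ;;
        *)             echo keyfile ;;
    esac
}

# rc.sysinit's owner check made reusable: a key file, encrypted or not,
# must exist, be owned by root and be unreadable by group and others.
keyfile_is_private() {   # keyfile_is_private PATH -> exit 0 if acceptable
    [ -f "$1" ] || return 1
    set -- $(stat -c '%u %a' "$1")           # GNU/busybox stat: "uid mode"
    [ "$1" = 0 ] || return 1
    case $2 in [0-7]00|[0-7]) return 0 ;; *) return 1 ;; esac
}
```

Only enroll_gpg_keyfile needs root and a real LUKS device; the other three functions are pure and can be exercised on any host.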
--- rc.sysinit.f10orig 2009-03-12 15:17:09.000000000 +0000 +++ rc.sysinit 2009-03-12 16:20:40.000000000 +0000 @@ -141,9 +141,13 @@ echo $"INSECURE OWNER FOR $key" fi else - echo $"Key file for $dst not found, skipping" - ret=1 - continue + if strstr "$dst" home; then + key="/mnt/.home.key.gpg" + else + echo $"Key file for $dst not found, skipping" + ret=1 + continue + fi fi else key="" @@ -221,16 +225,21 @@ echo "$dst: options are invalid for LUKS partitions," \ "ignoring them" fi - if [ -n "$key" ]; then - /sbin/cryptsetup -d $key luksOpen "$src" "$dst" <&1 2>/dev/null && success || failure + file=`basename $key 2>/dev/null` + if [ -e "$key" ] && [[ "$file" =~ "[a-zA-Z].gpg" ]]; then + prompt=$(printf $"Enter your GPG passphrase to unlock %s" "$dst") + cmd="/usr/bin/gpg --homedir=/etc/gnupg/ --no-default-keyring --no-use-agent --no-auto-check-trustdb --no-permission-warning --skip-verify --no-tty --passphrase-fd 0 --decrypt $key" + plymouth ask-for-password --number-of-tries=3 --prompt "$prompt" --command="$cmd" <&1 | /sbin/cryptsetup luksOpen -T1 $src $dst && success || failure else - mount_point="$(find_crypto_mount_point $dst)" - [ -n "$mount_point" ] || mount_point=${src##*/} - prompt=$(printf $"%s is password protected" "$mount_point") - plymouth ask-for-password --prompt "$prompt" --command="/sbin/cryptsetup luksOpen -T1 $src $dst" <&1 + if strstr "$dst" home; then + key="none" + fi + mount_point="$(find_crypto_mount_point $dst)" + [ -n "$mount_point" ] || mount_point=${src##*/} + prompt=$(printf $"%s is password protected" "$mount_point") + plymouth ask-for-password --prompt "$prompt" --command="/sbin/cryptsetup luksOpen -T1 $src $dst" <&1 fi else - #plymouth --hide-splash /sbin/cryptsetup $params ${key:+-d $key} create "$dst" "$src" <&1 2>/dev/null && success || failure fi rc=$? 
@@ -345,7 +353,11 @@ fi if [ -f /etc/crypttab ]; then + modprobe usb_storage + sleep 5 + mount -n -t vfat -o ro,umask=377 /dev/sdb1 /mnt init_crypto 0 + umount /mnt 2>/dev/null fi if ! strstr "$cmdline" nompath && [ -f /etc/multipath.conf -a \
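Review bot: in the first hunk (@@ -141), the fallback `if strstr "$dst" home; then key="/mnt/.home.key.gpg"` hard-codes both the mapping name and the key path into rc.sysinit, and it fires only when the key named in /etc/crypttab is missing, so a typo in the key field of any mapping whose name contains "home" silently gets the USB key instead of the "Key file for $dst not found, skipping" message. Since /etc/crypttab is already edited to name /mnt/.home.key.gpg, this branch can be dropped and the skip kept, so a missing key stays visible.

Review bot: in the second hunk (@@ -221), removing the `if [ -n "$key" ]; then /sbin/cryptsetup -d $key luksOpen ...` branch drops support for plain (non-GPG) key files: an entry with a regular key file now falls through to the else branch and prompts for a password it was never given, so keep that branch beside the new GPG one. The test `[[ "$file" =~ "[a-zA-Z].gpg" ]]` quotes the regex, which bash 3.2 and later matches literally, so it only succeeds for a file literally named `[a-zA-Z].gpg`; write it unquoted with the dot escaped, e.g. `[[ "$file" =~ [a-zA-Z]\.gpg$ ]]`. The `key="none"` assignment in the else branch is never read afterwards and can go.

Review bot: in the third hunk (@@ -345), `mount -n -t vfat -o ro,umask=377 /dev/sdb1 /mnt` hard-codes the stick's device node and `sleep 5` guesses at enumeration time, so on a machine with a second internal disk, or when the stick enumerates late, the wrong device (or nothing) is mounted and every entry silently falls back to the password prompt. Mount by filesystem label or UUID (/dev/disk/by-label or by-uuid), wait for udev to settle instead of a fixed sleep, and add `nodev,nosuid,noexec` since this is removable media. The mount also runs on every system that has an /etc/crypttab, even without a GPG key entry; guard it on the key field.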
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list