LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   cryptsetup with passphrase file on USB stick (http://www.linuxquestions.org/questions/slackware-14/cryptsetup-with-passphrase-file-on-usb-stick-595222/)

titopoquito 10-28-2007 09:25 AM
cryptsetup with passphrase file on USB stick
 
Hi all,

I have encrypted two partitions with cryptsetup, like it is described in the file README_CRYPT.TXT on the Slackware CD. The root partition is not encrypted.

I wondered what I needed to change to make even Slackware 12.0 able to read the passphrase file from an USB memory stick. In my search I stumpled upon a question and wanted to ask it here before I might damage my system.

In /etc/rc.d/rc.S are the commands to map cryptsetup devices and to mount all file systems that are listed in /etc/fstab. Is there any reason why this cryptsetup stuff is performed BEFORE the root filesystem is checked? Can I move it around a little, let's say right above the section where the fstab entries are mounted?

My idea: Let udev assing a individual symlink to the usbstick so that it's always know by a special name, for example /dev/usbstick. In rc.S, move the cryptsetup stuff down, right before fstab stuff. And even before that, mount my usbstick if it is known to the system with its individual udev-symlink. After all known partitions etc. are mounted umount the memory stick again.

Thanks for reading this far :) Any ideas if this will do any harm to my system or if there any traps I do not see?

gnashley 10-28-2007 10:27 AM
It's just an idea since I don't really know about crypted partitions, but maybe the cryptsetup has to be done first in order for the filesystem to be checked. I suppose you could try manually trying to check the filesystem without having setup the crypting first, in order to see if that fails, or what?
You may be interested - a couple of weeks ago LQ member ta0kira posted about and uploaded some scripts that help with managing encrypted FLASH devices. You might get in touch with him to see what he knows about it.
See the thread here:
http://www.linuxquestions.org/questi...-token-592505/

titopoquito 10-28-2007 11:05 AM
Many thanks for the link Gilbert (if I remember right :scratch:), I appreciate it. Looks like ta0kira goes one step further, and it will take some time for me to evaluate his/her scripts. From the description it is what I intended in the beginning, but I didn't know how to do this at all.

ta0kira 10-29-2007 06:38 AM
If you want, I can post the script I have run by the udev rule when the device is inserted. It uses the scripts I posted in the link gnashley posted. Basically it loops the devices/images with crypto, fscks them, unloops them, then mounts them.
ta0kira

titopoquito 10-29-2007 06:48 AM
Hi ta0kira,

yes, that would be nice. I cannot say that I understand fully what your scripts do, but your description in the other thread sounds interesting. Yesterday evening I started looking in your scripts and the docs you packed with it, but my time is very limited at the moment, so I decided to dig into it in a few days. If you could post the script, I appreciate it. It is called with the udev
RUN+="/path/to/script" option?

In the meantime I succeeded to use my much simpler setup and will post a howto on how I did it, in case someone else is interested. A simple udev rule, changing rc.S startup script and of course setting up the encrypted partitions to take a keyfile as authentication. But it does NO error checking at all.

ta0kira 10-29-2007 04:06 PM
Here is a cleaned up version of the script I use:
Code:
#!/bin/bash

#CALL WITH NO ARGUMENTS TO DAEMONIZE, WITH manual TO KEEP IN FOREGROUND,
#AND WITH disconnect TO DISCONNECT ENCRYPTED PARTITIONS.

export PATH="/sbin:/bin:/usr/sbin:/usr/bin"


#MUST DAEMONIZE WHEN USING udev TO PREVENT FREEZING STARTUP SEQUENCE
if [ $# -eq 0 ]; then
  exec $0 daemon &
fi


#disconnect IS CALLED BY rc.0 AND rc.6
if [ "$1" == "disconnect" ]; then
  key-umount /root

  clear-all
  clear-data
  clear-system
  umount /mnt/keys

  exit
fi


if [ "$1" != "daemon" ] && [ "$1" != "manual" ]; then
  exit 1
fi


#CHECK THE ACTION TYPE WHICH IS SET BY udev
if [ "$ACTION" == "remove" ]; then
  exit
fi


#CHECK FILE SYSTEM THEN MOUNT
function setup_fs() # dev mount key
{
  check="internal_check"

  [ `grep -c " \`readlink -f \"$2\"\` " /proc/mounts` -eq 0 ] && \
  loop-fs "$1" $check $3 && \
  fsck /dev/mapper/$check
  unloop-fs $check
  key-mount "$1" "$2" $3
}


#MAKE SURE udev SET UP A THE SYMLINK
if [ ! -b "/dev/keys" ]; then
  exit 1
fi


#SET UP MOUNT POINT FOR USB DEVICE
install -d /mnt/keys

if [ ! -d "/mnt/keys" ]; then
  exit 1
fi


#MOUNT USB DEVICE
if [ `grep -c "/dev/keys" /proc/mounts` -eq 0 ] && \
  ! ( mount /dev/keys /mnt/keys -r -o noexec ); then
  exit 1
fi


#MAKE SURE PERTINENT key-scripts ARE EXECUTABLE
if [ ! -x "`which system-keys`" ] || [ ! -x "`which data-keys`" ] || \
  [ ! -x "`which key-mount`" ] || [ ! -x "`which clear-data`" ] || \
  [ ! -x "`which clear-system`" ]; then
  exit 1
fi


#LOAD SYSTEM AND DATA KEYS (BASED ON /etc/key-scripts.conf)
system-keys
data-keys

#USE SHELL FUNCTION TO CHECK AND MOUNT A PARTITION (THIS IS AN IMAGE)
#BLUE ARGUMENT IS THE NAME OF THE KEY
setup_fs /root/root.vault /root system/home "-o sync"

#UNLOAD SYSTEM AND DATA KEYS
clear-data
clear-system

#UNMOUNT USB DEVICE
umount /mnt/keys
Here is the udev rule which runs it:
Code:
KERNEL=="sd?1", SYSFS{serial}=="[removed]", symlink+="keys", run+="/bin/bash /etc/rc.d/rc.secure"
I keep the scripts I posted in the other thread in /usr/sbin so that I can start my system with the USB device attached and the partitions will automatically mount. It will also work to start it without the USB device then insert it at any time later.
ta0kira

PS Here is my /etc/key-scripts.conf:
Code:
KEY_MOUNT="/mnt/keys"
KEY_TABLES="tables"
SYSTEM_KEYS="system"
DATA_KEYS="data"
USER_KEY_IMG="users"
SYSTEM_KEY_IMG="master"
SYSTEM_CODE="[this will be on the device]"
DATA_CODE="system/data"
NO_CONFIRM="true"
PPS You don't need to go through all of the system-keys/data-keys business unless you want the key itself encrypted on the USB device. To just leave it in the open, take out the lines in red.

titopoquito 10-29-2007 04:52 PM
Many thanks ta0kira. Lots of reading I guess for me to understand what you are doing there, to understand the logic of your scripts :)

ta0kira 10-30-2007 06:37 AM
Yeah, I suppose I do need to update and clarify the howtos and add some more comments to the scripts. I actually haven't read through them myself for quite a while.
ta0kira

PS It sounds like all you really need is the fastdm script. All of the others are for a specific purpose, but you can do everything you need to with that (plus losetup if you plan to use images instead of devices.)


All times are GMT -5. The time now is 12:59 AM.