LinuxQuestions.org
Old 10-28-2007, 09:25 AM   #1
titopoquito
cryptsetup with passphrase file on USB stick


Hi all,

I have encrypted two partitions with cryptsetup, as described in the file README_CRYPT.TXT on the Slackware CD. The root partition is not encrypted.

I wondered what I needed to change to make even Slackware 12.0 able to read the passphrase file from a USB memory stick. In my search I stumbled upon a question and wanted to ask it here before I might damage my system.

In /etc/rc.d/rc.S are the commands to map cryptsetup devices and to mount all file systems that are listed in /etc/fstab. Is there any reason why this cryptsetup stuff is performed BEFORE the root filesystem is checked? Can I move it around a little, let's say right above the section where the fstab entries are mounted?

My idea: Let udev assign an individual symlink to the USB stick so that it's always known by a special name, for example /dev/usbstick. In rc.S, move the cryptsetup stuff down, right before the fstab stuff. And even before that, mount my USB stick if it is known to the system with its individual udev symlink. After all known partitions etc. are mounted, umount the memory stick again.

Thanks for reading this far. Any ideas if this will do any harm to my system or if there are any traps I do not see?
 
Old 10-28-2007, 10:27 AM   #2
gnashley
It's just an idea since I don't really know about crypted partitions, but maybe the cryptsetup has to be done first in order for the filesystem to be checked. I suppose you could try manually checking the filesystem without having set up the crypting first, in order to see if that fails, or what?
You may be interested - a couple of weeks ago LQ member ta0kira posted about and uploaded some scripts that help with managing encrypted FLASH devices. You might get in touch with him to see what he knows about it.
See the thread here:
http://www.linuxquestions.org/questi...-token-592505/
 
Old 10-28-2007, 11:05 AM   #3
titopoquito
Many thanks for the link Gilbert (if I remember right), I appreciate it. Looks like ta0kira goes one step further, and it will take some time for me to evaluate his/her scripts. From the description it is what I intended in the beginning, but I didn't know how to do this at all.
 
Old 10-29-2007, 06:38 AM   #4
ta0kira
If you want, I can post the script I have run by the udev rule when the device is inserted. It uses the scripts I posted in the link gnashley posted. Basically it loops the devices/images with crypto, fscks them, unloops them, then mounts them.
ta0kira
 
Old 10-29-2007, 06:48 AM   #5
titopoquito
Hi ta0kira,

yes, that would be nice. I cannot say that I fully understand what your scripts do, but your description in the other thread sounds interesting. Yesterday evening I started looking into your scripts and the docs you packed with them, but my time is very limited at the moment, so I decided to dig into it in a few days. If you could post the script, I'd appreciate it. It is called with the udev RUN+="/path/to/script" option?

In the meantime I succeeded in using my much simpler setup and will post a howto on how I did it, in case someone else is interested. A simple udev rule, changing the rc.S startup script and of course setting up the encrypted partitions to take a keyfile as authentication. But it does NO error checking at all.
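A shell sketch of the simpler setup described in this post, added here as an example and not the howto from the thread: it assumes a udev symlink /dev/usbstick, a keyfile home.key on the stick, and a LUKS volume /dev/sda5 mapped as "home" (all constructed names), and is meant to run from rc.S after the root fsck but before the fstab mounts.

```shell
#!/bin/sh
# Added example, not the thread's code. Assumed udev rule (constructed):
#   KERNEL=="sd?1", ATTRS{serial}=="<stick serial>", SYMLINK+="usbstick"
KEYDEV=/dev/usbstick
KEYMNT=/mnt/usbstick
MOUNTS=/proc/mounts      # overridable so is_mounted can be exercised offline
DRYRUN=${DRYRUN:-}       # non-empty: print privileged commands instead of running them

run() { if [ -n "$DRYRUN" ]; then echo "$*"; else "$@"; fi; }

# Is $1 a current mount point? Field 2 of /proc/mounts is the mount point.
is_mounted() {
  awk -v mp="$1" '$2 == mp { f = 1 } END { exit !f }' "$MOUNTS"
}

# Map a LUKS volume with a keyfile: $1 device, $2 mapper name, $3 keyfile.
open_volume() {
  [ -r "$3" ] || [ -n "$DRYRUN" ] || { echo "keyfile $3 unreadable" >&2; return 1; }
  run cryptsetup luksOpen --key-file "$3" "$1" "$2"
}

bring_up() {
  # udev may not have created the symlink yet when rc.S gets here: wait briefly.
  i=0
  while [ ! -b "$KEYDEV" ] && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
  [ -b "$KEYDEV" ] || { echo "no key stick found, skipping encrypted volumes" >&2; return 0; }
  mkdir -p "$KEYMNT"
  # Read-only and noexec/nosuid/nodev: the stick only ever supplies key material.
  is_mounted "$KEYMNT" || run mount -r -o noexec,nosuid,nodev "$KEYDEV" "$KEYMNT" || return 1
  if open_volume /dev/sda5 home "$KEYMNT/home.key"; then
    run fsck -a /dev/mapper/home    # check the volume once the mapping exists, then mount
    run mount /dev/mapper/home /home
  fi
  run umount "$KEYMNT"              # keyfile is no longer needed once the volume is open
}

case "${1:-}" in start) bring_up ;; esac
```

Run as `sh rc.keystick start` (or with DRYRUN=1 to see the commands it would issue); the real cryptsetup/mount calls need root.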
 
Old 10-29-2007, 04:06 PM   #6
ta0kira
Here is a cleaned up version of the script I use:
Code:
#!/bin/bash

#CALL WITH NO ARGUMENTS TO DAEMONIZE, WITH manual TO KEEP IN FOREGROUND,
#AND WITH disconnect TO DISCONNECT ENCRYPTED PARTITIONS.

export PATH="/sbin:/bin:/usr/sbin:/usr/bin"


#MUST DAEMONIZE WHEN USING udev TO PREVENT FREEZING STARTUP SEQUENCE
if [ $# -eq 0 ]; then
  exec "$0" daemon &
  exit 0
fi


#disconnect IS CALLED BY rc.0 AND rc.6
if [ "$1" == "disconnect" ]; then
  key-umount /root

  clear-all
  clear-data
  clear-system
  umount /mnt/keys

  exit
fi


if [ "$1" != "daemon" ] && [ "$1" != "manual" ]; then
  exit 1
fi


#CHECK THE ACTION TYPE WHICH IS SET BY udev
if [ "$ACTION" == "remove" ]; then
  exit
fi


#CHECK FILE SYSTEM THEN MOUNT
function setup_fs() # dev mount key
{
  check="internal_check"

  #SKIP IF ALREADY MOUNTED; LOOP THE IMAGE ONLY LONG ENOUGH TO fsck IT
  [ `grep -c " \`readlink -f \"$2\"\` " /proc/mounts` -eq 0 ] && \
  loop-fs "$1" $check "$3" && \
  fsck /dev/mapper/$check
  unloop-fs $check
  key-mount "$1" "$2" "$3"
}


#MAKE SURE udev SET UP THE SYMLINK
if [ ! -b "/dev/keys" ]; then
  exit 1
fi


#SET UP MOUNT POINT FOR USB DEVICE
install -d /mnt/keys

if [ ! -d "/mnt/keys" ]; then
  exit 1
fi


#MOUNT USB DEVICE
if [ `grep -c "/dev/keys" /proc/mounts` -eq 0 ] && \
   ! ( mount /dev/keys /mnt/keys -r -o noexec ); then
  exit 1
fi


#MAKE SURE PERTINENT key-scripts ARE EXECUTABLE
if [ ! -x "`which system-keys`" ] || [ ! -x "`which data-keys`" ] || \
   [ ! -x "`which key-mount`" ] || [ ! -x "`which clear-data`" ] || \
   [ ! -x "`which clear-system`" ]; then
  exit 1
fi


#LOAD SYSTEM AND DATA KEYS (BASED ON /etc/key-scripts.conf)
system-keys
data-keys

#USE SHELL FUNCTION TO CHECK AND MOUNT A PARTITION (THIS IS AN IMAGE)
#THE THIRD ARGUMENT IS THE NAME OF THE KEY
setup_fs /root/root.vault /root system/home "-o sync"

#UNLOAD SYSTEM AND DATA KEYS
clear-data
clear-system

#UNMOUNT USB DEVICE
umount /mnt/keys
Here is the udev rule which runs it:
Code:
# udev keys are case-sensitive: SYMLINK+= and RUN+= (the serial is the stick's own)
KERNEL=="sd?1", SYSFS{serial}=="[removed]", SYMLINK+="keys", RUN+="/bin/bash /etc/rc.d/rc.secure"
I keep the scripts I posted in the other thread in /usr/sbin so that I can start my system with the USB device attached and the partitions will automatically mount. It will also work to start it without the USB device then insert it at any time later.
ta0kira

PS Here is my /etc/key-scripts.conf:
Code:
KEY_MOUNT="/mnt/keys"
KEY_TABLES="tables"
SYSTEM_KEYS="system"
DATA_KEYS="data"
USER_KEY_IMG="users"
SYSTEM_KEY_IMG="master"
SYSTEM_CODE="[this will be on the device]"
DATA_CODE="system/data"
NO_CONFIRM="true"
PPS You don't need to go through all of the system-keys/data-keys business unless you want the key itself encrypted on the USB device. To just leave it in the open, take out the lines in red.

Last edited by ta0kira; 10-29-2007 at 04:15 PM.
 
Old 10-29-2007, 04:52 PM   #7
titopoquito
Many thanks ta0kira. Lots of reading for me, I guess, to understand what you are doing there and the logic of your scripts.
 
Old 10-30-2007, 06:37 AM   #8
ta0kira
Yeah, I suppose I do need to update and clarify the howtos and add some more comments to the scripts. I actually haven't read through them myself for quite a while.
ta0kira

PS It sounds like all you really need is the fastdm script. All of the others are for a specific purpose, but you can do everything you need to with that (plus losetup if you plan to use images instead of devices.)

Last edited by ta0kira; 10-30-2007 at 06:42 AM.