cryptsetup with passphrase file on USB stick
Hi all,
I have encrypted two partitions with cryptsetup, as described in the file README_CRYPT.TXT on the Slackware CD. The root partition is not encrypted.
I wondered what I needed to change to make even Slackware 12.0 able to read the passphrase file from a USB memory stick. In my search I stumbled upon a question and wanted to ask it here before I might damage my system.
In /etc/rc.d/rc.S are the commands to map cryptsetup devices and to mount all file systems that are listed in /etc/fstab. Is there any reason why this cryptsetup stuff is performed BEFORE the root filesystem is checked? Can I move it around a little, let's say right above the section where the fstab entries are mounted?
My idea: Let udev assign an individual symlink to the USB stick so that it's always known by a special name, for example /dev/usbstick. In rc.S, move the cryptsetup stuff down, right before the fstab stuff. And even before that, mount my USB stick if it is known to the system with its individual udev symlink. After all known partitions etc. are mounted, umount the memory stick again.
Thanks for reading this far. Any ideas if this will do any harm to my system or if there are any traps I do not see?
It's just an idea since I don't really know about crypted partitions, but maybe the cryptsetup has to be done first in order for the filesystem to be checked. I suppose you could try manually checking the filesystem without having set up the crypting first, in order to see if that fails, or what?
You may be interested - a couple of weeks ago LQ member ta0kira posted about and uploaded some scripts that help with managing encrypted FLASH devices. You might get in touch with him to see what he knows about it.
See the thread here: http://www.linuxquestions.org/questi...-token-592505/
Many thanks for the link Gilbert (if I remember right), I appreciate it. Looks like ta0kira goes one step further, and it will take some time for me to evaluate his/her scripts. From the description it is what I intended in the beginning, but I didn't know how to do this at all.
If you want, I can post the script I have run by the udev rule when the device is inserted. It uses the scripts I posted in the link gnashley posted. Basically it loops the devices/images with crypto, fscks them, unloops them, then mounts them.
ta0kira
Hi ta0kira,
yes, that would be nice. I cannot say that I fully understand what your scripts do, but your description in the other thread sounds interesting. Yesterday evening I started looking into your scripts and the docs you packed with them, but my time is very limited at the moment, so I decided to dig into it in a few days. If you could post the script, I'd appreciate it. It is called with the udev RUN+="/path/to/script" option?
In the meantime I succeeded in using my much simpler setup and will post a howto on how I did it, in case someone else is interested. A simple udev rule, changing the rc.S startup script and of course setting up the encrypted partitions to take a keyfile as authentication. But it does NO error checking at all.
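The simpler plan described above (udev symlink, keyfile-based luksOpen, a fragment for rc.S), as an added example that is not from this thread and not ta0kira's key-scripts; the device paths, mapper names, stick serial and the VOLUMES table are assumed placeholders.

```shell
#!/bin/sh
# Added example, not ta0kira's key-scripts: the OP's simpler plan.
# Device names, mapper names and the udev serial are assumed placeholders.
#
# 1. udev rule, e.g. /etc/udev/rules.d/10-usbstick.rules (one line):
#    KERNEL=="sd*1", ATTRS{serial}=="YOUR-STICK-SERIAL", SYMLINK+="usbstick"
#    Matching on the serial keeps the symlink off any other disk.
#
# 2. Constructed table "<raw device> <mapper name> <keyfile on the stick>";
#    keyfile paths are relative to $KEY_MOUNT.
VOLUMES="/dev/sda3 crypthome home.key
/dev/sda4 cryptdata data.key"
KEY_DEV="/dev/usbstick"
KEY_MOUNT="/mnt/keys"

# Refuse a keyfile that is missing, not a regular file, or readable by
# group/others (octal mode must end in 00, e.g. 600 or 400).
key_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Unlock one volume with its keyfile; no passphrase prompt during boot.
open_volume() { # dev name keyfile
    key="$KEY_MOUNT/$3"
    key_ok "$key" || { echo "refusing $2: bad keyfile $key" >&2; return 1; }
    cryptsetup luksOpen --key-file "$key" "$1" "$2"
}

# 3. Fragment for rc.S, placed before the fstab mounts: mount the stick
#    read-only, unlock every volume, unmount so the keys are gone again.
unlock_all() {
    [ -b "$KEY_DEV" ] || { echo "$KEY_DEV not present, skipping" >&2; return 1; }
    mkdir -p "$KEY_MOUNT"
    mount -r -o noexec,nosuid,nodev "$KEY_DEV" "$KEY_MOUNT" || return 1
    rc=0
    while read -r dev name key; do
        open_volume "$dev" "$name" "$key" || rc=1
    done <<EOF
$VOLUMES
EOF
    umount "$KEY_MOUNT"
    return $rc
}
```

The fstab entries for /dev/mapper/crypthome and /dev/mapper/cryptdata then mount as usual once unlock_all has returned.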
```bash
#!/bin/bash
# CALL WITH NO ARGUMENTS TO DAEMONIZE, WITH manual TO KEEP IN FOREGROUND,
# AND WITH disconnect TO DISCONNECT ENCRYPTED PARTITIONS.
export PATH="/sbin:/bin:/usr/sbin:/usr/bin"

# MUST DAEMONIZE WHEN USING udev TO PREVENT FREEZING STARTUP SEQUENCE
# (THE PARENT RETURNS TO udev AT ONCE; THE BACKGROUND CHILD DOES THE WORK)
if [ $# -eq 0 ]; then
    "$0" daemon &
    exit 0
fi

# disconnect IS CALLED BY rc.0 AND rc.6
if [ "$1" == "disconnect" ]; then
    key-umount /root
    clear-all
    clear-data
    clear-system
    umount /mnt/keys
    exit
fi

if [ "$1" != "daemon" ] && [ "$1" != "manual" ]; then
    exit 1
fi

# CHECK THE ACTION TYPE WHICH IS SET BY udev
if [ "$ACTION" == "remove" ]; then
    exit
fi

# CHECK FILE SYSTEM THEN MOUNT
function setup_fs() # dev mount key
{
    check="internal_check"
    # ONLY fsck IF THE MOUNT POINT IS NOT MOUNTED YET: LOOP THE ENCRYPTED
    # IMAGE UNDER A TEMPORARY MAPPER NAME, CHECK IT, THEN DROP THE LOOP
    if [ "$(grep -c " $(readlink -f "$2") " /proc/mounts)" -eq 0 ] && \
       loop-fs "$1" "$check" "$3"; then
        fsck "/dev/mapper/$check"
    fi
    unloop-fs "$check"
    key-mount "$1" "$2" "$3"
}

# MAKE SURE udev SET UP THE SYMLINK
if [ ! -b "/dev/keys" ]; then
    exit 1
fi

# SET UP MOUNT POINT FOR USB DEVICE
install -d /mnt/keys
if [ ! -d "/mnt/keys" ]; then
    exit 1
fi

# MOUNT USB DEVICE (READ-ONLY, noexec)
if [ "$(grep -c "/dev/keys" /proc/mounts)" -eq 0 ] && \
   ! mount /dev/keys /mnt/keys -r -o noexec; then
    exit 1
fi

# MAKE SURE PERTINENT key-scripts ARE EXECUTABLE
for tool in system-keys data-keys key-mount clear-data clear-system; do
    if [ ! -x "$(which "$tool")" ]; then
        exit 1
    fi
done

# LOAD SYSTEM AND DATA KEYS (BASED ON /etc/key-scripts.conf)
system-keys
data-keys

# USE SHELL FUNCTION TO CHECK AND MOUNT A PARTITION (THIS IS AN IMAGE)
# THE THIRD ARGUMENT (system/home) IS THE NAME OF THE KEY
setup_fs /root/root.vault /root system/home "-o sync"

# UNLOAD SYSTEM AND DATA KEYS
clear-data
clear-system

# UNMOUNT USB DEVICE
umount /mnt/keys
```
I keep the scripts I posted in the other thread in /usr/sbin so that I can start my system with the USB device attached and the partitions will automatically mount. It will also work to start it without the USB device then insert it at any time later.
ta0kira
PS Here is my /etc/key-scripts.conf:
```bash
KEY_MOUNT="/mnt/keys"
KEY_TABLES="tables"
SYSTEM_KEYS="system"
DATA_KEYS="data"
USER_KEY_IMG="users"
SYSTEM_KEY_IMG="master"
SYSTEM_CODE="[this will be on the device]"
DATA_CODE="system/data"
NO_CONFIRM="true"
```
PPS You don't need to go through all of the system-keys/data-keys business unless you want the key itself encrypted on the USB device. To just leave it in the open, take out the lines in red.
Yeah, I suppose I do need to update and clarify the howtos and add some more comments to the scripts. I actually haven't read through them myself for quite a while.
ta0kira
PS It sounds like all you really need is the fastdm script. All of the others are for a specific purpose, but you can do everything you need to with that (plus losetup if you plan to use images instead of devices.)