LinuxQuestions.org
Old 11-23-2015, 10:32 AM   #1
WLD
Slackware-current patch for improved /etc/crypttab handling; RFC


Hi folks,

I see there has been some discussion in the past about better support for handling /etc/crypttab, but nothing is around in slackware-current. We've had to implement our own support for some devices, amongst other security-related improvements we will look to be contributing.

Keen for comments on this patch.

Many thanks,
WLD


Code:
Updated init scripts to better support options for dm-crypt settings, now
supporting encrypted tmp as well as swap, more robust and uniform parsing of
crypttab in rc.6, some helpful hint text in crypttab to encourage users to
try out encryption, and a general sprinkling of refinement to bring support
more in-line with other distros.  See http://linux.die.net/man/5/crypttab
---
 crypttab  | 12 ++++++++++++
 rc.d/rc.6 | 26 ++++++++++++++++----------
 rc.d/rc.S | 22 +++++++++++++---------
 3 files changed, 41 insertions(+), 19 deletions(-)

diff --git a/crypttab b/crypttab
index 8b13789..1f3297c 100644
--- a/crypttab
+++ b/crypttab
@@ -1 +1,13 @@
+# Specifies encrypted devices which are automatically opened and closed as may
+# be required. If Options field is "swap" or "tmp" you will get an encrypted
+# mkswap or mke2fs partition with a random key that is NOT recoverable upon
+# system shutdown as unencrypted versions of swap and tmp will overwrite them.
 
+# Password can be a string literal or path to a file containing the password.
+# Use "none" or leave empty to be prompted to enter it manually when unlocked.
+
+# Name          Device             Password            Options
+# cryptswap     /dev/sdx1                              swap
+# crypttmp      /dev/sdx2                              tmp
+# crypthome     /dev/sdx3          foobar
+# cryptwork     /dev/sdx4          none                ro
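Review bot: the comment says the swap/tmp keyword goes in the Options field, but both scripts split the line on whitespace with `eval LUKSARRAY=( $line )` and test the third column (`TYPE="$(echo $PASS | egrep -wo '(swap|tmp)')"`), so the blank Password column in the `cryptswap` and `crypttmp` examples collapses and `swap`/`tmp` is in fact read from the Password field. Written the way the comment describes, `cryptswap /dev/sdx1 none swap` is not recognised as swap at all and the mapping is never created. Either document that the keyword goes in the third column, or have rc.S/rc.6 look in `$OPTS` with `none` as the Password placeholder, which also matches crypttab(5). Since a literal passphrase may now be written here, the comment should also say that the file must not be world-readable.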
diff --git a/rc.d/rc.6 b/rc.d/rc.6
index 613ac75..fc4e531 100755
--- a/rc.d/rc.6
+++ b/rc.d/rc.6
@@ -236,20 +236,26 @@ echo "Remounting root filesystem read-only:"
 # Close any volumes opened by cryptsetup:
 if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
   cat /etc/crypttab | grep -v "^#" | grep -v "^$" | while read line; do
-    # NOTE: we only support LUKS formatted volumes (except for swap)!
-    LUKS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f1 -d' ')
-    DEV=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f2 -d' ')
-    OPTS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f4 -d' ')
+    eval LUKSARRAY=( $line )
+    LUKS="${LUKSARRAY[0]}"
+    DEV="${LUKSARRAY[1]}"
+    PASS="${LUKSARRAY[2]}"
+    OPTS="${LUKSARRAY[3]}"
     if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
       echo "Locking LUKS crypt volume '${LUKS}':"
       /sbin/cryptsetup luksClose ${LUKS}
-    elif echo $OPTS | grep -wq swap ; then
-      # If any of the volumes was used as encrypted swap,
-      # then run mkswap on the underlying device -
-      # in case other Linux installations on this computer should use it:
-      echo "Erasing encrypted swap '${LUKS}' and restoring normal swap on ${DEV}:"
+    elif TYPE="$(echo $PASS | egrep -wo '(swap|tmp)')" ; then
+      # If any of the volumes was used as encrypted swap or tmp, then run mkswap or
+      # mke2fs on the underlying device in case any other compatible OS on this
+      # device might use them after reboot:
+      echo "Erasing encrypted $TYPE '${LUKS}' and restoring normal $TYPE on ${DEV}:"
       /sbin/cryptsetup remove ${LUKS}
-      mkswap $DEV
+      if [ "$TYPE" = "swap" ]; then
+        /sbin/mkswap -L INSECURE $DEV
+      else
+        /sbin/mke2fs -L INSECURE $DEV
+        # Maybe more useful: mkfs.vfat -n INSECURE $DEV
+      fi
     fi
   done
 fi
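Review bot: `eval LUKSARRAY=( $line )` runs a second round of shell parsing over every crypttab line as root, so a Password or Options field containing `$(...)`, backticks or `;` is executed rather than stored, and an unquoted `*` is glob-expanded. `while read -r LUKS DEV PASS OPTS; do` splits on mixed spaces and tabs just as well without evaluating anything, and removes the need for `$line` and the `tr`/`cut` chain this hunk replaces. Two smaller points: `elif TYPE="$(...)"` works only because an assignment's status is that of its command substitution, which deserves a comment, and `/sbin/mke2fs -L INSECURE $DEV` writes a plaintext filesystem to the raw partition on every shutdown; that is the intent, but `$DEV` should be quoted and the comment should say the write is deliberate.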
diff --git a/rc.d/rc.S b/rc.d/rc.S
index 2779188..5e1f422 100755
--- a/rc.d/rc.S
+++ b/rc.d/rc.S
@@ -104,7 +104,7 @@ if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
     # Try to load a device-mapper kernel module:
     /sbin/modprobe -q dm-mod
   fi
-  # NOTE: we only support LUKS formatted volumes (except for swap)!
+  # NOTE: we only support LUKS formatted volumes (except for swap and tmp)!
   cat /etc/crypttab | grep -v "^#" | grep -v "^$" | while read line; do
     eval LUKSARRAY=( $line )
     LUKS="${LUKSARRAY[0]}"
@@ -118,22 +118,26 @@ if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
     /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue
     if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
       echo "Unlocking LUKS crypt volume '${LUKS}' on device '$DEV':"
-      if [ -n "${PASS}" ]; then
+      if [ -n "${PASS}" ] && [ "${PASS}" != "none" ]; then
         if [ -f ${PASS} ]; then
           /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS
-        elif [ "${PASS}" != "none" ]; then
-          # A password field of 'none' indicates a line for swap:
+        else
           echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
         fi
       else
         /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS </dev/tty0 >/dev/tty0 2>&1
       fi
-    elif echo $OPTS | grep -wq swap ; then
-      # If any of the volumes is to be used as encrypted swap,
-      # then encrypt it using a random key and run mkswap:
-      echo "Creating encrypted swap on device '$DEV' mapped to '${LUKS}':"
+    elif TYPE="$(echo $PASS | egrep -wo '(swap|tmp)')" ; then
+      # If any of the volumes are to be used as encrypted swap or tmp,
+      # then encrypt them using a random key and run mkswap or mke2fs:
+      echo "Creating encrypted $TYPE on device '$DEV' mapped to '${LUKS}':"
       /sbin/cryptsetup --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV
-      mkswap /dev/mapper/$LUKS
+      if [ "$TYPE" = "swap" ]; then
+        /sbin/mkswap -L $LUKS /dev/mapper/$LUKS
+      else
+        /sbin/mke2fs -L $LUKS /dev/mapper/$LUKS
+        # If preferred: /sbin/mkreiserfs --format 3.6 -b 1024 -l $LUKS /dev/mapper/$LUKS
+      fi
     fi
   done
 fi
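Review bot: the `tmp` branch formats `/dev/mapper/$LUKS` with `mke2fs`, whose root directory is created mode 0755 owned by root, so once fstab mounts it on /tmp nobody but root can create files there until something applies `chmod 1777 /tmp`; the patch neither does that nor says where it happens, and every mktemp(1) call by an ordinary user would fail. Either chmod after the mount or document the step. Also, the unchanged `--cipher=aes` on the `create` line now backs /tmp as well as swap and leaves the block mode and IV to cryptsetup's expansion of a bare cipher name; writing the full spec (`aes-xts-plain64`, or `aes-cbc-essiv:sha256`) makes what ends up on disk explicit. The commented-out `mkreiserfs` alternative is dead text and can go.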
-- 
2.5.1
 
Old 11-25-2015, 10:08 PM   #2
STDOUBT
Not to "poo-poo", but as I understand LUKS, the use of crypttab is no longer required.
Perhaps you would care to elaborate on your usage of crypttab to enlighten those of us interested
in cryptography yet lacking a bunch of knowledge... :^)
 
Old 11-25-2015, 10:52 PM   #3
WLD
Hi STDOUBT, of course,

Well /etc/crypttab is used in a similar fashion to /etc/fstab to specify partitions to mount that in this instance happen to be encrypted. The crypttab file specifies which LUKS partitions to open on startup (and close on shutdown), specifying which device the partition is on, what the passphrase is (whether a string literal, path to a file containing the passphrase, or whether it should be manually entered). All of this is already existing behaviour in Slackware.

One further thing supported at the moment is the use of encrypted swap, which is useful primarily for laptop users (but usable by anyone) who would not want current or historic swap contents to be forensically analysed and recovered. This feature uses an RNG for the key, which persists in RAM until shutdown. This makes analysis of the swap partition possible only if the machine is hot and the key is in memory, basically rendering swap unrecoverable after the system is powered off (cleanly or otherwise, provided no data could be extracted from the powered-off DIMMs by quickly cooling them and powering them up again; but that is a whole other topic).

The changes I have proposed in this patch improve the handling of /etc/crypttab to bring it in line with other distros which support encrypted /tmp also, something I use on my laptop and other devices. /tmp is a terrible leak of private information and often defeats the point of an encrypted home directory, as lots of files are copied there to be worked on. Although it's pointless encrypting stock binaries, it's generally perfectly fine for a user to encrypt just their home directory (usually with LUKS), but it's misguided to think that your encrypted data never makes its way into /tmp. For the more paranoid, encrypted swap and encrypted /tmp stop pretty much all forensic analysis of a cold device. Like swap, /tmp is also initialised with a key from an RNG upon startup, and upon shutdown the key is destroyed in RAM and the partition is reinitialised as a non-encrypted version in case any other OS on the device might like to make use of it in a multi-boot situation.

With this patch /etc/crypttab can now fully support paranoid users out of the box (and really, we should all be a bit paranoid).

The patch also makes the startup and shutdown handling of parsing /etc/crypttab a bit more uniform, as well as offering a little help text on how to set up /etc/crypttab and what the fields are for, as an encouragement for people to try it.

With regards to regular LUKS partitions, these are unlocked in the init scripts when crypttab is read. The swap and /tmp partitions are created in dm-crypt but not used until later on in the init script when all swap devices are activated (and the fact it is encrypted is arbitrary). Encrypted /tmp isn't used by default, it needs a corresponding entry in /etc/fstab. You can think of /etc/crypttab as being an abstraction layer between the disk and /etc/fstab which creates the relevant dm-crypt devices that /etc/fstab then uses to mount various filesystems on later in the boot process. Almost like setting up an underlying RAID device before you try to mount the filesystem it contains; as a crude analogy.

I'd be delighted to answer any other questions and take feedback on this patch which is currently in use on production systems.

Many thanks,
WLD
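The crypttab handling described in the post above, as an added example that is not part of the posted patch or of Slackware's rc.S/rc.6: a POSIX sh dry-run planner that splits the four columns (Name, Device, Password, Options) with `read -r` instead of `eval`, decides for each entry whether to open a LUKS volume (key file, literal passphrase, or console prompt) or to set up random-key swap or /tmp, and prints the cryptsetup/mkswap/mke2fs commands instead of running them. It goes a little beyond the patch in that it honours an `ro` option and accepts both the three-column layout the patch parses and the four-column `none` + Options layout its crypttab comment documents. The sample crypttab, device names, key-file path, passphrases and the `fake_is_luks` stand-in for `cryptsetup isLuks` are constructed; treating an absolute Password value as a key-file path and spelling the cipher as `aes-xts-plain64` are this example's choices.

```shell
#!/bin/sh
# Added example, not Slackware's rc.S/rc.6: a dry-run planner for the
# /etc/crypttab layout described in the post (Name, Device, Password,
# Options).  Lines are split with `read -r`, never eval'd, and the
# cryptsetup/mkswap/mke2fs commands are printed rather than executed.
# Every device name, key-file path and passphrase below is constructed.

TAB=$(printf '\t')
SAMPLE_CRYPTTAB="# Name      Device      Password              Options
cryptswap   /dev/sdx1   none                  swap
crypttmp${TAB}/dev/sdx2${TAB}none${TAB}tmp
cryptold    /dev/sdx6   swap
crypthome   /dev/sdx3   /etc/keys/home.key
cryptwork   /dev/sdx4   none                  ro,discard
cryptdata   /dev/sdx5   \$(reboot)
cryptbad    /dev/sdx7"

# Stand-in for 'cryptsetup isLuks DEV' so the example runs offline:
# pretend sdx3, sdx4 and sdx5 carry LUKS headers, the rest are raw partitions.
fake_is_luks() {
    case "$1" in /dev/sdx3|/dev/sdx4|/dev/sdx5) return 0 ;; *) return 1 ;; esac
}

# Single-quote a string so it can be shown inside a printed shell command.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Map one entry to the commands an init script would run.  $5 is "yes" or
# "no", standing in for the isLuks check.  Returns 1 if the entry is unusable.
plan_entry() {
    name=$1 dev=$2 pass=$3 opts=$4 luks=$5
    # Options are a comma-separated list as in crypttab(5).
    type="" ro=""
    case ",$opts," in *,swap,*) type=swap ;; *,tmp,*) type=tmp ;; esac
    case ",$opts," in *,ro,*) ro="--readonly " ;; esac
    # A three-column line "name dev swap" lands the keyword in the Password
    # column, because whitespace splitting cannot represent an empty column;
    # accept that layout too, as the posted patch does.
    if [ -z "$type" ] && [ -z "$opts" ]; then
        case "$pass" in swap|tmp) type=$pass ;; esac
    fi
    if [ "$luks" = yes ]; then
        # LUKS takes priority so a LUKS header is never overwritten by a random key.
        if [ -z "$pass" ] || [ "$pass" = none ]; then
            printf '%s\n' "cryptsetup ${ro}luksOpen $dev $name </dev/tty0 >/dev/tty0 2>&1"
        else
            # An absolute path is taken as a key file (this example's rule, so a
            # literal passphrase starting with '/' must go in a file); anything
            # else is a literal passphrase, quoted so that text such as
            # $(reboot) is shown as data and could never run as root.
            case "$pass" in
                /*) printf '%s\n' "cryptsetup ${ro}--key-file=$pass luksOpen $dev $name" ;;
                *)  printf '%s\n' "printf '%s\\n' $(shquote "$pass") | cryptsetup ${ro}luksOpen $dev $name" ;;
            esac
        fi
    elif [ -n "$type" ]; then
        # Random key from the kernel RNG, held only in RAM.  A full cipher spec
        # is given instead of bare "aes" so the block mode and IV are explicit.
        printf '%s\n' "cryptsetup --cipher=aes-xts-plain64 --key-file=/dev/urandom --key-size=256 create $name $dev"
        if [ "$type" = swap ]; then
            printf '%s\n' "mkswap -L $name /dev/mapper/$name"
        else
            printf '%s\n' "mke2fs -L $name /dev/mapper/$name"
        fi
    else
        printf '%s\n' "skip $name: $dev is not LUKS and has no swap/tmp option" >&2
        return 1
    fi
}

# Plan every entry of a crypttab read from stdin; comment and blank lines are
# skipped.  The '|| [ -n "$name" ]' keeps a last line that lacks a newline.
plan_crypttab() {
    while read -r name dev pass opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ -z "$dev" ]; then
            printf '%s\n' "skip $name: no device given" >&2
            continue
        fi
        if fake_is_luks "$dev"; then luks=yes; else luks=no; fi
        plan_entry "$name" "$dev" "$pass" "$opts" "$luks" || true
    done
}

# Number of planned commands that invoke cryptsetup (one per usable entry).
count_planned() {
    printf '%s\n' "$SAMPLE_CRYPTTAB" | plan_crypttab 2>/dev/null | grep -c cryptsetup
}

printf '%s\n' "$SAMPLE_CRYPTTAB" | plan_crypttab
```

Run it as is and it prints the plan for the sample crypttab; swap a real `cryptsetup isLuks "$dev"` in for `fake_is_luks` and replace the `printf` lines with the commands themselves to turn it into something an init script could call. The `cryptdata` line is the point of `read -r` over `eval`: its `$(reboot)` comes out as a quoted string in the plan rather than a command executed as root.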
 
Old 11-09-2019, 01:01 PM   #4
cressidacressida
Thanks, I needed this for encrypted /tmp to work
Used it in 14.2. Just needed minor modification in the rc.S part to patch successfully
 
Old 01-26-2020, 04:05 PM   #5
WLD
Quote: Originally Posted by cressidacressida
Thanks, I needed this for encrypted /tmp to work
Used it in 14.2. Just needed minor modification in the rc.S part to patch successfully
Hi cressidacressida,

I'm glad you found the patch useful. It's for Slackware64-current, but I'm glad that with minimal changes you got it working on 14.2. It seems according to the changelog that 15.0 will be along soon.

It'd be great if Pat could include this patch in the official init scripts because the changes are minimal but the extra value is enormous; especially for security minded people who are aware of what a threat an exposed /tmp can be.

I note in the latest sysvinit-scripts package there is a small change for processing /etc/inittab to make it more robust with mixed space and tabulator fields, which is what prompted me to revisit this thread. I used the patch I posted as a backup

Best wishes,
WLD
 
  

