Bug#390514: [Pkg-cryptsetup-devel] Bug#390514: cryptsetup doesn't work with SSL encrypted keys

David Härdeman david at hardeman.nu
Thu Oct 5 08:00:29 UTC 2006


On Sun, October 1, 2006 18:29, Stephan Seitz said:
> I used the script /usr/share/doc/cryptsetup/examples/gen-ssl-key to
> generate an encrypted key, decrypted it and added it with luksAddKey.
> Then I changed /etc/crypttab to the path of the SSL encrypted key and added
> the keyword ssl. But /etc/init.d/cryptdisks couldn't activate the
> partition.

It should hopefully be able to do so if you use the option
keyscript=/lib/cryptsetup/scripts/decrypt_ssl instead of just "ssl", more
explanation below.

> 1. The function decrypt_ssl is available in
> /lib/cryptsetup/cryptdisks.functions as well as in
> /lib/cryptsetup/scripts/decrypt_ssl. It seems the first is used.
> Both functions are different.
>
> 2. The function in /lib/cryptsetup/cryptdisks.functions begins like the
> other one, but then asks for a second passphrase to decrypt the
> previously decrypted key. This contradicts gen-ssl-key, which only
> uses one passphrase. I've changed the function to only ask for one
> passphrase like in /lib/cryptsetup/scripts/decrypt_ssl (see patch).

Actually the key decryption stuff is in a bit of flux. The keyscript
option is a recent addition to the /etc/crypttab file, and it is going to
deprecate both the ssl and gpg options.

Now, there is a decrypt_ssl script already in /lib/cryptsetup/scripts/,
but it uses a different method compared to what the old "ssl" option did
(the old method wasn't very good btw). I've already committed some changes
to cryptsetup SVN repo which adds a decrypt_old_ssl script (which works
like the old "ssl" option) in addition to decrypt_ssl.

For now, I'd suggest you either: wait for the new release, help test the
SVN version (once I've had time to do some more work on it), or use the
keyscript option in /etc/crypttab instead of the "ssl" option.

> 3. Neither decrypt_ssl nor decrypt_gpg protects the passphrase
> against spaces by using quotation marks (see patch).

I'll make sure it's fixed in the /lib/cryptsetup/scripts/...

> 4. You are using "read -s" to read the passphrase from the command line
> (silent mode), but the option -s only works with bash. If /bin/sh is
> linked to dash, it doesn't work. I had to change /etc/init.d/cryptdisks
> to use /bin/bash instead of /bin/sh.

I'll take a look at it.

> 5. Now it works. The next step would be solving the problem of how a normal
> user could use cryptsetup to activate an encrypted partition or an
> encrypted removable device.

I think Gnome already has support for mounting luks-encrypted removable
storage (e.g. USB keys). The gnome-volume-manager changelog suggests it's
been available since the beginning of this year.

-- 
David Härdeman
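As an added example illustrating points 3 and 4 above (this is not code from the cryptsetup package or from either poster): a POSIX sh keyscript skeleton that reads the passphrase without bash's `read -s` and double-quotes every expansion so a passphrase containing spaces survives. The keyscript calling convention (encrypted key file as $1, plaintext key on stdout) and the openssl cipher are assumptions.

```shell
#!/bin/sh
# Hypothetical POSIX sh keyscript for the keyscript= option in /etc/crypttab.
# Constructed example, not the package's decrypt_ssl. Assumed contract:
# cryptdisks calls it with the encrypted key file as $1 and reads the
# plaintext key from stdout. The cipher (aes-256-cbc) is an assumption too.

# Read one line from stdin and print it. Echo is switched off via stty only
# when stdin is a terminal, so this runs under dash, which lacks the
# bash-only "read -s". IFS= and -r keep spaces and backslashes intact.
read_passphrase() {
    if [ -t 0 ]; then
        printf 'Enter passphrase: ' >&2
        trap 'stty echo; exit 1' INT TERM
        stty -echo
        IFS= read -r _pass
        _rc=$?
        stty echo
        trap - INT TERM
        printf '\n' >&2
        [ "$_rc" -eq 0 ] || return 1
    else
        IFS= read -r _pass || return 1
    fi
    printf '%s' "$_pass"
}

# Decrypt the key file. Every expansion is double-quoted, so a passphrase
# such as "my secret pass" is not split into three words, and it reaches
# openssl via stdin rather than the command line (which ps could expose).
decrypt_ssl_key() {
    _keyfile=$1
    if [ ! -r "$_keyfile" ]; then
        printf 'cannot read key file: %s\n' "$_keyfile" >&2
        return 1
    fi
    _pw=$(read_passphrase) || return 1
    printf '%s\n' "$_pw" |
        openssl enc -d -aes-256-cbc -in "$_keyfile" -pass stdin
}

# Behave as a keyscript only when invoked with exactly one argument.
if [ "$#" -eq 1 ]; then
    decrypt_ssl_key "$1"
fi
```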
