[Pkg-cryptsetup-devel] gpg key
Jonas Meurer
jonas at freesources.org
Tue Sep 5 23:20:08 UTC 2006
On 05/09/2006 Håvard Moen wrote:
> Hi, I've looked at what need to be done to get gpg in cryptsetup working. The
> changes needed in decrypt_gpg in /lib/cryptsetup/cryptdisks.functions is:
> - gpg needs access to the keyrings. Setting HOME to somewhere with a working
> .gpg directory solves this
> - tempfile creates a file, which makes it necessary for gpg to owerwrite it.
> Either the file needs to be removed after running tempfile, tempfile can be
> changed to something like mktemp -u or --yes is needed as an extra option to
> gpg.
> - --no-tty is needed as an option to gpg to avoid gpg exiting because it can
> not open /dev/tty
> - And of course in line 271 gnupg needs to be changed to gpg, but I reccon
> that was intentional
>
> Can I also suggest that you use shred -u instead of rm in clean_keys, as /tmp
> may be mounted on an insecure volume.
please take a look at man crypttab(5) from cryptsetup 1.0.4~rc2-1 (in
unstable). it introduces a new option 'keyscript'. if you set
keyscript=/scripts/gpg_key.sh, cryptdisks will run
'/scripts/gpg_key.sh keyfile' and use it's output as key.
so all you need to do, is write a script which takes the key as
argument, decodes it with gnupg, and pipes the result to stdout.
this implementation no longer uses tempfiles at all. everything is done
with pipes, so no security issue with insecure filesystems an longer.
i hope that this is what you were searching for.
...
jonas
More information about the Pkg-cryptsetup-devel
mailing list