[Pkg-cryptsetup-devel] Bug#430712: cryptsetup: script to add support for keys on usb stick if root fs is luks-encrypted
Yves-Alexis Perez
corsac at corsac.net
Tue Jun 26 18:51:32 UTC 2007
Package: cryptsetup
Version: 2:1.0.4+svn29-1
Severity: wishlist
Hi,
attached is a script I wrote to enable support for "key on usb token",
if the root fs is luks-encrypted. You just have to add the keyscript=
option in the crypttab, and put the correct UUID in the script. It's a
first version and could surely be improved, but I find it useful.
It can be used if the partition on the token is luks-encrypted too, and
will ask for the passphrase.
I guess it could be provided in examples, like usbcrypto.mkinitrd.gz,
which works only with mkinitrd, not in Debian anymore.
My script only works with initramfs-tools, as yaird doesn't seem to
support keyscripts.
Regards,
--
Yves-Alexis Perez
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.21-1-powerpc
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cryptsetup depends on:
ii dmsetup 2:1.02.20-1 The Linux Kernel Device Mapper use
ii libc6 2.5-11 GNU C Library: Shared libraries
ii libdevma 2:1.02.20-1 The Linux Kernel Device Mapper use
ii libgcryp 1.2.4-2 LGPL Crypto library - runtime libr
ii libpopt0 1.10-3 lib for parsing cmdline parameters
ii libuuid1 1.39+1.40-WIP-2007.04.07+dfsg-2 universally unique id library
cryptsetup recommends no packages.
-- no debconf information
-------------- next part --------------
#!/bin/sh
# initramfs script for encrypted root fs with key on usb token.
# (c) 2006 Yves-Alexis Perez <corsac at corsac.net>
# This code is released under the terms of the GNU GPL
# This script looks for a file named root.key on a usb stick with a defined
# UUID.
# What you have to do is:
# * create a key for your root filesystem on your usb stick, named root.key
#   dd if=/dev/urandom of=/media/usbstick/root.key bs=32 count=1
#   cryptsetup luksAddKey /dev/sda5 /media/usbstick/root.key
# * look for the UUID of this usb stick (check in /dev/disk/by-uuid/) and
#   add it for the UUID variable
# * add keyscript=/path/to/keyscript in /etc/crypttab options, like:
#   sda5_crypt /dev/sda5 none luks,keyscript=/etc/keyscripts/usbkey
#   (be sure that it is executable).
#
# The usb stick can have a luks-encrypted filesystem, it's transparent and the
# script will ask for the passphrase.
# This script only works if you use an initrd made with initramfs-tools, not
# yaird.
#
# Configuration:
UUID=""
# nothing should be edited below.
if [ -z "$UUID" ]; then
    # with an empty UUID, $DEVICE would be the by-uuid directory itself and
    # the wait loop below would pass immediately.
    echo "usbkey: UUID is not set, edit the script first." >&2
    exit 1
fi
DEVICE="/dev/disk/by-uuid/$UUID"
# load the usb host controller and storage drivers; the initramfs may not
# have done it yet.
modprobe uhci-hcd
modprobe ehci-hcd
modprobe usb-storage
modprobe sd-mod
# everything except the key itself goes to stderr: stdout is what
# local-top/cryptroot pipes into cryptsetup as the key.
echo "root disk encrypted, please provide keys on usb stick." >&2
echo -n "waiting for usb stick $UUID " >&2
while [ ! -e "$DEVICE" ]; do
    echo -n "." >&2
    /bin/sleep 0.5
done
echo " " >&2
echo "usb stick present" >&2
# is the usb stick encrypted?
if /sbin/cryptsetup isLuks "$DEVICE" >&2 ; then
    echo "usb stick is encrypted, please provide passphrase to open it" >&2
    if ! /sbin/cryptsetup luksOpen "$DEVICE" "$UUID" >&2; then
        echo "usb stick can't be opened: bad passphrase?" >&2
        # we let local-top/cryptroot handle the 3 tries...
        exit 1
    fi
    DEVICE="/dev/mapper/$UUID"
fi
echo -n "looking for key" >&2
[ -d /etc/keys ] || mkdir /etc/keys
# mount read-only and without touching /etc/mtab (-n), which does not exist
# in the initramfs; if the stick mounts but carries no root.key, unmount it
# again before retrying instead of stacking mounts on /etc/keys.
while [ ! -f /etc/keys/root.key ]; do
    echo -n "." >&2
    /bin/sleep 0.1
    if ! mount -t ext2 -n -o ro "$DEVICE" /etc/keys >&2; then
        continue
    fi
    [ -f /etc/keys/root.key ] || umount -n /etc/keys >&2
done
echo " found." >&2
# initrd waits for us to output the key so it can pipe it to cryptsetup.
cat /etc/keys/root.key
# Cleaning up...
umount -n /etc/keys >&2
if [ -e "/dev/mapper/$UUID" ]; then
    /sbin/cryptsetup luksClose "$UUID" >&2
fi
# vim: set ft=sh tw=0:
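The crypttab line shown in the script's comments can be parsed and checked before rebooting, as in this added POSIX sh example; it is not part of the bug report or of Debian's cryptsetup package, and the function names and the checks it performs (absolute path, regular file, executable) are my own assumptions about what is worth verifying.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Debian's cryptsetup:
# parse one /etc/crypttab line (layout: <target> <source> <key file>
# <options>, options comma separated) and check its keyscript= option
# the way the attached script's comments ask you to.

# Print the keyscript path named in a crypttab line; fail if there is none.
crypttab_keyscript() {
    set -- $1                      # split the line into its four fields
    [ $# -ge 4 ] || return 1
    opts=$4
    old_ifs=$IFS
    IFS=,
    for opt in $opts; do
        case $opt in
            keyscript=*)
                IFS=$old_ifs
                printf '%s\n' "${opt#keyscript=}"
                return 0
                ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Succeed only if the line's keyscript is an absolute path to an
# executable regular file; say why on stderr otherwise.
check_keyscript_line() {
    ks=$(crypttab_keyscript "$1") || { echo "no keyscript= option" >&2; return 1; }
    case $ks in
        /*) ;;
        *) echo "keyscript must be an absolute path: $ks" >&2; return 1 ;;
    esac
    [ -f "$ks" ] || { echo "keyscript not found: $ks" >&2; return 1; }
    [ -x "$ks" ] || { echo "keyscript not executable: $ks" >&2; return 1; }
    return 0
}

# Usage, with the crypttab line from the attached script's comments:
# check_keyscript_line "sda5_crypt /dev/sda5 none luks,keyscript=/etc/keyscripts/usbkey"
```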