[Pkg-cryptsetup-devel] Bug#416528: cryptsetup: Smartcard keyscript
Gerald Turner
gturner at unzane.com
Wed Mar 28 19:29:32 CET 2007
Package: cryptsetup
Version: 2:1.0.4+svn26-1
Severity: wishlist
Tags: patch
I've put together some scripts that work with cryptsetup and
initramfs-tools that require a smartcard at boot to decrypt the key
material for a dm-crypt volume.
/lib/cryptsetup/scripts/decrypt_opensc:
Waits for card reader to be attached and card inserted, then prompts
for PIN and outputs the raw key material
/etc/initramfs-tools/hooks/cryptopensc:
Detects whether hooks/cryptroot has installed the decrypt_opensc
script into the initramfs, and if so, installs additional binaries for
reading smartcards at boot (binaries from pcscd and opensc packages).
/etc/initramfs-tools/scripts/local-top/cryptopensc:
Detects whether pcscd had been installed in the initramfs and starts
this daemon.
/etc/initramfs-tools/scripts/local-bottom/cryptopensc:
Detects whether pcscd had been installed in the initramfs and stops
this daemon.
The following is an example /etc/crypttab:
root /dev/md2 /boot/keys/root offset=2048,cipher=aes-cbc-essiv:sha256,size=256,hash=plain,check,keyscript=/lib/cryptsetup/scripts/decrypt_opensc
The file /boot/keys/root contains the key material that has been
encrypted with the RSA public key on the smart card. The following
commands were used to create this file:
$ dd if=/dev/random of=key_material bs=1 count=96
$ pkcs15-tool --read-public-key 45 --output public_key
$ openssl rsautl -in key_material \
    -pubin -inkey public_key \
    -pkcs -out /boot/keys/root
$ shred key_material
The following pages have been very helpful in learning OpenSC in
combination with dm-crypt:
http://keitin.net/jarpatus/projects/usbtoken/index_fin.shtml
http://www.saout.de/tikiwiki/tiki-index.php?page=RSAFirstSectorsMiniHOWTO
Personally I created the private key with OpenSSL rather than let the
card generate the key, this way I can store the same key on a backup
smart card. Also I did not store the encrypted key in the first
sectors of the disk, instead the key is read from an unencrypted /boot
volume.
Speaking of where to store the key, unfortunately LUKS cannot be used
with the symmetric key stored on the smart card, however the following
blog has some neat ideas about making that work:
http://www.readingfordummies.com/blog/archives/2007/02/index.html
Any feedback is welcome at Gerald Turner <gturner at unzane.com>
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages cryptsetup depends on:
ii dmsetup 2:1.02.08-1 The Linux Kernel Device Mapper use
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libdevma 2:1.02.08-1 The Linux Kernel Device Mapper use
ii libgcryp 1.2.3-2 LGPL Crypto library - runtime libr
ii libgpg-e 1.4-1 library for common error values an
ii libpopt0 1.10-3 lib for parsing cmdline parameters
ii libuuid1 1.39+1.40-WIP-2006.11.14+dfsg-2 universally unique id library
cryptsetup recommends no packages.
-- no debconf information
A non-text attachment was scrubbed...
Name: cryptsetup-opensc.tar.gz
Type: application/octet-stream
Size: 1999 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20070328/7811c88e/cryptsetup-opensc.tar.obj
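Added example, not code from the report or its attached tarball: a POSIX shell round-trip of the key-wrapping scheme described above, with a software RSA key pair standing in for the card's private key (the author generated the key with OpenSSL too) so the wrap and unwrap steps can be checked before the decrypt_opensc keyscript, pcscd or a card is involved. WORK, gen_keypair, wrap_key, unwrap_key, roundtrip_ok and cleanup are names chosen here; `openssl pkeyutl` stands in for the report's `rsautl`, which OpenSSL 3 deprecates.

```shell
#!/bin/sh
# Added example, not code from the report: round-trip the RSA key wrapping
# with a software key pair standing in for the smartcard's private key.
set -eu

# Scratch directory (assumption); everything is created under it.
WORK="${WORK:-$(mktemp -d)}"

# Software RSA-2048 key pair, as the author did with OpenSSL; the public
# half plays the role of the key pkcs15-tool exported from the card.
gen_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/private_key.pem" 2>/dev/null
    openssl pkey -in "$WORK/private_key.pem" -pubout -out "$WORK/public_key.pem"
}

# Wrap 96 bytes of fresh key material under the public key with PKCS#1 v1.5
# padding (the report's "rsautl -pkcs"); $1 is the output file, the
# counterpart of /boot/keys/root. 96 bytes is well under the 245-byte
# PKCS#1 v1.5 limit for a 2048-bit modulus.
wrap_key() {
    head -c 96 /dev/urandom > "$WORK/key_material"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/public_key.pem" \
        -pkeyopt rsa_padding_mode:pkcs1 \
        -in "$WORK/key_material" -out "$1"
}

# Unwrap $1 and write the raw key material to stdout, which is what a
# cryptsetup keyscript such as decrypt_opensc must produce; on the real
# system the card performs this step after the PIN prompt.
unwrap_key() {
    openssl pkeyutl -decrypt -inkey "$WORK/private_key.pem" \
        -pkeyopt rsa_padding_mode:pkcs1 -in "$1"
}

# Full check: the wrapped blob is exactly one RSA block and the recovered
# material matches the original byte for byte. Returns 0 on success.
roundtrip_ok() {
    gen_keypair
    wrap_key "$WORK/root.enc"
    unwrap_key "$WORK/root.enc" > "$WORK/recovered"
    [ "$(wc -c < "$WORK/root.enc" | tr -d ' ')" -eq 256 ] || return 1
    [ "$(wc -c < "$WORK/recovered" | tr -d ' ')" -eq 96 ] || return 1
    [ "$(od -An -tx1 "$WORK/key_material")" = "$(od -An -tx1 "$WORK/recovered")" ]
}

cleanup() { rm -rf "$WORK"; }

# Run directly with RUN_CHECK=1 to report the result and clean up.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    roundtrip_ok && echo "round-trip ok"
    cleanup
fi
```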