[pkg-cryptsetup-devel] "Universal" keyscript for LVM encrypted systems with key on removable device
Swâmi Petaramesh
swami at petaramesh.org
Tue Jul 22 06:04:58 UTC 2008
Hi folks,
Debian and Ubuntu installers include a "standard" way of building a
fully-encrypted machine on a LUKS-encrypted LVM.
On top of this, I have written a more or less "universal" keyscript allowing
the machine's LVM key to reside as a file on a removable device (i.e. USB key
or SD-card) so this removable device will be the "key" for using the machine.
That's quite convenient.
The removable device partition on which the keyfile resides can be FAT,
ext2/3, or itself a LUKS-encrypted partition in which case the bootkeyscript
will prompt for its passphrase for unlocking it and getting the key to the
machine's main encrypted LVM. This allows for "two form factor
authentication".
My script is rather automagic and doesn't need much more than being installed
somewhere on the machine (typically /usr/local/sbin) and mentioned
in /etc/crypttab before the initramfs is regenerated.
It doesn't need any change to the standard Debian or Ubuntu encrypted LVM setup
or initramfs (besides mentioning the needed kernel modules for accessing the
removable device in /etc/initramfs-tools/modules and optionally adding two
2-line scripts in /etc/initramfs-tools/hooks for including a couple of optional
binaries in the initramfs).
The partition on which the keyfile resides can be mentioned in /etc/crypttab
either by its device name (sdb1) or LABEL or fs UUID (for unencrypted fs), or
LUKS volume UUID (for encrypted fs), allowing it to work on machines on which
the device ID where the key device is inserted may change from one boot to
another.
My keyscript can be downloaded from:
http://petaramesh.org/public/arc/projects/cryptsetup/bootkeyscript
And its GPG signature from:
http://petaramesh.org/public/arc/projects/cryptsetup/bootkeyscript.asc
A detailed article is available at:
http://petaramesh.org/post/2007/11/29/Une-cle-de-contact-pour-votre-portable-chiffre
It's in French, but has a shorter English summary at the end.
This script has been extensively tested and is daily used with Ubuntu Gutsy
and Hardy on several laptops using either USB sticks or SD cards as key
devices. It works plain good.
That's GPL, and I would love this script to become part of the
official "cryptsetup" package for Debian / Ubuntu.
Please Cc: me on answers, as I'm not subscribed to the dm-crypt mailing list.
Best regards.
--
Swâmi Petaramesh <swami at petaramesh.org> http://petaramesh.org PGP 9076E32E
It is often too early to know whether it is not
already too late.
-- Pierre Dac
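To illustrate the mechanism the post describes (a crypttab keyscript that fetches the LUKS key from a removable device named by device, LABEL or UUID), here is a small keyscript written for this page. It is an added example, not Swâmi's bootkeyscript; the crypttab line, the `LABEL=KEYS:/keys/laptop.key` key-spec syntax, the hypothetical script name `keydev`, and the fallback to the initramfs `/lib/cryptsetup/askpass` prompt are the example's own assumptions.

```shell
#!/bin/sh
# Hypothetical crypttab keyscript (added example, not the bootkeyscript
# the post links to). The initramfs cryptsetup hooks run it as
#   keyscript <key-spec>
# with the key spec taken from the third crypttab field, e.g.
#   sda5_crypt UUID=<root-luks-uuid> LABEL=KEYS:/keys/laptop.key luks,keyscript=/usr/local/sbin/keydev
# The key must be written to stdout; any prompt or message goes to stderr.

# Map a crypttab-style device spec to a device node: "sdb1", "LABEL=KEYS",
# "UUID=...", or an absolute path, so the key device may change its
# /dev/sdX name from one boot to the next.
resolve_keydev() {
    case "$1" in
        LABEL=*) echo "/dev/disk/by-label/${1#LABEL=}" ;;
        UUID=*)  echo "/dev/disk/by-uuid/${1#UUID=}" ;;
        /*)      echo "$1" ;;
        *)       echo "/dev/$1" ;;
    esac
}

# Split "DEVSPEC:/path/on/device" into its two halves.
spec_device() { echo "${1%%:*}"; }
spec_path()   { echo "${1#*:}"; }

# Poll for the removable device to appear (USB enumeration is slow at
# boot); returns 1 after $2 seconds (default 10).
wait_for_dev() {
    i=0
    while [ ! -b "$1" ]; do
        i=$((i + 1)); [ "$i" -le "${2:-10}" ] || return 1
        sleep 1
    done
}

# Read the key file from a read-only mount and unmount again; on any
# failure fall back to a passphrase prompt so a lost key device does
# not lock the machine out.
emit_key() {
    dev=$(resolve_keydev "$(spec_device "$1")"); file=$(spec_path "$1")
    mnt=/tmp/keydev.$$
    if wait_for_dev "$dev" 10 && mkdir -p "$mnt" \
       && mount -o ro "$dev" "$mnt" 2>/dev/null; then
        if [ -r "$mnt/$file" ]; then cat "$mnt/$file"; rc=0; else rc=1; fi
        umount "$mnt"; rmdir "$mnt"
        [ "$rc" -eq 0 ] && return 0
    fi
    echo "keydev: key not found via $1, falling back to passphrase" >&2
    /lib/cryptsetup/askpass "Enter passphrase: "
}

if [ $# -gt 0 ]; then emit_key "$1"; fi
```

The key device's own LUKS layer (the "two form factor" case in the post) is not handled here; it would need a `cryptsetup luksOpen` of the resolved device before the mount.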