[Pkg-cryptsetup-devel] Bug#471727: cryptsetup: out-of-the-box support for using a USB stick as a key
Christian Pernegger
pernegger at gmail.com
Wed Mar 19 19:23:40 UTC 2008
Package: cryptsetup
Version: 2:1.0.6~pre1+svn45-1
Severity: wishlist
I'd like to be able to use a small USB stick as a physical "key" to my
system. There are various mini-HOWTOs and keyscripts floating around
that describe people's custom implementations of this but I think
having this as a supported feature in Debian would be better than a
bunch of custom solutions.
The following functionality would be needed:
1) A small tool that prepares a USB stick (or other removable media)
to be used as the "key". There are of course various ways to put the key
onto the media; at the moment I'm favouring
- wipe the stick using badblocks -w -t random or dd if=/dev/urandom
- make a filesystem on the stick, possibly on a partition if it is
customary to partition them. This would probably be VFAT. The
partition / filesystem should be *slightly smaller* than the media,
leaving a few bytes of space, probably at the end.
- put a UUID / magic number at the start of the free space
- create the key(s) by dd-ing it / them directly from /dev/random to the free
space on the media at intervals.
- add this key as a luks key.
2) A keyscript that looks for the UUID / magic number on candidate
media and reads the appropriate key. The key field in /etc/crypttab
that's passed as the parameter would be of the form 'UUID:keynumber'.
The keyscript should fall back to passphrase input on the console when the
correct key is not found. That adds a safety net for a lost USB key IF
you have a passphrase key defined as well.
I realize this scheme is rather elaborate; I'd settle for a documented
and shipped-by-default keyscript that can mount partitions by
(filesystem) UUID and read the key from there.
Regards,
C.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cryptsetup depends on:
ii  dmsetup             2:1.02.24-3  The Linux Kernel Device Mapper use
ii  libc6               2.7-6        GNU C Library: Shared libraries
ii  libdevmapper1.02.1  2:1.02.24-3  The Linux Kernel Device Mapper use
ii  libpopt0            1.10-3       lib for parsing cmdline parameters
ii  libuuid1            1.40.6-1     universally unique id library
cryptsetup recommends no packages.
-- no debconf information
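The two pieces the report asks for (a preparation tool and a keyscript that reads key N from the slack at the end of the media, falling back to a console passphrase) can be sketched in POSIX shell. The following is an added example written for this page, not code from the reporter or from Debian's cryptsetup package. Everything about the on-media layout is an assumption made here: an 8-byte marker "USBKEY01" followed by four 64-byte raw key slots, all in the last bytes of the media; the filesystem that would occupy the rest of the stick is not created, so a plain image file can stand in for the stick. Further assumptions: lookup under /dev/disk/by-uuid for the UUID half of the crypttab field, /lib/cryptsetup/askpass as the passphrase fallback, and /dev/urandom instead of the post's /dev/random so the script never blocks. The CRYPTTAB_NAME variable is only used if the caller exports it.

```shell
#!/bin/sh
# Added example, not Debian's cryptsetup code: one possible layout for the scheme in the post.
# Layout (assumed): the last FREE_LEN bytes of the media hold an 8-byte magic string
# followed by MAX_KEYS raw key slots of KEY_LEN bytes each. A filesystem would occupy
# the bytes before that; making it is left out so this runs on a plain image file.
MAGIC="USBKEY01"   # hypothetical marker, 8 ASCII bytes
MAGIC_LEN=8
KEY_LEN=64         # 512-bit raw key per slot
MAX_KEYS=4
FREE_LEN=$(( MAGIC_LEN + MAX_KEYS * KEY_LEN ))

# media_size DEV: size in bytes of a block device or of an image file
media_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# read_hex DEV OFFSET LEN: LEN bytes at OFFSET as a lowercase hex string
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -A n -t x1 -v | tr -d ' \n'
}

# free_start DEV: byte offset where the reserved region begins; fails if the media is too small
free_start() {
    size=$(media_size "$1")
    [ "$size" -gt "$FREE_LEN" ] || return 1
    echo $(( size - FREE_LEN ))
}

# prepare_key_media IMG SIZE_KIB: the "small tool" from step 1, run against an image file
prepare_key_media() {
    # wipe everything with random data (the post suggests badblocks -w or dd from urandom)
    dd if=/dev/urandom of="$1" bs=1024 count="$2" 2>/dev/null
    off=$(free_start "$1") || return 1
    # magic at the start of the free space
    printf '%s' "$MAGIC" | dd of="$1" bs=1 seek="$off" conv=notrunc 2>/dev/null
    # one raw key per slot; /dev/urandom instead of the post's /dev/random so it never blocks
    i=0
    while [ "$i" -lt "$MAX_KEYS" ]; do
        dd if=/dev/urandom of="$1" bs=1 seek=$(( off + MAGIC_LEN + i * KEY_LEN )) \
           count="$KEY_LEN" conv=notrunc 2>/dev/null
        i=$(( i + 1 ))
    done
}

# has_magic DEV: true only if the marker sits exactly where the layout puts it
has_magic() {
    off=$(free_start "$1") || return 1
    [ "$(read_hex "$1" "$off" "$MAGIC_LEN")" = "$(printf '%s' "$MAGIC" | od -A n -t x1 -v | tr -d ' \n')" ]
}

# key_offset DEV N: byte offset of key slot N; fails when there is no magic or N is not a valid slot
key_offset() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -lt "$MAX_KEYS" ] || return 1
    has_magic "$1" || return 1
    off=$(free_start "$1")
    echo $(( off + MAGIC_LEN + $2 * KEY_LEN ))
}

# key_hex DEV N: key slot N as hex (for checks; the keyscript itself emits raw bytes)
key_hex() {
    off=$(key_offset "$1" "$2") || return 1
    read_hex "$1" "$off" "$KEY_LEN"
}

# resolve_media ID: a real keyscript would look the stick up under /dev/disk/by-uuid (assumed);
# a plain path is accepted too so an image file can stand in for the stick
resolve_media() {
    if [ -e "/dev/disk/by-uuid/$1" ]; then echo "/dev/disk/by-uuid/$1"
    elif [ -e "$1" ]; then echo "$1"
    else return 1
    fi
}

# keyscript SPEC: SPEC is the crypttab key field "UUID:keynumber"; writes the raw key to stdout,
# otherwise falls back to a console passphrase via /lib/cryptsetup/askpass (assumed path)
keyscript() {
    id=${1%%:*}; num=${1#*:}
    if dev=$(resolve_media "$id") && off=$(key_offset "$dev" "$num"); then
        dd if="$dev" bs=1 skip="$off" count="$KEY_LEN" 2>/dev/null
        return 0
    fi
    if [ -x /lib/cryptsetup/askpass ]; then
        /lib/cryptsetup/askpass "USB key not found; passphrase for ${CRYPTTAB_NAME:-volume}: "
    else
        echo "USB key not found and no askpass available" >&2
        return 1
    fi
}

# usage: ./usbkey.sh prepare /dev/sdX 64   |   ./usbkey.sh key 'UUID:0'
case "${1:-}" in
    prepare) prepare_key_media "$2" "$3" ;;
    key)     keyscript "$2" ;;
esac
```

The key bytes written to slot N would still have to be added to the LUKS header (cryptsetup luksAddKey with the raw bytes as key file) before the keyscript is of any use, and the passphrase fallback only helps if a passphrase slot exists alongside it, as the report notes. Reading the marker at a computed offset rather than scanning the whole device keeps the boot-time check cheap and avoids false matches on random wipe data.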