[Pkg-cryptsetup-devel] Bug#471727: cryptsetup: out-of-the-box support for using an USB stick as a key

Christian Pernegger pernegger at gmail.com
Wed Mar 19 19:23:40 UTC 2008 

Package: cryptsetup
Version: 2:1.0.6~pre1+svn45-1
Severity: wishlist


I'd like to be able to use a small USB stick as a physical "key" to my
system. There are various mini-HOWTOs and keyscripts floating around
that describe people's custom implementations of this but I think
having this as a supported feature in Debian would be better than a
bunch of custom solutions.

The following functionality would be needed:

1) A small tool that prepares an USB stick (or other removable media)
to be used as the "key". There's of course various ways to put the key
onto the media, at the moment I'm favouring

- wipe the stick using badblocks -w -t random or dd if=/dev/urandom
- make a filesystem on the stick, possibly on a partition if it is
  customary to partition them. This would probably be VFAT. The
  partition / filesystem should be *slightly smaller* than the media,
  leaving a few bytes of space, probably at the end.
- put an UUID / magic number at the start of the free space 
- create the key(s) by dd-ing it / them directly from /dev/random to the free
  space on the media at intervals.
- add this key as a luks key.

2) A keyscript that looks for the UUID / magic number on candidate
media and reads the appropriate key. The key field in /etc/crypttab
that's passed as the parameter would be of the form 'UUID:keynumber'.

The keyscript should fallback to passphrase input on console when the
correct key is not found. That adds a safety net for lost USB key IF
you have a passphrase key defined as well.

I realize this scheme is rather elaborate, I'd settle for a documented
and shipped-by-default keyscript that can mount partitions by
(filesystem) UUID and read the key from there.  


Regards,

C.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cryptsetup depends on:
ii  dmsetup                      2:1.02.24-3 The Linux Kernel Device Mapper use
ii  libc6                        2.7-6       GNU C Library: Shared libraries
ii  libdevmapper1.02.1           2:1.02.24-3 The Linux Kernel Device Mapper use
ii  libpopt0                     1.10-3      lib for parsing cmdline parameters
ii  libuuid1                     1.40.6-1    universally unique id library

cryptsetup recommends no packages.

-- no debconf information

More information about the Pkg-cryptsetup-devel mailing list