[Pkg-cryptsetup-devel] Bug#471727: Bug#471727: cryptsetup: out-of-the-box support for using an USB stick as a key

Jonas Meurer jonas at freesources.org
Wed Mar 19 20:57:04 UTC 2008 

On 19/03/2008 Christian Pernegger wrote:
> I'd like to be able to use a small USB stick as a physical "key" to my
> system. There are various mini-HOWTOs and keyscripts floating around
> that describe people's custom implementations of this but I think
> having this as a supported feature in Debian would be better than a
> bunch of custom solutions.

Hey Christian,

Feel free to provide patches for your suggested implementation. At least
you should provide exact documentation about how to implement it.

> The following functionality would be needed:
> 
> 1) A small tool that prepares an USB stick (or other removable media)
> to be used as the "key". There's of course various ways to put the key
> onto the media, at the moment I'm favouring
> 
> - wipe the stick using badblocks -w -t random or dd if=/dev/urandom
> - make a filesystem on the stick, possibly on a partition if it is
>   customary to partition them. This would probably be VFAT. The
>   partition / filesystem should be *slightly smaller* than the media,
>   leaving a few bytes of space, probably at the end.
> - put an UUID / magic number at the start of the free space 
> - create the key(s) by dd-ing it / them directly from /dev/random to the free
>   space on the media at intervals.
> - add this key as a luks key.

Sounds like an interesting approach, but - as already mentioned - please
at least describe step by step how to actually implement that.

> 2) A keyscript that looks for the UUID / magic number on candidate
> media and reads the appropriate key. The key field in /etc/crypttab
> that's passed as the parameter would be of the form 'UUID:keynumber'.
> 
> The keyscript should fallback to passphrase input on console when the
> correct key is not found. That adds a safety net for lost USB key IF
> you have a passphrase key defined as well.
> 
> I realize this scheme is rather elaborate, I'd settle for a documented
> and shipped-by-default keyscript that can mount partitions by
> (filesystem) UUID and read the key from there.  

greetings,
 jonas

More information about the Pkg-cryptsetup-devel mailing list