[pkg-cryptsetup-devel] Bug#563961: cryptsetup: Please support single passphrase prompt for multiple volumes
Harald Braumann
harry at unheit.net
Wed Jan 6 16:56:45 UTC 2010
Package: cryptsetup
Version: 2:1.1.0~rc2-1
Severity: wishlist
Hi,

cryptsetup should support decrypting multiple volumes with the same passphrase
and only prompt for it once.

Attached is a script which can be used as a `keyscript'. It prompts for the
passphrase and stores it in a key ring for a short amount of time using Linux'
key retention facility. Further passphrase requests are satisfied from the
stored value without prompting again.

This works quite well, however there are a few problems:
- only works on Linux
- the passphrase is stored for some time and might be exposed (at least
  root can dump the stored passphrase)
- the passphrase is piped between processes and might end up in
  unsecure memory and be written to swap

The script contains more detailed documentation.

A better approach would be to add support for this functionality to cryptsetup.
Cryptsetup could then decrypt all volumes that belong to the same group at once
and there would be no need to retain the passphrase. I'm not sure if there would
be problems if the root volume is part of such a group, because then all the
volumes would have to be decrypted at the time the root volume is decrypted, which
happens very early in the boot process.

Until a better solution is found, the attached script could be included in the
package as an example.

Cheers,
harry

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.32.2-hb (SMP w/1 CPU core)
Locale: LANG=POSIX, LC_CTYPE=de_AT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cryptsetup depends on:
ii dmsetup 2:1.02.39-1 The Linux Kernel Device Mapper use
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libdevmapper1.02.1 2:1.02.39-1 The Linux Kernel Device Mapper use
ii libpopt0 1.15-1 lib for parsing cmdline parameters
ii libuuid1 2.16.2-0 Universally Unique ID library
cryptsetup recommends no packages.
Versions of packages cryptsetup suggests:
ii dosfstools 3.0.6-1 utilities for making and checking
ii initramfs-tools [linux-initra 0.93.4 tools for generating an initramfs
ii udev 149-2 /dev/ and hotplug management daemo
-- no debconf information
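
An added sketch of the keyscript approach described in the report above; it is not the script attached to the bug and not code from the cryptsetup package. It caches the passphrase in the user keyring with keyctl(1) and lets the kernel expire it. The key description `cryptkey:<group>`, the 60-second default, the function names and the use of the first argument as a group name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prompt once, cache the passphrase in the kernel keyring,
# serve later requests from the cache until the key times out.
# Assumes keyctl(1) from keyutils; names and timeout are illustrative.

KEY_TIMEOUT=${KEY_TIMEOUT:-60}   # seconds the passphrase stays in the keyring

# Read a passphrase from the controlling terminal with echo disabled
# and write it to stdout (stdout is what the caller consumes).
prompt_passphrase() {
    saved=$(stty -g < /dev/tty)
    stty -echo < /dev/tty
    printf 'Passphrase for group %s: ' "$1" > /dev/tty
    IFS= read -r pass < /dev/tty
    stty "$saved" < /dev/tty
    printf '\n' > /dev/tty
    printf '%s' "$pass"
}

# Print the passphrase for group $1, prompting only on a cache miss.
get_passphrase() {
    desc="cryptkey:$1"
    if id=$(keyctl search @u user "$desc" 2>/dev/null); then
        # Cache hit. This is also the exposure the report mentions:
        # anyone able to read this keyring (root included) can do the same.
        keyctl pipe "$id"
        return
    fi
    pass=$(prompt_passphrase "$1") || return 1
    # padd takes the payload on stdin, so it never shows up in argv,
    # but it still crosses a pipe between two processes.
    id=$(printf '%s' "$pass" | keyctl padd user "$desc" @u) || return 1
    # Bound the retention window; the kernel drops the key afterwards.
    keyctl timeout "$id" "$KEY_TIMEOUT" || return 1
    printf '%s' "$pass"
}

# Used as a keyscript, the file would end with:  get_passphrase "$1"
```

Volumes that pass the same group name share one prompt; a shorter KEY_TIMEOUT narrows the window in which the stored passphrase can be dumped.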