[pkg-cryptsetup-devel] Bug#563961: Bug#563961: cryptsetup: Please support single passphrase prompt for multiple volumes
Michael Gebetsroither
gebi at sbox.tugraz.at
Wed Jan 6 18:35:27 UTC 2010
Harald Braumann wrote:
Hallo Harald,
> cryptsetup should support decrypting multiple volumes with the same passphrase
> and only prompt for it once.
>
> Attached is a script which can be used as a `keyscript'. It prompts for the
> passphrase and stores it in a key ring for a short amount of time using Linux'
> key retention facility. Further passphrase requests are satisfied from the
> stored value without prompting again.
Your attachment seems to be missing.
Though i've written a similar script some time ago and just fixed a few
things up.
The script can be found on github with additional Dokumentation:
http://github.com/gebi/keyctl_keyscript/blob/master/keyctl_keyscript
http://github.com/gebi/keyctl_keyscript
> This works quite well, however there are a view problems:
> - only works on Linux
no problem, as dm-crypt is linux only
> - the passphrase is stored for some time and might be exposed (at least
> root can dump the stored passphrase)
root can get the passphrase anyway.
> - the passphrase is piped between processes and might end up in
> unsecure memory and be written to swap
This is not nice, ack!
Though it's not that smart to have crypto filesystems without crypted swap.
> A better approach would be to add support for this functionality to cryptsetup.
> Cryptsetup could then decrypt all volumes that belong to the same group at once
> and there would be no need to retain the passphrase. I'm not sure, if there would
> be problems if the root volume is part of such a group, because then all the
> volumes would have to be decrypted at the time the root volume is decrypted, which
> happens very early in the boot process.
At least a option to get cryptsetup to cache the passphrase in a
specific keyring would be nice, and _only_ cache it if the passphrase
was correct. This would also remove the problem with passphrase piping
and possible ending in unsecure memory.
michael
More information about the pkg-cryptsetup-devel
mailing list