[pkg-cryptsetup-devel] Bug#563961: Bug#563961: cryptsetup: Please support single passphrase prompt for multiple volumes
Harald Braumann
harry at unheit.net
Wed Jan 6 19:50:08 UTC 2010
On Wed, 06 Jan 2010 19:35:27 +0100
Michael Gebetsroither <gebi at sbox.tugraz.at> wrote:
> Harald Braumann wrote:
> Your attachment seems to be missing.
Sorry, attached now.
> Though i've written a similar script some time ago and just fixed a
> few things up.
>
> The script can be found on github with additional Dokumentation:
> http://github.com/gebi/keyctl_keyscript/blob/master/keyctl_keyscript
> http://github.com/gebi/keyctl_keyscript
Seems we had the same idea. Differences are:
- I use /lib/cryptsetup/askpass. I think that this is required if you
use a graphical boot screen
- Retry on wrong password (see below)
> > This works quite well, however there are a view problems:
> > - only works on Linux
>
> no problem, as dm-crypt is linux only
Ah, alright.
> > - the passphrase is stored for some time and might be exposed (at
> > least root can dump the stored passphrase)
>
> root can get the passphrase anyway.
Sure, he can do all sorts of things to sniff the passphrase at
entry time. But if it's retained, it can also be retrieved later. Not
that much of a difference, but still.
>
> > - the passphrase is piped between processes and might end up in
> > unsecure memory and be written to swap
>
> This is not nice, ack!
> Though it's not that smart to have crypto filesystems without crypted
> swap.
Agreed, but while it's already bad enough to leak some sensitive data,
it is much worse to leak the passphrase, because that can be used
to decrypt the whole encrypted volume. Also, this can then be
done offline. And the passphrase might be used for other
encrypted volumes. While it is a user error to not encrypt the swap,
the system should be implemented in a way to minimise the damage.
> At least a option to get cryptsetup to cache the passphrase in a
> specific keyring would be nice, and _only_ cache it if the passphrase
> was correct.
My script already does this to a certain extent. You have to tag
a special entry by appending `:' to the key parameter. In this case it
always asks for the passphrase, even if it is called a second time (in
case the user mistyped). This should be the first entry for the group.
> This would also remove the problem with passphrase piping
> and possible ending in unsecure memory.
Yes, that would be nice.
harry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptgroup.tgz
Type: application/x-compressed-tar
Size: 2038 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20100106/06e11eb6/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20100106/06e11eb6/attachment.pgp>
More information about the pkg-cryptsetup-devel
mailing list