[pkg-cryptsetup-devel] Bug#746806: cryptsetup: Patch to get cryptokey from external device (e.g. USB stick)
Ole Tange
debian.org at tange.dk
Sat May 3 20:11:48 UTC 2014
Package: cryptsetup
Version: 2:1.4.3-4
Severity: wishlist
Dear Maintainer,
I use cryptsetup so that I can send disks for repairs without worrying about confidential data on the
disks. I would love to use cryptsetup on servers, but I need to be able to reboot the servers without
having to enter the passphrase.
It would be ideal to me if I could simply have a small USB stick containing a passphrase that will
unlock the disk. Not only would that be handy for servers (where you could leave the USB stick in the
server), it would also be great for my laptop: Insert the USB stick when booting and remove it after
unlocking the cryptodisk.
I have now written a patch that will search all devices for the file 'cryptkey.txt' and try decrypting
with each line as a key.
The patch is released under the same license as /usr/share/initramfs-tools/scripts/local-top/cryptroot.
Regards,
Ole Tange
--- /usr/share/initramfs-tools/scripts/local-top/cryptroot 2012-11-16 09:24:09.000000000 +0100
+++ /tmp/cryptroot 2014-05-03 21:52:18.537256317 +0200
@@ -263,11 +263,19 @@
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
count=$(( $count + 1 ))
- if [ $count -gt 1 ]; then
- /bin/sleep 3
- fi
+ /bin/sleep 3
if [ -z "$cryptkeyscript" ]; then
+ # Test all devices
+ mkdir /mnt
+ echo -n "Searching for cryptkey.txt on available disks... "
+ for PART in `cat /proc/partitions |awk '{print $4}'|tail -n +3`; do
+ if mount /dev/$PART /mnt 2>/dev/null; then
+ cat /mnt/cryptkey.txt >> /tmp/cryptkeys.txt 2>/dev/null
+ umount /dev/$PART
+ fi
+ done
+ echo "done."
cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
if [ -x /bin/plymouth ] && plymouth --ping; then
cryptkeyscript="plymouth ask-for-password --prompt"
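Review bot: the device search mounts every entry listed in /proc/partitions read-write (`mount /dev/$PART /mnt`), which includes whole disks, the encrypted target itself and whatever media happens to be attached at boot; at minimum mount read-only (`mount -o ro /dev/$PART /mnt`) so the boot never writes to or journal-replays a foreign filesystem, and consider restricting the search to removable devices or to a known filesystem label instead of every block device. `mkdir /mnt` runs on every pass of the enclosing `while` retry loop and fails noisily once the directory exists, so use `mkdir -p`; the whole scan is also repeated on each retry pass, which adds a mount/umount of every partition to every failed attempt. Separately, dropping the `if [ $count -gt 1 ]` guard around `/bin/sleep 3` adds an unconditional 3-second delay to the first attempt as well, which is unrelated to the feature and should stay out of this patch.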
@@ -279,10 +287,24 @@
if [ ! -e "$NEWROOT" ]; then
- if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
+ KEYFOUND=0
+ if [ -e /tmp/cryptkeys.txt ] ; then
+ echo Trying keys from cryptkey.txt
+ for KEY in `cat /tmp/cryptkeys.txt`; do
+ if crypttarget="$crypttarget" cryptsource="$cryptsource" \
+ echo -n $KEY | $cryptcreate --key-file=- ; then
+ # Found the key
+ echo Key found in cryptkey.txt
+ KEYFOUND=1
+ KEY=""
+ fi
+ done
+ rm /tmp/cryptkeys.txt
+ fi
+ if [ "$KEYFOUND" = "0" ]; then
+ if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
$cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
message "cryptsetup: cryptsetup failed, bad password or options?"
continue
+ fi
fi
fi
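Review bot: `for KEY in \`cat /tmp/cryptkeys.txt\`` splits on every run of whitespace and glob-expands each word, so a passphrase containing a space or a `*` is never tried as written, which contradicts the stated "each line as a key"; read the file line by line instead, e.g. `while read -r KEY; do ...; done < /tmp/cryptkeys.txt`, and quote the variable as `echo -n "$KEY"`. After a successful `$cryptcreate` the loop keeps going; `KEY=""` has no effect on the remaining iterations, so every leftover line is still piped into `$cryptcreate` against the already opened mapping. Add a `break` right after `KEYFOUND=1`. Minor: the `echo Trying keys ...` and `echo Key found ...` lines bypass the script's `message` helper that the surrounding code (e.g. `message "cryptsetup: cryptsetup failed, ..."`) uses for console output.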
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.2.0-4-amd64 root=/dev/mapper/nlv-root ro quiet
-- /etc/crypttab
sda5_crypt UUID=b5da252b-d4ce-4c8b-9274-1dc6b53cbf5b none luks
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/nlv-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=944f19d7-138a-4270-b42f-a5322a57b047 /boot ext2 defaults 0 2
/dev/mapper/nlv-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /media/usb0 auto rw,user,noauto 0 0
/dev/sdb2 /media/usb1 auto rw,user,noauto 0 0
-- lsmod
Module Size Used by
parport_pc 22364 0
ppdev 12763 0
lp 17149 0
parport 31858 3 lp,ppdev,parport_pc
bnep 17567 2
rfcomm 33700 10
autofs4 27628 1
uinput 17440 1
nfsd 216170 2
nfs 308353 0
nfs_acl 12511 2 nfs,nfsd
auth_rpcgss 37143 2 nfs,nfsd
fscache 36739 1 nfs
lockd 67306 2 nfs,nfsd
sunrpc 173730 6 lockd,auth_rpcgss,nfs_acl,nfs,nfsd
ext2 59231 1
loop 22641 0
snd_hda_codec_idt 53792 1
joydev 17266 0
snd_hda_intel 26259 0
snd_hda_codec 78031 2 snd_hda_intel,snd_hda_codec_idt
btusb 17502 2
uvcvideo 57744 0
snd_hwdep 13186 1 snd_hda_codec
videodev 70889 1 uvcvideo
v4l2_compat_ioctl32 16655 1 videodev
hp_wmi 13329 0
bluetooth 119455 23 btusb,rfcomm,bnep
snd_pcm 68083 2 snd_hda_codec,snd_hda_intel
acpi_cpufreq 12935 0
sparse_keymap 12760 1 hp_wmi
media 18148 2 videodev,uvcvideo
snd_page_alloc 13003 2 snd_pcm,snd_hda_intel
i2c_core 23876 1 videodev
mperf 12453 1 acpi_cpufreq
wmi 13243 1 hp_wmi
psmouse 69265 0
rfkill 19012 3 bluetooth,hp_wmi
iTCO_wdt 17081 0
iTCO_vendor_support 12704 1 iTCO_wdt
hp_accel 25200 0
lis3lv02d 17881 1 hp_accel
pcspkr 12579 0
serio_raw 12931 0
input_polldev 12906 1 lis3lv02d
evdev 17562 8
snd_seq 45126 0
snd_seq_device 13176 1 snd_seq
snd_timer 22917 2 snd_seq,snd_pcm
snd 52889 8 snd_timer,snd_seq_device,snd_seq,snd_pcm,snd_hwdep,snd_hda_codec,snd_hda_intel,snd_hda_codec_idt
video 17683 0
processor 28149 5 acpi_cpufreq
container 12581 0
battery 13146 0
ac 12624 0
coretemp 12898 0
button 12937 0
soundcore 13065 1 snd
power_supply 13475 2 ac,battery
ext4 350763 1
crc16 12343 2 ext4,bluetooth
jbd2 62115 1 ext4
mbcache 13114 2 ext4,ext2
xts 12645 8
gf128mul 13048 1 xts
dm_crypt 22586 1
dm_mod 63645 9 dm_crypt
md_mod 87742 0
vfat 17316 0
fat 45642 1 vfat
nls_cp437 16553 0
nls_utf8 12456 0
uhci_hcd 26865 0
sg 25874 0
sr_mod 21899 0
sd_mod 36136 4
cdrom 35401 1 sr_mod
crc_t10dif 12348 1 sd_mod
usb_storage 43870 1
crc32c_intel 12747 0
ghash_clmulni_intel 13130 0
ehci_hcd 40249 0
thermal 17383 0
thermal_sys 18040 3 thermal,processor,video
ahci 24997 2
aesni_intel 50667 32
libahci 22941 1 ahci
aes_x86_64 16843 1 aesni_intel
libata 140630 2 libahci,ahci
scsi_mod 162269 5 libata,usb_storage,sd_mod,sr_mod,sg
xhci_hcd 73434 0
aes_generic 33026 2 aes_x86_64,aesni_intel
cryptd 14517 10 aesni_intel,ghash_clmulni_intel
r8169 47008 0
mii 12675 1 r8169
usbcore 128741 7 xhci_hcd,ehci_hcd,usb_storage,uhci_hcd,uvcvideo,btusb
usb_common 12354 1 usbcore
-- System Information:
Debian Release: 7.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.4.3-4
ii debconf [debconf-2.0] 1.5.49
ii dmsetup 2:1.02.74-8
ii libc6 2.13-38+deb7u1
Versions of packages cryptsetup recommends:
ii busybox 1:1.20.0-7
ii console-setup 1.88
ii initramfs-tools [linux-initramfs-tool] 0.109.1
ii kbd 1.15.3-9
Versions of packages cryptsetup suggests:
ii dosfstools 3.0.13-1
ii liblocale-gettext-perl 1.05-7+b1
-- debconf information:
cryptsetup/prerm_active_mappings: true