[pkg-cryptsetup-devel] Bug#864647: cryptsetup: Patch to get cryptokey from external device (e.g. USB stick)
Ole Tange
debian.org at tange.dk
Mon Jun 12 11:39:08 UTC 2017
Package: cryptsetup
Version: 2:1.6.6-5
Severity: wishlist
Dear Maintainer,
I use cryptsetup so that I can send disks for repairs without worrying about confidential data on the disks. I would love to use cryptsetup on servers, but I need to be able to reboot the servers without having to enter the passphrase.
It would be ideal to me if I could simply have a small USB stick containing a passphrase that will unlock the disk. Not only would that be handy for servers (where you could leave the USB stick in the server), it would also be great for my laptop: Insert the USB stick when booting and remove it after unlocking the cryptodisk.
I have now written a patch that will search all devices for the file 'cryptkey.txt' and try decrypting with each line as a key.
The patch is released under the same license as /usr/share/initramfs-tools/scripts/local-top/cryptroot
I am aware of the “passdev” keyscript (/usr/share/doc/cryptsetup/README.initramfs.gz section 10). My patch has the following advantages:
* It searches every partition being connected. This gives 2 advantages:
- You do not need to change the line in cryptsetup, but can have that be the same for all servers.
- You do not need to remember the label of the USB-disk if the USB-disk breaks.
* It tries all lines as a key. This way you can unlock many machines with different keys with a single USB-disk.
* It is easy to get working. Creating a USB-disk with the key can be done on a Microsoft Windows machine with no special software. So even beginners can do this.
* It is safe: Trying to get passdev to work I managed to make my server unbootable - it got stuck in a loop looking for the USB-disk, and it never gave me the option to enter the key manually even though I had put in a 10-second timeout. It took an hour to get the system working again - and I never got passdev to work. With my patch you simply enter the passphrase as normal, if the automation fails.
(I was unable to reopen https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746806)
/Ole
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.16.0-4-amd64 root=/dev/mapper/nlv-root ro quiet
-- /etc/crypttab
#sda5_crypt UUID=b5da252b-d4ce-4c8b-9274-1dc6b53cbf5b none luks
luks-b5da252b-d4ce-4c8b-9274-1dc6b53cbf5b UUID=b5da252b-d4ce-4c8b-9274-1dc6b53cbf5b none luks
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/nlv-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=944f19d7-138a-4270-b42f-a5322a57b047 /boot ext2 defaults 0 2
/dev/mapper/nlv-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /media/usb0 auto rw,user,noauto 0 0
/dev/sdb2 /media/usb1 auto rw,user,noauto 0 0
#LABEL=freeagent /mnt/freeagent auto rw,relatime,data=journal,auto 0 0
LABEL=freeagent /mnt/freeagent auto rw,relatime,data=ordered,auto 0 0
#LABEL=freeagent /mnt/freeagent auto rw,relatime,data=writeback,auto 0 0
tmpfs /mnt/ram tmpfs rw,noexec,nosuid,size=5%,mode=1777 0 0
-- lsmod
-- System Information:
Debian Release: 8.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.6.6-5
ii debconf [debconf-2.0] 1.5.56
ii dmsetup 2:1.02.90-2.2+deb8u1
ii libc6 2.19-18+deb8u9
Versions of packages cryptsetup recommends:
ii busybox 1:1.22.0-9+deb8u1
ii console-setup 1.123
ii initramfs-tools [linux-initramfs-tool] 0.120+deb8u3
ii kbd 1.15.5-2
Versions of packages cryptsetup suggests:
ii dosfstools 3.0.27-1
pn keyutils <none>
ii liblocale-gettext-perl 1.05-8+b1
-- debconf information excluded
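An added sketch of the keyscript shape the report describes (this is not the patch from the report, which is not reproduced on this page): it looks for cryptkey.txt on every partition, tries each line against the LUKS device with cryptsetup's --test-passphrase, and falls back to the normal askpass prompt so a missing or broken stick never blocks boot. It assumes Debian's cryptroot passes the source device to keyscripts as CRYPTTAB_SOURCE and reads the key from the script's stdout.

```shell
#!/bin/sh
# Added example keyscript (not the patch from this report): look for
# cryptkey.txt on every partition, try each line against the LUKS device,
# and fall back to the normal prompt. Assumed: cryptroot exports
# CRYPTTAB_SOURCE and reads the key from stdout; cryptsetup has --test-passphrase.
KEYFILE_NAME="cryptkey.txt"
# key_unlocks KEY DEVICE: true if KEY opens DEVICE (no mapping is created).
key_unlocks() {
    printf '%s' "$1" | cryptsetup luksOpen --test-passphrase --key-file=- "$2" >/dev/null 2>&1
}
# select_key FILE DEVICE: print the first line of FILE that unlocks DEVICE.
# Blank lines and CRLF endings (file written on Windows) are tolerated.
select_key() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -n "$line" ] || continue
        if key_unlocks "$line" "$2"; then
            printf '%s' "$line"
            return 0
        fi
    done < "$1"
    return 1
}
# find_key_file MOUNTPOINT...: print the path of the first key file found.
find_key_file() {
    for mnt in "$@"; do
        [ -f "$mnt/$KEYFILE_NAME" ] && { printf '%s' "$mnt/$KEYFILE_NAME"; return 0; }
    done
    return 1
}
# scan_devices DEVICE: mount candidate partitions read-only (nodev,nosuid,
# noexec) one at a time and print the first key that opens DEVICE.
scan_devices() {
    mnt=$(mktemp -d) || return 1
    for part in /dev/sd[a-z][0-9]* /dev/mmcblk[0-9]p[0-9]*; do
        [ -b "$part" ] || continue
        mount -o ro,nodev,nosuid,noexec "$part" "$mnt" 2>/dev/null || continue
        if kf=$(find_key_file "$mnt") && key=$(select_key "$kf" "$1"); then
            umount "$mnt"; rmdir "$mnt"; printf '%s' "$key"; return 0
        fi
        umount "$mnt"
    done
    rmdir "$mnt"; return 1
}
# Entry point: only acts when cryptroot invokes this as a keyscript, so the
# functions can also be sourced on their own.
if [ -n "$CRYPTTAB_SOURCE" ]; then
    scan_devices "$CRYPTTAB_SOURCE" ||
        /lib/cryptsetup/askpass "Enter passphrase for $CRYPTTAB_SOURCE: "
fi
```

The key file is equivalent to the passphrase, so the stick should be treated with the same care; the read-only, nodev,nosuid,noexec mount keeps a stray partition from doing anything beyond supplying the text file.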