Many LUKS partitions

Hi,

I have more than one encrypted partition (using dm-crypt), and so, at
boot time, I'm prompted for all of their passphrases.

Is there a way to set a sort of master passphrase so that I'll only
input it once?

Another question: is there a way to use a USB pendrive to store the
information needed by LUKS to decrypt the partitions? (so that I
wouldn't have to fill in any password, just plug in the USB pendrive)

Thank you.

--
Salvatore Iovene
http://www.iovene.com


Many LUKS partitions

Hi Salvatore,

The easiest way I have found to do this is to create a partition which
you open with a passphrase that contains the key files for the other
partitions... Then set the other partitions up to open on said key
files. In fact, if you set it up right, you should be able to have the
key partition only open during boot and therefore not user accessible
at any time.

----- Original Message -----
From: "Salvatore Iovene" <salvatore@iovene.com>
To:
Sent: Monday, April 30, 2007 7:01:56 AM (GMT-0500) America/New_York
Subject: Many LUKS partitions

> Hi,
>
> I have more than one encrypted partition (using dm-crypt), and so, at
> boot time, I'm prompted for all of their passphrases.
>
> Is there a way to set a sort of master passphrase so that I'll only
> input it once?
>
> Another question: is there a way to use a USB pendrive to store the
> information needed by LUKS to decrypt the partitions? (so that I
> wouldn't have to fill in any password, just plug in the USB pendrive)
>
> Thank you.
>
> --
> Salvatore Iovene
> http://www.iovene.com

Many LUKS partitions

Salvatore Iovene () wrote:

> I have more than one encrypted partition (using dm-crypt), and so, at
> boot time, I'm prompted for all of their passphrases.
>
> Is there a way to set a sort of master passphrase so that I'll only
> input it once?

Yes and no. What you can do:

- Create one big partition, and encrypt it. Build an LVM on that
partition and divide it as you want. That way you will only need one
password, which unlocks the big partition that holds the LVM.

- Store keyfiles on the first encrypted partition. Enter the password
for that partition, tell cryptsetup that this partition needs to be
mounted for the other ones to be accessed.

> Another question: is there a way to use a USB pendrive to store the
> information needed to LUKS to decrypt the partitions? (so that I
> wouldn't have to fill in any password, just plug the USB pendrive)

Yes, there is. For any partition *except* the root partition, you need
to make the following changes:

- add the key to the LUKS partitions using cryptsetup luksAddKey
- make an entry for your stick in your fstab, e.g. /media/key
- copy the keyfile to the stick, e.g. to /media/key/keyfile
- change your crypttab to use the keyfile, e.g.
usr-crypt /dev/hda7 /media/key/keyfile luks
- change CRYPTDISKS_MOUNT in /etc/defaults/cryptsetup to include your
USB stick, e.g. CRYPTDISKS_MOUNT="/media/key"
- rebuild your initrd using update-initramfs -u

As far as I know using a key on an USB stick for your root partition is
a little more complicated. I needed to make the following extra
changes:

- change /etc/initramfs-tools/modules to make sure initramfs includes
the necessary modules for the FAT file system and codepages (not needed
if you use ext2 as the file system on your stick; USB mass storage and
SCSI disk support were included by default)

I had to add the following lines:

nls_cp437
nls_iso8859_1
vfat

- write a keyscript that takes care of mounting the stick, gets the key
file, writes it to stdout and unmounts the stick. The script I use is
this one:

#!/bin/sh
# Keyscript for cryptsetup: everything except the key itself goes to
# stderr, because cryptsetup reads the key from this script's stdout.
modprobe usb-storage 1>&2         # load usb mass storage driver
sleep 5                           # wait for recognized devices to settle
mkdir /keydev 1>&2
# read-only mount with umask=077 so the key is only readable by root
mount -t vfat -o ro,umask=077 /dev/sda1 /keydev 1>&2
cat /keydev/key                   # the key file is the only thing on stdout
umount /keydev 1>&2

Note that all normal output is redirected to stderr so it doesn't get
mixed up with the key file.

- save the keyscript to /sbin and change the crypttab entry for my root
partition:

root_crypt /dev/hda6 none luks,keyscript=/sbin/keyscript

Note that using /sbin is not required, you can save the keyscript
anywhere you like and adapt your crypttab accordingly.

- rebuild the initrd using update-initramfs -u. It will include your
keyscript automatically, no need to copy anything on your own.

That's it. Another thing you should keep in mind when changing crypto
settings for your root partition: when you do something wrong and
rebuild the initrd, after rebooting you won't be able to mount the root
partition anymore, except with the help of some external Linux system,
e.g. from a live CD like grml or knoppix. Keep a backup of your initrd
with the settings still using passwords and add an entry for it to your
boot loader configuration - that way as long as you are not sure that
everything works you can still boot into your system using your
passwords. Took me more than an hour of rebooting grml, cryptsetupping,
mounting, chrooting my root fs and rebuilding initrds until I had the
idea to do it another way.

regards
Andreas Janssen

--
Andreas Janssen
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html
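
The keyscript above hard-codes /dev/sda1, which breaks as soon as device
names shift at boot, and it produces no key at all if the stick is not
plugged in. The following is an added example keyscript, not Andreas's
script or part of the Debian cryptsetup package: it finds the stick by
filesystem label, waits for udev to create the node, refuses to emit an
empty or missing key file, always unmounts the stick, and falls back to
a passphrase prompt so the initrd backup described above is less often
needed. Assumed names: the label KEYSTICK, the key file "keyfile" on the
stick, and /lib/cryptsetup/askpass from the cryptsetup package.

```shell
#!/bin/sh
# Added example keyscript (not from the original post). Assumptions:
# stick labelled KEYSTICK, key stored as /keyfile on it, askpass present.
KEY_LABEL="${KEY_LABEL:-KEYSTICK}"
KEY_PATH="${KEY_PATH:-keyfile}"
BY_LABEL="${BY_LABEL:-/dev/disk/by-label}"
MNT=/keydev

# Poll until $1/$2 exists or $3 seconds have passed. Returns 1 on timeout.
wait_for_device() {
    dir=$1; label=$2; tries=$3
    while [ "$tries" -gt 0 ]; do
        [ -e "$dir/$label" ] && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Print key file $1 to stdout only if it is a regular, non-empty file.
# Diagnostics go to stderr so they can never be mixed into the key bytes.
emit_key() {
    if [ ! -f "$1" ]; then echo "keyscript: $1 missing" >&2; return 1; fi
    if [ ! -s "$1" ]; then echo "keyscript: $1 is empty" >&2; return 1; fi
    cat "$1"
}

# Full flow; cryptsetup runs the keyscript with the crypttab key field as $1.
main() {
    modprobe usb-storage >&2 2>/dev/null || true
    if wait_for_device "$BY_LABEL" "$KEY_LABEL" 10; then
        mkdir -p "$MNT" >&2
        # unmount on any exit path so the key stick is never left mounted
        trap 'umount "$MNT" >&2 2>/dev/null' EXIT
        mount -t vfat -o ro,umask=077 "$BY_LABEL/$KEY_LABEL" "$MNT" >&2
        emit_key "$MNT/$KEY_PATH" && exit 0
    fi
    # No usable key on a stick: fall back to the normal passphrase prompt.
    echo "keyscript: key stick not found, asking for passphrase" >&2
    /lib/cryptsetup/askpass "Enter passphrase: "
}

if [ -n "${1:-}" ]; then main "$@"; fi
```

The crypttab entry stays as in the post (keyscript=/sbin/keyscript); only
the stick's label and the key file name need to match the variables.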

--

Many LUKS partitions

On Mon, 30 Apr 2007 15:14:44 +0200 Andreas Janssen
wrote:

> - add the key to the luks-Partitions using cryptsetup luksAddKey
> - make an entry for your stick in your fstab, e.g. /media/key
> - copy the keyfile to the stick, e.g. to /media/key/keyfile
> - change your crypttab to use the keyfile, e.g.
> usr-crypt /dev/hda7 /media/key/keyfile luks
> - change CRYPTDISKS_MOUNT in /etc/defaults/cryptsetup to include your
> USB stick, e.g. CRYPTDISKS_MOUNT="/media/key"
> - rebuild your initrd using update-initramfs -u

Hi, thanks a lot, that worked very well. Just a note: the entry for the
usb stick in fstab has to have the following options:
uid=0,gid=0,umask=277.

Thanks again.

--
Salvatore Iovene
http://www.iovene.com

--

Many LUKS partitions

On Mon, 30 Apr 2007 18:22:48 +0300 Salvatore Iovene
wrote:

> On Mon, 30 Apr 2007 15:14:44 +0200 Andreas Janssen
> wrote:
>
> > - add the key to the luks-Partitions using cryptsetup luksAddKey
> > - make an entry for your stick in your fstab, e.g. /media/key
> > - copy the keyfile to the stick, e.g. to /media/key/keyfile
> > - change your crypttab to use the keyfile, e.g.
> > usr-crypt /dev/hda7 /media/key/keyfile luks
> > - change CRYPTDISKS_MOUNT in /etc/defaults/cryptsetup to include
> > your USB stick, e.g. CRYPTDISKS_MOUNT="/media/key"
> > - rebuild your initrd using update-initramfs -u
>
> Hi, thanks a lot, that worked very well. Just a note: the entry for
> the usb stick in fstab has to have the following options:
> uid=0,gid=0,umask=277.

By the way, could you explain to me why the update-initramfs -u is
needed? Thanks.

--
Salvatore Iovene
http://www.iovene.com

--

Many LUKS partitions

Salvatore Iovene () wrote:

> On Mon, 30 Apr 2007 18:22:48 +0300 Salvatore Iovene
> wrote:
>
>> On Mon, 30 Apr 2007 15:14:44 +0200 Andreas Janssen
>> wrote:
>>
>> > - add the key to the luks-Partitions using cryptsetup luksAddKey
>> > - make an entry for your stick in your fstab, e.g. /media/key
>> > - copy the keyfile to the stick, e.g. to /media/key/keyfile
>> > - change your crypttab to use the keyfile, e.g.
>> > usr-crypt /dev/hda7 /media/key/keyfile
>> > luks
>> > - change CRYPTDISKS_MOUNT in /etc/defaults/cryptsetup to include
>> > your USB stick, e.g. CRYPTDISKS_MOUNT="/media/key"
>> > - rebuild your initrd using update-initramfs -u
>>
>> Hi, thanks a lot, that worked very well. Just a note: the entry for
>> the usb stick in fstab has to have the following options:
>> uid=0,gid=0,umask=277.
>
> By the way, could you explain to me why the update-initramfs -u is
> needed? Thanks.

The initial ram disk is mounted first and supplies a minimal system that
is sufficient to load drivers, initialize LVM/raid/crypto devices in
order to mount your root partition. If you encrypt your root partition,
you need to update the ram disk so a new initrd is created that can set
up your encrypted root partition properly, otherwise you wouldn't be
able to mount it. You can also have it set up other encrypted
partitions, although this is not absolutely necessary.

regards
Andreas Janssen

--
Andreas Janssen
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html

--
