Hi,
Currently I am writing a script to automount encrypted vnconfig partitions
(using hotplugd) when I insert a USB stick. The saltfile is on the USB stick,
so basically there is no need to manually enter the encryption key if only I
have access to the USB stick.
To be able to do that I need to supply the encryption key to vnconfig in some
way, so I added the -p option.
Normally this wouldn't be a good idea, but in cases like mine the security
issues should be minimal, if any, especially since -p only works when also
using -K and -S.
What do you think?
Index: mount_vnd.8
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/mount_vnd.8,v
retrieving revision 1.13
diff -u -r1.13 mount_vnd.8
--- mount_vnd.8 26 May 2008 21:14:46 -0000 1.13
+++ mount_vnd.8 28 Jun 2008 21:23:33 -0000
@@ -60,8 +60,15 @@
.Nm mount_vnd
.Bk -words
.Op Fl k
+.Op Fl o Ar options
+.Ar image
+.Ar vnd_dev
+.Ek
+.Nm mount_vnd
+.Bk -words
.Op Fl K Ar rounds
.Op Fl o Ar options
+.Op Fl p Ar pass
.Op Fl S Ar saltfile
.Ar image
.Ar vnd_dev
@@ -70,6 +77,7 @@
.Bk -words
.Op Fl ckluv
.Op Fl K Ar rounds
+.Op Fl p Ar pass
.Op Fl S Ar saltfile
.Ar vnd_dev
.Ar image
@@ -162,10 +170,11 @@
The user is asked for both a passphrase and the name of a salt file.
The salt file can also be specified on the command line using the
.Fl S
+option. The passphrase can be specified using the
+.Fl p
option.
-The passphrase and salt are combined according to PKCS #5 PBKDF2 for the
-specified number of
-rounds to generate the actual key used.
+The passphrase and salt are combined according to PKCS #5 PBKDF2
+for the specified number of rounds to generate the actual key used.
.Ar rounds
is a number between 1000 and
.Dv INT_MAX .
@@ -199,6 +208,13 @@
.Fl o
is only here for compatibility reasons, but no use is made of supplied
options.
+.It Fl p Ar pass
+When
+.Fl K
+is used, use this passphrase as the encryption key. Can be used to
+automount encrypted partitions when inserting an USB stick, if
+.Xr hotplugd 8
+is configured properly.
.It Fl S Ar saltfile
When
.Fl K
Index: mount_vnd.c
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/mount_vnd.c,v
retrieving revision 1.5
diff -u -r1.5 mount_vnd.c
--- mount_vnd.c 14 Jun 2008 01:47:27 -0000 1.5
+++ mount_vnd.c 28 Jun 2008 21:23:33 -0000
@@ -69,13 +69,13 @@
__dead void usage(void);
int config(char *, char *, int, char *, size_t);
int getinfo(const char *);
-char *get_pkcs_key(char *, char *);
+char *get_pkcs_key(char *, char *, char *);
int
main(int argc, char **argv)
{
int ch, rv, action, opt_c, opt_k, opt_K, opt_l, opt_u;
- char *key, *mntopts, *rounds, *saltopt;
+ char *key, *mntopts, *passopt, *rounds, *saltopt;
size_t keylen = 0;
extern char *__progname;
@@ -83,10 +83,10 @@
run_mount_vnd = 1;
opt_c = opt_k = opt_K = opt_l = opt_u = 0;
- key = mntopts = rounds = saltopt = NULL;
+ key = mntopts = passopt = rounds = saltopt = NULL;
action = VND_CONFIG;
- while ((ch = getopt(argc, argv, "ckK:lo:S:uv")) != -1) {
+ while ((ch = getopt(argc, argv, "ckK:lo:p:S:uv")) != -1) {
switch (ch) {
case 'c':
opt_c = 1;
@@ -104,6 +104,9 @@
case 'o':
mntopts = optarg;
break;
+ case 'p':
+ passopt = optarg;
+ break;
case 'S':
saltopt = optarg;
break;
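Review bot: `passopt = optarg` leaves the passphrase in the process's argv, where it is typically visible to other local users through ps(1) for as long as mount_vnd runs, and it may also end up in shell history when the option is typed by hand rather than from a hotplugd script. The patch does not mitigate or document this; at minimum the case should carry a comment such as `/* passphrase stays in argv and is visible via ps(1) until overwritten */`, and the man page text for -p in the mount_vnd.8 hunk should state the same trade-off. A stronger fix is to overwrite the argument once it has been copied into keybuf, or to accept the passphrase from a file or descriptor instead of the command line.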
@@ -134,6 +137,9 @@
if (saltopt && (!opt_K))
errx(1, "-S only makes sense when used with -K");
+ if (passopt && (!saltopt))
+ errx(1, "-p only allowed when used with -K and -S");
+
if (action == VND_CONFIG && argc == 2) {
int ind_raw, ind_reg;
@@ -144,7 +150,7 @@
if (key == NULL || (keylen = strlen(key)) == 0)
errx(1, "Need an encryption key");
} else if (opt_K) {
- key = get_pkcs_key(rounds, saltopt);
+ key = get_pkcs_key(rounds, passopt, saltopt);
keylen = BLF_MAXUTILIZED;
}
@@ -168,7 +174,7 @@
}
char *
-get_pkcs_key(char *arg, char *saltopt)
+get_pkcs_key(char *arg, char *passopt, char *saltopt)
{
char keybuf[128], saltbuf[128], saltfilebuf[PATH_MAX];
char *saltfile;
@@ -179,9 +185,13 @@
rounds = strtonum(arg, 1000, INT_MAX, &errstr);
if (errstr)
err(1, "rounds: %s", errstr);
- key = getpass("Encryption key: ");
- if (!key || strlen(key) == 0)
- errx(1, "Need an encryption key");
+ if (!passopt || strlen(passopt) == 0) {
+ key = getpass("Encryption key: ");
+ if (!key || strlen(key) == 0)
+ errx(1, "Need an encryption key");
+ } else {
+ key = passopt;
+ }
strncpy(keybuf, key, sizeof(keybuf));
if (saltopt)
saltfile = saltopt;
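Review bot: The new `key = passopt` branch accepts a passphrase of any length, but the following `strncpy(keybuf, key, sizeof(keybuf))` silently truncates it and leaves keybuf without a NUL terminator when the input is 128 bytes or longer, so a long command-line passphrase would derive a key from a prefix without any error; the getpass() path is presumably bounded by the library, so this is newly reachable through -p. Reject oversized input before the copy: `if (passopt && strlen(passopt) >= sizeof(keybuf)) errx(1, "passphrase too long");`. The same spot, right after the copy, is where the argv string could be cleared with `memset(passopt, 0, strlen(passopt));` so it no longer shows in ps(1) for the rest of the run. How keybuf is terminated and consumed further down in get_pkcs_key is outside the hunk.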
@@ -329,12 +339,13 @@
if (run_mount_vnd)
(void)fprintf(stderr,
- "usage: %s [-k] [-K rounds] [-o options] "
- "[-S saltfile] image vnd_dev\n", __progname);
+ "usage: %s -k [-o options] image vnd_dev\n"
+ " %s -K rounds [-o options] [-p pass] "
+ "[-S saltfile] image vnd_dev\n", __progname, __progname);
else
(void)fprintf(stderr,
- "usage: %s [-ckluv] [-K rounds] [-S saltfile] vnd_dev "
- "image\n", __progname);
+ "usage: %s [-ckluv] [-K rounds] [-p pass] [-S saltfile] "
+ "vnd_dev image\n", __progname);
exit(1);
}