Hi, currently I am writing a script to automount encrypted vnconfig partitions (using hotplugd) when I insert a USB stick. The salt file is on the USB stick, so basically there is no need to enter the encryption key manually as long as I have access to the USB stick.
To be able to do that I need to supply the encryption key to vnconfig in some way, so I added the -p option. Normally this wouldn't be a good idea, but in cases like mine the security issues should be minimal to zero, especially since -p only works when also using -K and -S. What do you think?
Index: mount_vnd.8
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/mount_vnd.8,v
retrieving revision 1.13
diff -u -r1.13 mount_vnd.8
--- mount_vnd.8 26 May 2008 21:14:46 -0000 1.13
+++ mount_vnd.8 28 Jun 2008 21:23:33 -0000
@@ -60,8 +60,15 @@
 .Nm mount_vnd
 .Bk -words
 .Op Fl k
+.Op Fl o Ar options
+.Ar image
+.Ar vnd_dev
+.Ek
+.Nm mount_vnd
+.Bk -words
 .Op Fl K Ar rounds
 .Op Fl o Ar options
+.Op Fl p Ar pass
 .Op Fl S Ar saltfile
 .Ar image
 .Ar vnd_dev
@@ -70,6 +77,7 @@
 .Bk -words
 .Op Fl ckluv
 .Op Fl K Ar rounds
+.Op Fl p Ar pass
 .Op Fl S Ar saltfile
 .Ar vnd_dev
 .Ar image
@@ -162,10 +170,11 @@
 The user is asked for both a passphrase and the name of a salt file.
 The salt file can also be specified on the command line using the
 .Fl S
+option. The passphrase can be specified using the
+.Fl p
 option.
-The passphrase and salt are combined according to PKCS #5 PBKDF2 for the
-specified number of
-rounds to generate the actual key used.
+The passphrase and salt are combined according to PKCS #5 PBKDF2
+for the specified number of rounds to generate the actual key used.
 .Ar rounds
 is a number between 1000 and
 .Dv INT_MAX .
@@ -199,6 +208,13 @@
 .Fl o
 is only here for compatibility reasons, but no use is made of supplied
 options.
+.It Fl p Ar pass
+When
+.Fl K
+is used, use this passphrase as the encryption key. Can be used to
+automount encrypted partitions when inserting an USB stick, if
+.Xr hotplugd 8
+is configured properly.
 .It Fl S Ar saltfile
 When
 .Fl K
Index: mount_vnd.c
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/mount_vnd.c,v
retrieving revision 1.5
diff -u -r1.5 mount_vnd.c
--- mount_vnd.c 14 Jun 2008 01:47:27 -0000 1.5
+++ mount_vnd.c 28 Jun 2008 21:23:33 -0000
@@ -69,13 +69,13 @@
 __dead void usage(void);
 int config(char *, char *, int, char *, size_t);
 int getinfo(const char *);
-char *get_pkcs_key(char *, char *);
+char *get_pkcs_key(char *, char *, char *);
 
 int
 main(int argc, char **argv)
 {
 	int ch, rv, action, opt_c, opt_k, opt_K, opt_l, opt_u;
-	char *key, *mntopts, *rounds, *saltopt;
+	char *key, *mntopts, *passopt, *rounds, *saltopt;
 	size_t keylen = 0;
 	extern char *__progname;
 
@@ -83,10 +83,10 @@
 	run_mount_vnd = 1;
 
 	opt_c = opt_k = opt_K = opt_l = opt_u = 0;
-	key = mntopts = rounds = saltopt = NULL;
+	key = mntopts = passopt = rounds = saltopt = NULL;
 	action = VND_CONFIG;
 
-	while ((ch = getopt(argc, argv, "ckK:lo:S:uv")) != -1) {
+	while ((ch = getopt(argc, argv, "ckK:lo:p:S:uv")) != -1) {
 		switch (ch) {
 		case 'c':
 			opt_c = 1;
@@ -104,6 +104,9 @@
 		case 'o':
 			mntopts = optarg;
 			break;
+		case 'p':
+			passopt = optarg;
+			break;
 		case 'S':
 			saltopt = optarg;
 			break;
@@ -134,6 +137,9 @@
 	if (saltopt && (!opt_K))
 		errx(1, "-S only makes sense when used with -K");
 
+	if (passopt && (!saltopt))
+		errx(1, "-p only allowed when used with -K and -S");
+
 	if (action == VND_CONFIG && argc == 2) {
 		int ind_raw, ind_reg;
 
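Review bot: Capturing the passphrase with `passopt = optarg;` in the new `case 'p':` branch exposes it to every other local user for the lifetime of the process, since command-line arguments are readable through ps(1), and it will usually also end up in the invoking shell's history; the man-page hunk's claim that the impact is minimal does not hold on a multi-user host. The same automount use case is served without that exposure by taking a file path, as `-S` already does, or by reading the passphrase from standard input when a flag is given, so nothing secret appears in argv. If the argv form is kept, the check added in the following hunk, `if (passopt && (!saltopt))`, tests only `-S` even though its message names both options; `-K` is enforced only indirectly by the `-S` check two lines above, which deserves a comment such as `/* -S has already been checked against -K above */`.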
@@ -144,7 +150,7 @@
 		if (key == NULL || (keylen = strlen(key)) == 0)
 			errx(1, "Need an encryption key");
 	} else if (opt_K) {
-		key = get_pkcs_key(rounds, saltopt);
+		key = get_pkcs_key(rounds, passopt, saltopt);
 		keylen = BLF_MAXUTILIZED;
 	}
 
@@ -168,7 +174,7 @@
 }
 
 char *
-get_pkcs_key(char *arg, char *saltopt)
+get_pkcs_key(char *arg, char *passopt, char *saltopt)
 {
 	char keybuf[128], saltbuf[128], saltfilebuf[PATH_MAX];
 	char *saltfile;
@@ -179,9 +185,13 @@
 	rounds = strtonum(arg, 1000, INT_MAX, &errstr);
 	if (errstr)
 		err(1, "rounds: %s", errstr);
-	key = getpass("Encryption key: ");
-	if (!key || strlen(key) == 0)
-		errx(1, "Need an encryption key");
+	if (!passopt || strlen(passopt) == 0) {
+		key = getpass("Encryption key: ");
+		if (!key || strlen(key) == 0)
+			errx(1, "Need an encryption key");
+	} else {
+		key = passopt;
+	}
 	strncpy(keybuf, key, sizeof(keybuf));
 	if (saltopt)
 		saltfile = saltopt;
@@ -329,12 +339,13 @@
 
 	if (run_mount_vnd)
 		(void)fprintf(stderr,
-		    "usage: %s [-k] [-K rounds] [-o options] "
-		    "[-S saltfile] image vnd_dev\n", __progname);
+		    "usage: %s -k [-o options] image vnd_dev\n"
+		    " %s -K rounds [-o options] [-p pass] "
+		    "[-S saltfile] image vnd_dev\n", __progname, __progname);
 	else
 		(void)fprintf(stderr,
-		    "usage: %s [-ckluv] [-K rounds] [-S saltfile] vnd_dev "
-		    "image\n", __progname);
+		    "usage: %s [-ckluv] [-K rounds] [-p pass] [-S saltfile] "
+		    "vnd_dev image\n", __progname);
 	exit(1);
 }
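Review bot: The new `key = passopt;` branch hands an argument of unbounded length to `strncpy(keybuf, key, sizeof(keybuf));` on the next line, so a passphrase of 128 or more characters leaves `keybuf` without a NUL terminator; the `getpass()` path had a library-imposed bound, the argv path has none. Reject over-long input before the copy, for example `if (strlen(passopt) >= sizeof(keybuf)) errx(1, "passphrase too long");` inside the `else` branch. get_pkcs_key continues outside the hunk, so whether keybuf is later read with strlen() or by a fixed length cannot be confirmed from here. Once the key has been derived, the argv copy could be overwritten (`bzero(passopt, strlen(passopt))`) so that it does not outlive the derivation in process memory; whether that also removes it from ps(1) output is platform-dependent and should be verified.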
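Review bot: The rewritten usage strings present `[-p pass]` and `[-S saltfile]` as independent options in both the mount_vnd and the vnconfig form, but the check added in main rejects `-p` without `-S`; nesting them as `[-S saltfile [-p pass]]` in both format strings keeps the usage text consistent with what the code accepts. The leading space in the second usage line, `" %s -K rounds ..."`, should be wide enough to align with `usage: ` on the line above, which the collapsed hunk does not let me confirm.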