Your message dated Mon, 20 Jul 2009 02:35:08 +0200
with message-id <[email protected]>
and subject line requested features have been added with passdev keyscript
(2:1.0.6-2)
has caused the Debian Bug report #471727,
regarding cryptsetup: out-of-the-box support for using an USB stick as a key
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
471727: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471727
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cryptsetup
Version: 2:1.0.6~pre1+svn45-1
Severity: wishlist
I'd like to be able to use a small USB stick as a physical "key" to my
system. There are various mini-HOWTOs and keyscripts floating around
that describe people's custom implementations of this but I think
having this as a supported feature in Debian would be better than a
bunch of custom solutions.
The following functionality would be needed:
1) A small tool that prepares a USB stick (or other removable media)
   to be used as the "key". There are of course various ways to put the key
   onto the media; at the moment I'm favouring:
   - wipe the stick using badblocks -w -t random or dd if=/dev/urandom
   - make a filesystem on the stick, possibly on a partition if it is
     customary to partition them. This would probably be VFAT. The
     partition / filesystem should be *slightly smaller* than the media,
     leaving a few bytes of space, probably at the end.
   - put a UUID / magic number at the start of the free space
   - create the key(s) by dd-ing it / them directly from /dev/random to the free
     space on the media at intervals.
   - add this key as a LUKS key.
2) A keyscript that looks for the UUID / magic number on candidate
   media and reads the appropriate key. The key field in /etc/crypttab
   that's passed as the parameter would be of the form 'UUID:keynumber'.
The keyscript should fall back to passphrase input on console when the
correct key is not found. That adds a safety net for a lost USB key IF
you have a passphrase key defined as well.
I realize this scheme is rather elaborate; I'd settle for a documented
and shipped-by-default keyscript that can mount partitions by
(filesystem) UUID and read the key from there.
Regards,
C.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cryptsetup depends on:
ii  dmsetup             2:1.02.24-3  The Linux Kernel Device Mapper use
ii  libc6               2.7-6        GNU C Library: Shared libraries
ii  libdevmapper1.02.1  2:1.02.24-3  The Linux Kernel Device Mapper use
ii  libpopt0            1.10-3       lib for parsing cmdline parameters
ii  libuuid1            1.40.6-1     universally unique id library
cryptsetup recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: cryptsetup
Source-Version: 2:1.0.6-2
Hello,
The features that had been requested in the bug report were added to the
cryptsetup package with the inclusion of the passdev keyscript.
greetings,
jonas
--- End Message ---
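The 'UUID:keynumber' lookup with passphrase fallback sketched in the original request, as an added example: it is not part of either message and it is not the passdev keyscript. The tail size, key length, slot spacing, candidate device glob and askpass helper path are assumptions, since the report fixes none of them.

```sh
#!/bin/sh
# Assumed layout (the report fixes none of these numbers): the last TAIL bytes
# of the medium lie outside the filesystem. They begin with a 36-character
# UUID tag; key number N (1..7) is KEYLEN bytes at offset N*STRIDE.
TAIL=4096 STRIDE=512 KEYLEN=32

# read_key DEVICE TAG N: write key N to stdout; return 1 if TAG is absent.
read_key() {
    found=$(tail -c "$TAIL" "$1" 2>/dev/null | head -c 36 | tr -d '\0')
    [ "$found" = "$2" ] || return 1
    tail -c "$TAIL" "$1" | dd bs=1 skip=$(( $3 * STRIDE )) count="$KEYLEN" 2>/dev/null
}

# find_key 'TAG:N' CANDIDATE...: return 0 with the key on stdout, 1 if no
# candidate carries TAG, 2 if the crypttab field is malformed.
find_key() {
    spec=$1; shift
    case $spec in *:*) ;; *) return 2 ;; esac
    tag=${spec%%:*} num=${spec##*:}
    case $num in ''|0*|*[!0-9]*) return 2 ;; esac   # digits only, no leading 0
    [ $(( num * STRIDE + KEYLEN )) -le "$TAIL" ] || return 2
    for dev in "$@"; do
        [ -r "$dev" ] && read_key "$dev" "$tag" "$num" && return 0
    done
    return 1
}

# make_sample FILE TAG: constructed 64 KiB image standing in for a stick.
make_sample() {
    dd if=/dev/zero of="$1" bs=1024 count=60 2>/dev/null
    {   printf '%s' "$2"; dd if=/dev/zero bs=1 count=$(( STRIDE - 36 )) 2>/dev/null
        n=1
        while [ "$n" -le 7 ]; do
            printf "key-$n-%026d" 0     # 32-byte placeholder, not a random key
            dd if=/dev/zero bs=1 count=$(( STRIDE - KEYLEN )) 2>/dev/null
            n=$(( n + 1 ))
        done
    } >> "$1"
}

# Keyscript entry: crypttab's key field arrives as $1. The device glob and the
# askpass helper path are assumptions about a Debian initramfs.
if [ $# -eq 1 ]; then
    find_key "$1" /dev/sd[a-z] || /lib/cryptsetup/askpass "Enter passphrase: "
fi
```

The tag is checked before any key bytes are written, so a stick without the tag produces no output and the fallback prompt is the only thing that can feed cryptsetup.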