--- Begin Message ---
Package: cryptsetup
Version: 2:1.4.3-4
Severity: wishlist
I have a laptop with two physical storage devices: an HDD (/dev/sda) and an SSD
(/dev/sdb). I wish to use /dev/sda1 as my root partition and /dev/sdb1 as my
swap partition (to which I will hibernate). I also want these devices to be
crypted. This requires that I maintain two different crypt devices; LVM can't
be used to solve this problem.
I have both devices encrypted using the same passphrase. Currently, I must
enter that passphrase twice at boot time. I would like the ability to enter my
passphrase once and have the bootup scripts try that passphrase with each
crypted disk; I should only be prompted for a passphrase again if the one I
provided failed to unlock at least one of the remaining disks. This
functionality will be useful on any system that wants crypted root and swap on
different physical devices.
As a sort of workaround, I am including two files which I have placed in my
/etc/initramfs-tools/hooks directory. These files patch the existing
cryptsetup initramfs script when the initramfs is updated. These files are
*not* perfect; they capture the passphrase in an environment variable which,
among other things, means that non-interactive passphrases containing null
characters would be misrepresented. I don't intend this workaround to be a
permanent fix; I'm just hoping someone else gets some use out of it. :)
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.2.0-4-686-pae root=/dev/mapper/vg0-root ro quiet
-- /etc/crypttab
sda7_crypt UUID=b56e8430-2594-436a-9fba-b91617cdaa5e none luks
sdb2_crypt UUID=9854a64a-0167-4299-aa4e-9a4639c99421 /etc/z_fastswap_key luks
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/vg0/root / ext3 errors=remount-ro 0 1
/dev/vg0/backup /backups ext3 defaults 0 2
UUID=2c178245-be2c-42f8-a1f3-e1057f68d506 /boot ext3 defaults 0 2
/dev/vg0/home /home ext3 defaults 0 2
/dev/vg0/swap none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdc1 /media/usb0 auto rw,user,noauto 0 0
-- lsmod
Module Size Used by
ip6table_filter 12492 0
ip6_tables 17185 1 ip6table_filter
iptable_filter 12488 0
ip_tables 17079 1 iptable_filter
ebtable_nat 12516 0
ebtables 17088 1 ebtable_nat
x_tables 18121 5 ebtables,ip_tables,iptable_filter,ip6_tables,ip6table_filter
parport_pc 22036 0
ppdev 12651 0
lp 12797 0
parport 31254 3 lp,ppdev,parport_pc
bnep 17288 2
rfcomm 28626 8
binfmt_misc 12813 1
uinput 12991 1
nfsd 173714 2
nfs 265811 0
nfs_acl 12463 2 nfs,nfsd
auth_rpcgss 32143 2 nfs,nfsd
fscache 31978 1 nfs
lockd 57255 2 nfs,nfsd
sunrpc 143961 6 lockd,auth_rpcgss,nfs_acl,nfs,nfsd
loop 17810 0
sha256_generic 16709 2
cbc 12666 8
kvm_intel 112329 3
kvm 238951 1 kvm_intel
uvcvideo 56896 0
rts5139 176882 0
videodev 61658 1 uvcvideo
media 13692 2 videodev,uvcvideo
snd_hda_codec_hdmi 26319 1
snd_hda_codec_idt 44792 1
arc4 12418 2
i915 312053 4
nouveau 493727 0
mxm_wmi 12433 1 nouveau
ttm 42997 1 nouveau
i2c_i801 12670 0
drm_kms_helper 22699 2 nouveau,i915
snd_hda_intel 21856 3
drm 134178 7 drm_kms_helper,ttm,nouveau,i915
iwlwifi 146769 0
snd_hda_codec 63477 3 snd_hda_intel,snd_hda_codec_idt,snd_hda_codec_hdmi
snd_hwdep 12943 1 snd_hda_codec
btusb 17278 2
snd_pcm 53390 4 snd_hda_codec,snd_hda_intel,snd_hda_codec_hdmi
psmouse 54927 0
coretemp 12770 0
mac80211 171359 1 iwlwifi
acpi_cpufreq 12807 0
mperf 12421 1 acpi_cpufreq
i2c_algo_bit 12713 2 nouveau,i915
iTCO_wdt 16945 0
i2c_core 19116 7 i2c_algo_bit,drm,drm_kms_helper,i2c_i801,nouveau,i915,videodev
snd_page_alloc 12867 2 snd_pcm,snd_hda_intel
iTCO_vendor_support 12632 1 iTCO_wdt
bluetooth 103750 23 btusb,rfcomm,bnep
cfg80211 117499 2 mac80211,iwlwifi
serio_raw 12803 0
snd_seq 39487 0
snd_seq_device 13016 1 snd_seq
snd_timer 22356 2 snd_seq,snd_pcm
snd 42691 14 snd_timer,snd_seq_device,snd_seq,snd_pcm,snd_hwdep,snd_hda_codec,snd_hda_intel,snd_hda_codec_idt,snd_hda_codec_hdmi
soundcore 12921 1 snd
dell_laptop 16976 0
crc16 12327 1 bluetooth
video 17412 2 nouveau,i915
processor 27565 9 acpi_cpufreq
button 12817 2 nouveau,i915
dell_wmi 12437 0
rfkill 18516 4 dell_laptop,cfg80211,bluetooth
battery 12957 0
ac 12552 0
power_supply 13283 3 ac,battery,dell_laptop
dcdbas 13080 1 dell_laptop
pcspkr 12515 0
sparse_keymap 12680 1 dell_wmi
wmi 13051 2 dell_wmi,mxm_wmi
evdev 17225 24
ext3 138190 4
mbcache 12897 1 ext3
jbd 47281 1 ext3
cryptd 14125 0
aes_i586 16608 32
aes_generic 32970 1 aes_i586
xts 12557 8
gf128mul 12922 1 xts
dm_crypt 18039 2
dm_mod 57362 19 dm_crypt
sr_mod 17468 0
sg 21476 0
cdrom 34813 1 sr_mod
sd_mod 35425 5
crc_t10dif 12332 1 sd_mod
usbhid 31523 0
hid 60116 1 usbhid
ahci 20821 3
libahci 18308 1 ahci
libata 124981 2 libahci,ahci
crc32c_intel 12659 0
scsi_mod 134998 5 libata,sd_mod,sg,sr_mod,rts5139
r8169 41802 0
mii 12595 1 r8169
ehci_hcd 35509 0
thermal 13103 0
thermal_sys 17752 3 thermal,processor,video
xhci_hcd 67877 0
usbcore 104470 7 xhci_hcd,ehci_hcd,usbhid,btusb,rts5139,uvcvideo
usb_common 12338 1 usbcore
-- System Information:
Debian Release: wheezy/sid
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.4.3-4
ii debconf [debconf-2.0] 1.5.46
ii dmsetup 2:1.02.74-4
ii libc6 2.13-35
Versions of packages cryptsetup recommends:
ii busybox 1:1.20.0-7
ii console-setup 1.87
ii initramfs-tools [linux-initramfs-tool] 0.109
ii kbd 1.15.3-9
Versions of packages cryptsetup suggests:
ii dosfstools 3.0.13-1
ii liblocale-gettext-perl 1.05-7+b1
-- debconf information:
cryptsetup/prerm_active_mappings: true
#!/bin/bash
# This script patches the cryptroot script from initramfs-tools to allow a
# passphrase given by a user to be used on each crypted device until it fails.
# This allows, for instance, a machine with crypted root and swap on different
# devices (such as physical drives) to be unlocked by entering only one
# passphrase.
#
# The patch embedded below was created using as a basis the cryptroot script
# in cryptsetup version 2:1.4.3-4 for i386.
# -----------------------------------------------------------------------------
# *** Begin standard initramfs-tools hook header
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# *** End standard initramfs-tools hook header

# The cryptroot boot script as already copied into the initramfs being built
# ($DESTDIR and $CONFDIR are provided by mkinitramfs), and the patch to apply
# to it. The patch lives next to this hook in /etc/initramfs-tools/hooks.
target="$DESTDIR/scripts/local-top/cryptroot"
patchfile="$CONFDIR/hooks/patch-cryptroot-to-reuse-passphrases.patch"

# Ensure that the target exists; without cryptsetup there is nothing to patch.
if [ ! -x "$target" ]; then
    echo "Warning: cryptroot script not found. Is cryptsetup installed? (Skipping patch.)" >&2
    exit 0
fi

# A missing patch file is a configuration error, not something to skip silently.
if [ ! -r "$patchfile" ]; then
    echo "Error: patch file $patchfile not found or not readable; aborting." >&2
    exit 1
fi

# Do the patching in place: -s keeps patch quiet, -f never asks questions.
# A non-zero exit means the cryptroot script no longer matches the patch
# context (e.g. after a cryptsetup upgrade), so abort the initramfs build.
patch -s -f "$target" "$patchfile"; ec="$?"
if [ "$ec" -ne 0 ]; then
    echo "Error: patching cryptroot failed with exit code $ec; aborting." >&2
    exit 1
fi
--- cryptroot.old
+++ cryptroot.new
@@ -277,11 +277,25 @@
fi
fi
+ if [ ! -e "$NEWROOT" ]; then
+ # If we've already seen a phrase, try it first
+ if [ -n "$passphrase" ]; then
+ echo "Trying previously-entered passphrase..."
+ crypttarget="$crypttarget" cryptsource="$cryptsource" echo -n "$passphrase" | $cryptcreate --key-file=-
+ ec="$?"
+ if [ "$ec" -eq 0 ]; then
+ echo "Succeeded with previous passphrase."
+ else
+ echo "Failed with previous passphrase; continuing to passphrase input script."
+ fi
+ fi
+ fi
if [ ! -e "$NEWROOT" ]; then
- if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
- $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
+ passphrase="$(crypttarget="$crypttarget" cryptsource="$cryptsource" $cryptkeyscript "$cryptkey")"
+ if ! crypttarget="$crypttarget" cryptsource="$cryptsource" echo -n "$passphrase" | $cryptcreate --key-file=- ; then
message "cryptsetup: cryptsetup failed, bad password or options?"
+ passphrase=''
continue
fi
fi
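Review bot: feeding the passphrase with `echo -n "$passphrase" | $cryptcreate --key-file=-` (both on the retry line and on the line after the new `passphrase="$(...)"` assignment) lets the initramfs `/bin/sh` interpret backslash escapes, so a passphrase containing a sequence such as `\t` reaches cryptsetup altered; use `printf '%s' "$passphrase" | $cryptcreate --key-file=-` on both lines. The `crypttarget="$crypttarget" cryptsource="$cryptsource"` prefix on those `echo` invocations is a leftover: the keyscript that needs these variables now runs inside the command substitution, which already sets them, so the prefix on `echo` can go. The command substitution also strips trailing newlines, so for an entry whose `$cryptkeyscript` emits a key file verbatim rather than a typed passphrase (the report's `sdb2_crypt` line uses `/etc/z_fastswap_key`) a key ending in a newline would stop unlocking, on top of the NUL-byte loss the report already acknowledges. Finally, `passphrase=''` is only executed on the failure path; after a successful unlock the secret stays in the boot shell's memory until cryptroot exits, so clear it once the last device has been handled, not only on failure.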
--- End Message ---
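To make the behaviour the report asks for concrete, here is an added example that is not the report's hook, the patch above, or Debian's cryptroot script: a POSIX sh model of the unlock loop that keeps the last passphrase, tries it on each device first, and prompts only when it fails. `FAKE_CRYPTTAB` and `fake_unlock` are constructed stand-ins for /etc/crypttab and for `cryptsetup ... --key-file=-`, and the interactive prompt is replaced by a newline-separated list of answers so the whole thing runs offline. Unlike the patch, it hands the passphrase over with `printf '%s'` instead of `echo -n`, so a passphrase containing a backslash sequence such as `\t` survives both the prompt and the cache path unchanged, and it clears the cached passphrase once the loop is done.

```shell
#!/bin/sh
# Added example: a model of "try the cached passphrase first, prompt only on
# failure". Nothing here is the bug report's hook or Debian's cryptroot script.

# Constructed stand-in for /etc/crypttab: "<mapping name> <passphrase that
# unlocks it>". The first two devices share a passphrase; the last two share
# a different one that deliberately contains a backslash sequence.
FAKE_CRYPTTAB='sda7_crypt hunter2
sdb2_crypt hunter2
sdc1_crypt tab\there
sdd1_crypt tab\there'

# fake_unlock NAME: stand-in for `cryptsetup luksOpen ... --key-file=-`. Like
# cryptsetup it reads the candidate passphrase from stdin; unlike cryptsetup
# it simply compares it with the expected string for NAME.
fake_unlock() {
    candidate=$(cat)
    expected=$(printf '%s\n' "$FAKE_CRYPTTAB" | awk -v n="$1" '$1 == n { print $2 }')
    [ -n "$expected" ] && [ "$candidate" = "$expected" ]
}

# unlock_all ANSWERS: walk every device in FAKE_CRYPTTAB in order. ANSWERS is
# a newline-separated list of what the user would type at successive prompts
# (the stand-in for the interactive keyscript). Prints the number of prompts
# that were needed and returns non-zero if any device stayed locked. The
# per-device retry loop of the real cryptroot script is left out.
unlock_all() {
    answers=$1
    passphrase=''   # cached secret; lives only for the duration of this loop
    prompts=0
    failed=0
    for name in $(printf '%s\n' "$FAKE_CRYPTTAB" | awk '{ print $1 }'); do
        # 1. Reuse the cached passphrase. printf '%s' passes it through byte
        #    for byte; `echo -n` under dash/busybox sh would turn "\t" into a tab.
        if [ -n "$passphrase" ] && printf '%s' "$passphrase" | fake_unlock "$name"; then
            continue
        fi
        # 2. No cache, or the cached passphrase failed: prompt, i.e. take the
        #    next answer from the list (an empty answer when the list is used up).
        prompts=$((prompts + 1))
        passphrase=$(printf '%s\n' "$answers" | sed -n '1p')
        answers=$(printf '%s\n' "$answers" | sed '1d')
        if ! printf '%s' "$passphrase" | fake_unlock "$name"; then
            passphrase=''   # never cache something that did not work
            failed=1
        fi
    done
    passphrase=''   # drop the secret once the last device has been handled
    echo "$prompts"
    return "$failed"
}

# Usage: the first answer opens sda7_crypt and is reused for sdb2_crypt; the
# second opens sdc1_crypt and is reused for sdd1_crypt, so four devices cost
# two prompts and this prints 2.
unlock_all 'hunter2
tab\there'
```

The two things worth carrying over to a real cryptroot patch are that the cached value is only ever moved through `printf '%s'` and a pipe (never through `echo` or a command-line argument that would show up in `ps`), and that the variable is emptied on the failure path and again after the loop.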
--- Begin Message ---
Hello,
On 25.11.2012 18:32, [email protected] wrote:
> I have a laptop with two physical storage devices: an HDD (/dev/sda)
> and an SSD (/dev/sdb). I wish to use /dev/sda1 as my root partition
> and /dev/sdb1 as my swap partition (to which I will hibernate). I
> also want these devices to be crypted. This requires that I maintain
> two different crypt devices; LVM can't be used to solve this problem.
> I have both devices encrypted using the same passphrase. Currently,
> I must enter that passphrase twice at boot time. I would like the
> ability to enter my passphrase once and have the bootup scripts try
> that passphrase with each crypted disk; I should only be prompted for
> a passphrase again if the one I provided failed to unlock at least
> one of the remaining disks. This functionality will be useful on any
> system that wants crypted root and swap on different physical
> devices.
You should take a look at the keyscripts that are shipped with
cryptsetup.
In particular the keyscripts decrypt_derived and decrypt_keyctl both
serve exactly the purpose you're searching for. decrypt_derived is
documented in /usr/share/doc/cryptsetup/README.initramfs.gz (paragraph 9),
decrypt_keyctl has its own README file at
/usr/share/doc/cryptsetup/README.keyctl.
> As a sort of workaround, I am including two files which I have placed
> in my /etc/initramfs-tools/hooks directory. These files patch the
> existing cryptsetup initramfs script when the initramfs is updated.
> These files are *not* perfect; they capture the passphrase in an
> environment variable which, among other things, means that
> non-interactive passphrases containing null characters would be
> misrepresented. I don't intend this workaround to be a permanent
> fix; I'm just hoping someone else gets some use out of it. :)
Kind Regards,
jonas
--- End Message ---
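The decrypt_keyctl keyscript jonas points to needs no patching of cryptroot at all; it is driven from /etc/crypttab. The fragment below is an added example, not text from the reply or from README.keyctl. It reuses the two UUIDs from the report's crypttab and assumes that the keyutils package is installed alongside cryptsetup and that both LUKS volumes have a keyslot with the same passphrase; the identifier `shared_key` is an arbitrary name. With decrypt_keyctl the third crypttab field is not a key file but the name under which the passphrase is cached in the kernel keyring: the first entry prompts and caches, and every later entry with the same identifier is unlocked from the cache, so the user is asked once for both devices.

```text
# /etc/crypttab (added example): both entries share the cache identifier
# "shared_key", so decrypt_keyctl prompts once and reuses the passphrase.
sda7_crypt UUID=b56e8430-2594-436a-9fba-b91617cdaa5e shared_key luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl
sdb2_crypt UUID=9854a64a-0167-4299-aa4e-9a4639c99421 shared_key luks,keyscript=/lib/cryptsetup/scripts/decrypt_keyctl
```

Run `update-initramfs -u` after editing so the keyscript and the keyctl binary it depends on are copied into the initramfs. Note that the report's current `sdb2_crypt` line unlocks the swap device with a key file (/etc/z_fastswap_key); this fragment replaces that with the prompted passphrase, which is what makes the shared cache possible.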