Package: cryptsetup Version: 2:1.0.4~rc2-1 Severity: normal Tags: patch
I was trying to use SSL encrypted keys (which I could copy to a USB
stick) because GPG encrypted keys are not yet supported.
I used the script /usr/share/doc/cryptsetup/examples/gen-ssl-key to
generate a encrypted key, decrypted it and added it with luksAddKey.
Then I changed /etc/crypttab to the path of SSL encrypted key and added
the keyword ssl. But /etc/init.d/cryptdisks couldn’t activate the
partition.
Trying to find the problem I discoverd the following bugs:
1. The function decrypt_ssl is available in
/lib/cryptsetup/cryptdisks.functions as well as in
/lib/cryptsetup/scripts/decrypt_ssl. It seems, the first is used.
Both functions are different.
2. The function in /lib/cryptsetup/cryptdisks.functions begins like the
other one, but then asks for a second passphrase to decrypt the
previously decrypted key. This contradicts with gen-ssl-key which only
uses one passphrase. I’ve changed the function to only ask for one
passphrase like in /lib/cryptsetup/scripts/decrypt_ssl (see patch).
3. Neither decrypt_ssl (nor decrypt_gpg) are protecting the passphrase
against spaces by using quotation marks (see patch).
4. You are using „read -s” to read the passphrase from the command line
(silent mode), but the option -s only works with bash. If /bin/sh is
linked to dash, it doesn’t work. I had to change /etc/init./cryptdisks to
use /bin/bash instead of /bin/sh.
5. Now it works. The next step would be solving the problem how a normal
user could use cryptsetup to activiate a encrypted partition or an
encrypted removable device.
Shade and sweet water!
Stephan
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages cryptsetup depends on:
ii dmsetup 2:1.02.08-1 The Linux Kernel Device Mapper use
ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries
ii libdevmapper1.02 2:1.02.08-1 The Linux Kernel Device Mapper use
ii libgcrypt11 1.2.3-2 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-1 library for common error values an
ii libpopt0 1.10-3 lib for parsing cmdline parameters
ii libuuid1 1.39-1 universally unique id library
cryptsetup recommends no packages.
-- no debconf information
--
| Stephan Seitz E-Mail: [EMAIL PROTECTED] |
| PGP Public Keys: http://fsing.rootsland.net/~stse/pgp.html |
--- cryptdisks.functions 2006-10-01 17:56:09.000000000 +0200
+++ cryptdisks.functions.new 2006-10-01 17:58:30.000000000 +0200
@@ -175,27 +175,17 @@
decrypt_ssl () {
origumask=`umask`
umask 077
- tmpkey=`tempfile`
-
- while ( ! /usr/bin/openssl enc -aes256 -d -salt -in $key -out $tmpkey \
- -k $password > /dev/null 2>&1 ); do
- echo -en "\nSecond password for key $key: "
- read -s password <${CONSOLE:-/dev/tty}
- echo
- [ "$password" = "" ] && return 0
- done
-
deckey=`tempfile`
- while ( ! /usr/bin/openssl dsa -in $tmpkey -out $deckey -passin \
- pass:$password > /dev/null 2>&1 ); do
- echo -en "\nFirst password for key $key: "
+
+ while ( ! /usr/bin/openssl enc -aes256 -d -salt -in $key -out $deckey \
+ -k "$password" > /dev/null 2>&1 ); do
+ echo -en "\nPassword for key $key: "
read -s password <${CONSOLE:-/dev/tty}
echo
[ "$password" = "" ] && return 0
done
password=""
- rm -f $tmpkey && tmpkey=""
umask $origumask
}
signature.asc
Description: Digital signature
