Harald Braumann wrote:

Hello Harald,

> cryptsetup should support decrypting multiple volumes with the same passphrase
> and only prompt for it once.
>
> Attached is a script which can be used as a `keyscript'. It prompts for the
> passphrase and stores it in a key ring for a short amount of time using Linux'
> key retention facility. Further passphrase requests are satisfied from the
> stored value without prompting again.
Your attachment seems to be missing. Though I've written a similar script some
time ago and just fixed a few things up. The script can be found on github with
additional documentation:

http://github.com/gebi/keyctl_keyscript/blob/master/keyctl_keyscript
http://github.com/gebi/keyctl_keyscript

> This works quite well, however there are a few problems:
> - only works on Linux

no problem, as dm-crypt is Linux only

> - the passphrase is stored for some time and might be exposed (at least
>   root can dump the stored passphrase)

root can get the passphrase anyway.

> - the passphrase is piped between processes and might end up in
>   insecure memory and be written to swap

This is not nice, ack!
Though it's not that smart to have crypto filesystems without crypted swap.

> A better approach would be to add support for this functionality to
> cryptsetup. Cryptsetup could then decrypt all volumes that belong to the same
> group at once and there would be no need to retain the passphrase. I'm not
> sure if there would be problems if the root volume is part of such a group,
> because then all the volumes would have to be decrypted at the time the root
> volume is decrypted, which happens very early in the boot process.

At least an option to get cryptsetup to cache the passphrase in a specific
keyring would be nice, and _only_ cache it if the passphrase was correct.
This would also remove the problem with passphrase piping and possibly ending
in insecure memory.

michael
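The kind of caching keyscript the thread is about, written out as an added example. It is not the script Harald attached and not gebi's keyctl_keyscript; it is example code for this thread. It assumes keyctl(1) from keyutils, Debian's /lib/cryptsetup/askpass prompter, and Debian's keyscript contract as I understand it: cryptsetup runs the script with the crypttab key field as $1, exports CRYPTTAB_NAME (target name) and CRYPTTAB_TRIED (number of earlier failed attempts for that target), and reads the passphrase from the script's stdout without stripping a trailing newline. The "cryptsetup:" key description prefix, the 60 second timeout and the @u keyring are choices made here, not anything the thread prescribes.

```shell
#!/bin/sh
# Example cryptsetup keyscript that caches the passphrase in the kernel
# keyring (added example for this thread; not gebi's keyctl_keyscript and
# not part of cryptsetup). Assumed interfaces: keyctl(1) from keyutils,
# Debian's /lib/cryptsetup/askpass, and Debian's keyscript contract
# (CRYPTTAB_NAME / CRYPTTAB_TRIED exported by cryptsetup, passphrase
# returned on stdout with no trailing newline).

KEYCTL="${KEYCTL:-keyctl}"
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"
KEYRING="${KEYRING:-@u}"      # caller's user keyring (root's, at boot)
TIMEOUT="${TIMEOUT:-60}"      # seconds before the kernel discards the key
GROUP="${GROUP:-cryptsetup}"  # one cache entry per group of volumes

# Key description under which the passphrase is stored ("user" type key).
key_desc() { printf 'cryptsetup:%s' "$GROUP"; }

# Print the cached passphrase (no newline) or return 1 if none is cached.
# keyctl search prints the key id; keyctl pipe dumps the raw payload.
cached_passphrase() {
    id=$("$KEYCTL" search "$KEYRING" user "$(key_desc)" 2>/dev/null) || return 1
    "$KEYCTL" pipe "$id"
}

# Drop the cached entry, e.g. after cryptsetup rejected it for a volume.
forget_passphrase() {
    id=$("$KEYCTL" search "$KEYRING" user "$(key_desc)" 2>/dev/null) || return 0
    "$KEYCTL" unlink "$id" "$KEYRING" >/dev/null
}

# Prompt once, cache the answer with an expiry, and print it (no newline).
# keyctl padd reads the payload from stdin, so it never shows up in argv.
prompt_and_cache() {
    pass=$("$ASKPASS" "Passphrase for $1: ") || return 1
    id=$(printf '%s' "$pass" | "$KEYCTL" padd user "$(key_desc)" "$KEYRING") || return 1
    "$KEYCTL" timeout "$id" "$TIMEOUT" >/dev/null
    printf '%s' "$pass"
}

# Keyscript entry point: $1 = crypttab key field, $CRYPTTAB_NAME = target,
# $CRYPTTAB_TRIED = number of earlier failed attempts for this target.
get_passphrase() {
    name="${CRYPTTAB_NAME:-$1}"
    tried="${CRYPTTAB_TRIED:-0}"
    # A keyscript cannot verify the passphrase itself. A retry for the same
    # target means the value we handed out was wrong for it, so do not serve
    # the cached copy again; this is the closest a script gets to the
    # "only cache it if it was correct" behaviour asked for above.
    if [ "$tried" -gt 0 ]; then
        forget_passphrase
    fi
    cached_passphrase || prompt_and_cache "$name"
}

# Only act as a keyscript when invoked by cryptsetup (which sets CRYPTTAB_NAME);
# sourcing the file just defines the functions.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    get_passphrase "$@"
fi
```

Install it as the keyscript for every crypttab line that should share a passphrase (keyscript=/path/to/script in the options field, and hook it into the initramfs the same way gebi's script is). Two of the problems raised above still apply and should be understood before using something like this: root (or anyone with the user keyring of the calling uid) can read the key with keyctl for as long as the timeout runs, and while the payload itself sits in kernel memory, which is not swapped, the shell variable and the askpass process hold userspace copies that can be, so encrypted swap is still needed.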