Bug#350615: [Pkg-cryptsetup-devel] Bug#350615: Add support for encrypted ssl-keys
On 02/02/2006 [EMAIL PROTECTED] wrote: > >i believe that the patch is rather ugly. it depends on openssl, and > >therefore on a mounted /usr filesystem. what to do when /usr is an > >encrypted filesystem? > > Yes, not really integrateable for generic usage. i've tagged this patch as wontfix. > Imho should not be integrated, BUT (@General Stone) > could you please take your code to the dm-crypt wiki? that would be great. > @jonas: we should make a link from our doku to the dm-crypt wiki (if > we not allreday have one ;). the wiki is mentioned in README.html but maybe it would be good to create a README.Debian with debian-related documentation, and an overview about other available documentation. > ps.: sorry for the direct mailling hehe, i already forwarded the mail to the bts, as i didn't see this mail. ... jonas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#350615: [EMAIL PROTECTED]: Re: [Pkg-cryptsetup-devel] Bug#350615: Add support for encrypted ssl-keys]
tags 350615 +wontfix thanks - Forwarded message from [EMAIL PROTECTED] - Date: Thu, 02 Feb 2006 19:26:41 +0100 From: [EMAIL PROTECTED] Subject: Re: [Pkg-cryptsetup-devel] Bug#350615: Add support for encrypted ssl-keys To: Jonas Meurer <[EMAIL PROTECTED]> Quoting Jonas Meurer <[EMAIL PROTECTED]>: >i believe that the patch is rather ugly. it depends on openssl, and >therefore on a mounted /usr filesystem. what to do when /usr is an >encrypted filesystem? Yes, not really integrateable for generic usage. >gebi, what do you think about it? Imho should not be integrated, BUT (@General Stone) could you please take your code to the dm-crypt wiki? @jonas: we should make a link from our doku to the dm-crypt wiki (if we not allreday have one ;). greets, Michael Gebetsroither - End forwarded message - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#350615: [Pkg-cryptsetup-devel] Bug#350615: Add support for encrypted ssl-keys
Quoting Jonas Meurer <[EMAIL PROTECTED]>: i believe that the patch is rather ugly. it depends on openssl, and therefore on a mounted /usr filesystem. what to do when /usr is an encrypted filesystem? Yes, not really integrateable for generic usage. gebi, what do you think about it? Imho should not be integrated, BUT (@General Stone) could you please take your code to the dm-crypt wiki? @jonas: we should make a link from our doku to the dm-crypt wiki (if we not allreday have one ;). ps.: sorry for the direct mailling greets, Michael Gebetsroither -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#350615: [Pkg-cryptsetup-devel] Bug#350615: Add support for encrypted ssl-keys
On 30/01/2006 General Stone wrote: > In the attachment is a patch and a tool. i believe that the patch is rather ugly. it depends on openssl, and therefore on a mounted /usr filesystem. what to do when /usr is an encrypted filesystem? > The patch include support to use encrypted ssl-key/s at the boot-up > process. The modificated initscript will them ask for a password and > decrypt it in a defined $PATH which is mounted as a tmpfs. If there are > more keys with the same encrypted password, the initscript want to ask > once. I don't understand the aim of this patch. why do you want to use encrypted keys for disk encryption? if this is really wanted, it should be implemented in cryptsetup itself, without the need for openssl. and the implementation should be cleaner, with support for keys on removable devices, etc. > The other modification is from the /etc/init.d/lvm-common script. > It changes the usermod in /dev/mapper/. i don't know whether i like this idea. i believe that ownership configuration should be either done in cryptsetup directly, or at least in /etc/crypttab. in any case, /etc/default/cryptdisks is the wrong place for it. > The tool create a double encrypted key with 'openssl' for use with the > cryptsetup initscript. i'm not sure how to think about this idea. i'dd like to wait for mount dm-crypt support (see bugreport #290324) and then discuss this feature with the cryptsetup upstream authors. gebi, what do you think about it? ... jonas signature.asc Description: Digital signature
Bug#350615: Add support for encrypted ssl-keys
Package: cryptsetup Version: 20050111-4 Severity: wishlist In the attachment is a patch and a tool. The patch include support to use encrypted ssl-key/s at the boot-up process. The modificated initscript will them ask for a password and decrypt it in a defined $PATH which is mounted as a tmpfs. If there are more keys with the same encrypted password, the initscript want to ask once. The other modification is from the /etc/init.d/lvm-common script. It changes the usermod in /dev/mapper/. The tool create a double encrypted key with 'openssl' for use with the cryptsetup initscript. -- Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD ~~ Was nicht fliegen kann, kann auch nicht abstürzen. ~~ diff -ruN old/etc/default/cryptdisks new/etc/default/cryptdisks --- old/etc/default/cryptdisks 2005-11-15 00:12:49.0 +0100 +++ new/etc/default/cryptdisks 2006-01-22 21:53:45.0 +0100 @@ -1,2 +1,21 @@ # Run cryptdisks at startup ? CRYPTDISKS_ENABLE=Yes + +# Path where the keys are. +SRCPATH=/etc/disk-keys + +# Path for the keys which are declared in /etc/crypttab. +DSTPATH=/tmp + +# Keys to use +#KEYS="backups.key home.key var.key" + +# The format of /dev/mapper/ is +# MODE_=": " +# +# eg: +# +# MODE_cswap="root:disk 660" +# +# Sets the protection of /dev/mapper/cswap to 0660 and makes it owned by user +# "root" and group "disk". diff -ruN old/etc/init.d/cryptdisks new/etc/init.d/cryptdisks --- old/etc/init.d/cryptdisks 2005-11-15 00:12:49.0 +0100 +++ new/etc/init.d/cryptdisks 2006-01-30 18:51:59.0 +0100 @@ -12,6 +12,10 @@ # Default-Start: S # Default-Stop: 0 6 ### END INIT INFO +# +# Modified by Markus Nass <[EMAIL PROTECTED]> +# to use double encrypted key/s by 'openssl'. +# CRYPTCMD=/sbin/cryptsetup DEVMAPCMD=/sbin/dmsetup @@ -32,8 +36,52 @@ $DEVMAPCMD mknodes +decrypt() { + OLDUMASK=`umask` + umask 0077 + + for KEY in $KEYS; do + while ( ! openssl enc -aes256 -d -salt -in $SRCPATH/$KEY \ + -out $DSTPATH/$KEY.tmp -k $PASSWORD > /dev/null 2>&1 ); do + echo -n "Password of '$SRCPATH/$KEY': " + read -s PASSWORD; echo + + if [ "$PASSWORD" = "" ]; then + return 0 + fi + done + + while ( ! openssl dsa -in $DSTPATH/$KEY.tmp -out $DSTPATH/$KEY \ + -passin pass:$PASSWORD > /dev/null 2>&1 ); do + echo -n "Password of '$DSTPATH/$KEY.tmp': " + read -s PASSWORD; echo + + if [ "$PASSWORD" = "" ]; then + return 0 + fi + done + done + + rm -f $DSTPATH/*.key.tmp + PASSWORD="" + umask $OLDUMASK +} + case "$1" in start) + if [ ! "$KEYS" = "" ]; then + # Important to decrypt the disk-keys. + if [ "$(grep -c "\/usr" /etc/fstab)" = "1" ] && \ + [ "$(grep -c "\/usr" /etc/mtab)" = "0" ]; then + mount /usr + touch /mounted + fi + + mount -t tmpfs tmpfs $DSTPATH > /dev/null 2>&1 + + test -f /usr/bin/openssl && decrypt + fi + echo -n "Starting crypto disks:" egrep -v "^[[:space:]]*(#|$)" $TABFILE | while read dst src key opt; do echo -n " $dst" @@ -161,6 +209,29 @@ fi fi done + + for MODEVAR in ${!MODE_*}; do + eval MODE=\$$MODEVAR + DEV=${MODEVAR//_/-} + DEV="/dev/mapper/${DEV#MODE-}" + MOD=${MODE#* } + OWN=${MODE% *} + chmod $MOD $DEV + chown $OWN $DEV + done + + for KEY in $KEYS; do + rm -f $DSTPATH/$KEY + done + + umount -f $DSTPATH > /dev/null 2>&1 + + # Important to check and repair the file system. + if [ -f /mounted ]; then + umount -f /usr + rm -f /mounted + fi + echo "." ;; stop) createkey.gz Description: Binary data signature.asc Description: Digital signature