From: Arno Wagner <arno@wagner.name>
To: dm-crypt mail list <dm-crypt@saout.de>
Subject: [dm-crypt] Re: Is crypttab secure to automount a partition?
Date: Tue, 23 Mar 2021 10:52:19 +0100 [thread overview]
Message-ID: <20210323095219.GB10136@tansi.org> (raw)
In-Reply-To: <CAA2KLbbt2inBrS0BJF-8vzp_J3hdbaCpzR-XvA+792Kic2CNMA@mail.gmail.com>
You can hardcode a passphrase in an initrd, put that on a USB key
and remove the USB after boot. (We had that as an emergency procedure
for a reboot in a DC-setup. The USB-Key was locked in a safe
to secure it.)

Something needs to be provided, either a secret or a token; there
is no security without that.
Regards,
Arno
On Mon, Mar 22, 2021 at 17:06:01 CET, Christopher de Vidal wrote:
> That's very cool. But I get the impression from your response that
> there is no way to automount securely? E.g. at least one password entry
> is always required.
> Christopher de Vidal
> Would you consider yourself a good person? Have you ever taken the
> 'Good Person' test? It's a fascinating five minute quiz. Google it.
>
> On Sat, Mar 20, 2021 at 7:54 PM Carlos E. R.
> <robin.listas@telefonica.net> wrote:
>
> On 20/03/2021 17.43, Christopher de Vidal wrote:
> > I am a newbie with this so go gentle please :-) I want to automagically
> > mount a partition at boot. Is it secure to use the crypttab key field? I
> > assume I would have to store the passphrase in plain text in the file
> > specified in the key field, and since as I understand it the point of
> > partition encryption is to prevent a malicious local user with physical
> > access from reading the files, if the user can read the file specified
> > in the key field, wouldn't they then be able to decrypt the partition?
> > Seems to me like leaving the front door key under the doormat, but maybe
> > I'm just ignorant how it works. Please educate this newbie.
> Suppose you have several encrypted partitions. One of them would be
> opened normally, with a password. It would contain a file, which would
> be the key to automatically open the other two partitions (which can
> also be opened manually with their password).
>
> It is a trick for opening several partitions on boot while entering only
> one password.
> /etc/crypttab:
>
>   cr_home   /dev/disk/by-id/ata-something-part5  none                                timeout=300,discard
>   cr_data1  /dev/disk/by-partlabel/data_1_raw    /home/things/Keys/the_data_keyfile  auto
>
> fstab:
>
>   /dev/mapper/cr_home   /home         xfs  lazytime,exec,nofail       1 2
>   /dev/mapper/cr_data1  /data/data_1  xfs  user,lazytime,exec,nofail  1 2
>
> The keyfile has to be created once (4 KiB random data, for example) and
> added to the crypt:
>
>   cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
>   cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile /dev/sdc1 cr_cripta
> There may be other uses, but that's the one I have.
>
> You could have the keyfile stored on a USB stick. To open the partition
> you would have to connect the USB stick first. A better procedure would
> be that the system would also require a passphrase to proceed, but I
> don't know how to achieve that (the mantra is one thing you have, one
> thing you know. Two factors).
> --
> Cheers / Saludos,
> Carlos E. R.
> (from 15.2 x86_64 at Telcontar)
> _______________________________________________
> dm-crypt mailing list -- dm-crypt@saout.de
> To unsubscribe send an email to dm-crypt-leave@saout.de
>
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
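The thread's real question is where a crypttab keyfile lives: on a volume that is only readable after a passphrase has been entered (Carlos's trick), or on a filesystem anyone with the disk can read (Christopher's key under the doormat). The following Python script is an added example, not code from Arno, Carlos or the cryptsetup project. It parses crypttab and fstab text and classifies every keyfile entry by following the keyfile path to the device that holds it, through chains of keyfiles if needed. The cr_home and cr_data1 lines mirror the thread; the root filesystem line, cr_data2 and cr_data3 are constructed to show the protected-chain and exposed cases. It is a static check of the configuration only: it does not inspect file permissions, the initrd, or device-mapper layers it cannot see in fstab (a /dev/mapper name that is not a crypttab entry, such as an LVM volume, is treated as needing no secret).

```python
"""Added example (not from the thread): audit where each crypttab keyfile lives.

A keyfile is only as protected as the filesystem it sits on. This script
parses crypttab and fstab text and reports, for every keyfile entry, whether
the keyfile resides on a dm-crypt volume that is itself unlocked with a
passphrase, or on a filesystem readable without any secret.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample input. cr_home and cr_data1 mirror the lines quoted in
# the thread; the root filesystem, cr_data2 and cr_data3 are assumptions.
CRYPTTAB = """\
# name     device                               keyfile                             options
cr_home    /dev/disk/by-id/ata-something-part5  none                                timeout=300,discard
cr_data1   /dev/disk/by-partlabel/data_1_raw    /home/things/Keys/the_data_keyfile  auto
cr_data2   /dev/disk/by-partlabel/data_2_raw    /data/data_1/keys/data2.key         luks
cr_data3   /dev/disk/by-partlabel/data_3_raw    /etc/keys/data3.key                 luks
"""

FSTAB = """\
/dev/sda2             /             ext4  defaults                   0 1
/dev/mapper/cr_home   /home         xfs   lazytime,exec,nofail       1 2
/dev/mapper/cr_data1  /data/data_1  xfs   user,lazytime,exec,nofail  1 2
"""

MAPPER_PREFIX = "/dev/mapper/"


@dataclass(frozen=True)
class CryptEntry:
    name: str
    device: str
    keyfile: str | None  # None when the entry prompts for a passphrase
    options: str


def _records(text: str) -> list[list[str]]:
    """Whitespace-separated fields of each non-blank, non-comment line."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def parse_crypttab(text: str) -> dict[str, CryptEntry]:
    """crypttab(5) fields: name device [keyfile] [options]; 'none' or '-' means prompt."""
    entries: dict[str, CryptEntry] = {}
    for f in _records(text):
        keyfile = f[2] if len(f) > 2 else "none"
        options = f[3] if len(f) > 3 else ""
        entries[f[0]] = CryptEntry(f[0], f[1], None if keyfile in ("none", "-") else keyfile, options)
    return entries


def parse_fstab(text: str) -> list[tuple[str, str]]:
    """(device, mountpoint) pairs from fstab(5) text."""
    return [(f[0], f[1]) for f in _records(text)]


def device_holding(path: str, mounts: list[tuple[str, str]]) -> str | None:
    """Device whose mountpoint is the longest prefix of path ('/' matches everything)."""
    best: tuple[str, str] | None = None
    for device, mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[1]):
                best = (device, mp)
    return best[0] if best else None


def classify(name: str, crypttab: dict[str, CryptEntry],
             mounts: list[tuple[str, str]], seen: tuple[str, ...] = ()) -> tuple[str, str]:
    """Return (status, detail):
    ("passphrase", name)   entry prompts for a passphrase at boot
    ("protected", root)    keyfile lives on a volume that, directly or via a chain
                           of keyfiles, is unlocked by the passphrase entry `root`
    ("exposed", device)    keyfile lives on a device that needs no secret to read
    ("unknown", keyfile)   keyfile path matches no fstab mountpoint
    ("cycle", name)        keyfile chain loops back on itself
    """
    entry = crypttab[name]
    if entry.keyfile is None:
        return ("passphrase", name)
    if name in seen:
        return ("cycle", name)
    device = device_holding(entry.keyfile, mounts)
    if device is None:
        return ("unknown", entry.keyfile)
    if device.startswith(MAPPER_PREFIX):
        holder = device[len(MAPPER_PREFIX):]
        if holder in crypttab:
            status, root = classify(holder, crypttab, mounts, seen + (name,))
            return ("protected", root) if status in ("passphrase", "protected") else (status, root)
    # Plain block device, or a mapper name crypttab knows nothing about.
    return ("exposed", device)


def audit(crypttab_text: str, fstab_text: str) -> dict[str, tuple[str, str]]:
    """Classify every crypttab entry; keys are mapping names."""
    crypttab = parse_crypttab(crypttab_text)
    mounts = parse_fstab(fstab_text)
    return {name: classify(name, crypttab, mounts) for name in crypttab}


if __name__ == "__main__":
    for name, (status, detail) in audit(CRYPTTAB, FSTAB).items():
        print(f"{name:<10} {status:<10} {detail}")
```

On the sample input cr_data1 and cr_data2 come out as protected via cr_home, while cr_data3 is flagged as exposed because /etc sits on the unencrypted root device. An entry whose keyfile path matches no mountpoint (a USB stick that is not in fstab, as in Carlos's last paragraph) is reported as unknown rather than guessed.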