dm-crypt.saout.de archive mirror
* [dm-crypt] Re: Is crypttab secure to automount a partition?
       [not found] <CAA2KLbZz-GMUrhzdWwsXdU3M7agw7HOV5_eo6dW26joMB4hKtQ@mail.gmail.com>
@ 2021-03-20 23:52 ` Carlos E. R.
  2021-03-22 16:06   ` Christopher de Vidal
  0 siblings, 1 reply; 4+ messages in thread
From: Carlos E. R. @ 2021-03-20 23:52 UTC (permalink / raw)
  To: dm-crypt mail list


[-- Attachment #1.1.1: Type: text/plain, Size: 2180 bytes --]

On 20/03/2021 17.43, Christopher de Vidal wrote:
> I am a newbie with this so go gentle please :-) I want to automagically 
> mount a partition at boot. Is it secure to use the crypttab key field? I 
> assume I would have to store the passphrase in plain text in the file 
> specified in the key field, and since as I understand it the point of 
> partition encryption is to prevent a malicious local user with physical 
> access from reading the files, if the user can read the file specified 
> in the key field, wouldn't they then be able to decrypt the partition? 
> Seems to me like leaving the front door key under the doormat, but maybe 
> I'm just ignorant how it works. Please educate this newbie.

Suppose you have several encrypted partitions. One of them would be 
opened normally, with a password. It would contain a file, which would 
be the key to automatically open the other two partitions (which can 
also be opened manually with their password).

It is a trick for opening several partitions on boot while entering only 
one password.

/etc/crypttab:

cr_home      /dev/disk/by-id/ata-something-part5  \
     none  timeout=300,discard

cr_data1    /dev/disk/by-partlabel/data_1_raw     \
       /home/things/Keys/the_data_keyfile   auto


fstab:

/dev/mapper/cr_home    /home  xfs  lazytime,exec,nofail   1  2
/dev/mapper/cr_data1   /data/data_1  xfs  user,lazytime,exec,nofail  1  2

The keyfile has to be created once (4 KiB random data, for example) and 
added to the crypt:

cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile

cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
      /dev/sdc1 cr_cripta

There may be other uses, but that's the one I have.

You could have the keyfile stored on a USB stick. To open the partition 
you would have to connect the USB stick first. A better procedure would 
be that the system would also require a passphrase to proceed, but I 
don't know how to achieve that (the mantra is one thing you have, one 
thing you know. Two factors).

-- 
Cheers / Saludos,

		Carlos E. R.
		(from 15.2 x86_64 at Telcontar)


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 203 bytes --]

[-- Attachment #2: Type: text/plain, Size: 147 bytes --]

_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de

^ permalink raw reply	[flat|nested] 4+ messages in thread
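The layout Carlos describes has one property worth checking mechanically: the keyfile for the auto-opened volume lives on a volume that is itself unlocked with a passphrase, so a copy of the disk alone does not yield the key. The audit below is an added example (not from the mail, not part of cryptsetup); it parses crypttab and fstab, follows chains of keyfiles, and flags a keyfile that ends up on plain storage. The sample tables are constructed from the entries quoted above.

```python
# Added audit (not from the mail or from cryptsetup): does every keyfile-unlocked
# volume keep its key on a volume that is itself passphrase-unlocked? The tables
# below are constructed from the crypttab and fstab entries in the mail.
CRYPTTAB = """
cr_home   /dev/disk/by-id/ata-something-part5  none                                timeout=300,discard
cr_data1  /dev/disk/by-partlabel/data_1_raw    /home/things/Keys/the_data_keyfile  auto
"""
FSTAB = """
/dev/mapper/cr_home   /home         xfs  lazytime,exec,nofail       1 2
/dev/mapper/cr_data1  /data/data_1  xfs  user,lazytime,exec,nofail  1 2
"""
PASSPHRASE = ("none", "-")  # crypttab key-field values that mean "ask at boot"


def parse_table(text):
    """Rows of whitespace-separated fields; blank and comment lines skipped."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def containing_mount(path, fstab_rows):
    """fstab row whose mount point is the longest prefix of path; None = root fs."""
    hits = [r for r in fstab_rows if r[1] != "/"
            and (path == r[1] or path.startswith(r[1].rstrip("/") + "/"))]
    return max(hits, key=lambda r: len(r[1]), default=None)


def key_protection(name, crypt, fstab_rows, seen=frozenset()):
    """passphrase  : key field none/-, a human supplies the secret at boot
    chained     : keyfile sits on a volume that is (transitively) passphrase-unlocked
    unprotected : keyfile sits on plain storage, readable by whoever holds the disk
    unverifiable: keyfile on the root fs, on an unlisted mapper device, or in a cycle"""
    key = crypt[name][2] if len(crypt[name]) > 2 else "none"
    if key in PASSPHRASE:
        return "passphrase"
    hit = containing_mount(key, fstab_rows)
    if hit is None:
        return "unverifiable"
    if not hit[0].startswith("/dev/mapper/"):
        return "unprotected"
    parent = hit[0][len("/dev/mapper/"):]
    if parent not in crypt or parent in seen:
        return "unverifiable"
    state = key_protection(parent, crypt, fstab_rows, seen | {name})
    return "chained" if state in ("passphrase", "chained") else state


def audit(crypttab_text, fstab_text):
    """Map each crypttab volume name to its key-protection class."""
    crypt = {row[0]: row for row in parse_table(crypttab_text)}
    fstab_rows = parse_table(fstab_text)
    return {name: key_protection(name, crypt, fstab_rows) for name in crypt}
```

Run against the real /etc/crypttab and /etc/fstab, an "unprotected" result is exactly the key-under-the-doormat case from the original question; "unverifiable" means the audit cannot see how the containing volume is unlocked (for example a root filesystem opened from the initramfs) and needs a manual look.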

* [dm-crypt] Re: Is crypttab secure to automount a partition?
  2021-03-20 23:52 ` [dm-crypt] Re: Is crypttab secure to automount a partition? Carlos E. R.
@ 2021-03-22 16:06   ` Christopher de Vidal
  2021-03-22 16:57     ` Carlos E. R.
  2021-03-23  9:52     ` Arno Wagner
  0 siblings, 2 replies; 4+ messages in thread
From: Christopher de Vidal @ 2021-03-22 16:06 UTC (permalink / raw)
  To: Carlos E. R.; +Cc: dm-crypt mail list


[-- Attachment #1.1: Type: text/plain, Size: 2786 bytes --]

That's very cool. But I get the impression from your response that there is
no way to automount securely? E.g. at least one password entry is always
required.

Christopher de Vidal

Would you consider yourself a good person? Have you ever taken the 'Good
Person' test? It's a fascinating five minute quiz. Google it.


On Sat, Mar 20, 2021 at 7:54 PM Carlos E. R. <robin.listas@telefonica.net>
wrote:

> On 20/03/2021 17.43, Christopher de Vidal wrote:
> > I am a newbie with this so go gentle please :-) I want to automagically
> > mount a partition at boot. Is it secure to use the crypttab key field? I
> > assume I would have to store the passphrase plain texting the file
> > specified in the key field, and since as I understand it the point of
> > partition encryption is to prevent a malicious local user with physical
> > access from reading the files, if the user can read the file specified
> > in the key field, wouldn't they then be able to decrypt the partition?
> > Seems to me like leaving the front door key under the doormat, but maybe
> > I'm just ignorant how it works. Please educate this newbie.
>
> Suppose you have several encrypted partitions. One of them would be
> opened normally, with a password. It would contain a file, which would
> be the key to automatically open the other two partitions (which can
> also be opened manually with their password).
>
> It is a trick to opening several partitions on boot with entering only
> one password.
>
> /etc/crypttab:
>
> cr_home      /dev/disk/by-id/ata-something-part5  \
>      none  timeout=300,discard
>
> cr_data1    /dev/disk/by-partlabel/data_1_raw     \
>        /home/things/Keys/the_data_keyfile   auto
>
>
> fstab:
>
> /dev/mapper/cr_home    /home  xfs  lazytime,exec,nofail   1  2
> /dev/mapper/cr_data1   /data/data_1  xfs  user,lazytime,exec,nofail
>    1  2
>
>
>
>
> The keyfile has to be created once (4 KiB random data, for example) and
> added to the crypt:
>
> cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
>
> cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
>       /dev/sdc1 cr_cripta
>
>
>
>
>
>
> There may be other uses, but that's the one I have.
>
> You could have the keyfile stored in an USB stick. To open the partition
> you would have to connect the USB stick first. A better procedure would
> be that the system would also require a passphrase to proceed, but I
> don't know how to achieve that (the mantra is one thing you have, one
> thing you know. Two factors).
>
>
>
> --
> Cheers / Saludos,
>
>                 Carlos E. R.
>                 (from 15.2 x86_64 at Telcontar)
>
> _______________________________________________
> dm-crypt mailing list -- dm-crypt@saout.de
> To unsubscribe send an email to dm-crypt-leave@saout.de
>

[-- Attachment #1.2: Type: text/html, Size: 3857 bytes --]

[-- Attachment #2: Type: text/plain, Size: 147 bytes --]

_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [dm-crypt] Re: Is crypttab secure to automount a partition?
  2021-03-22 16:06   ` Christopher de Vidal
@ 2021-03-22 16:57     ` Carlos E. R.
  2021-03-23  9:52     ` Arno Wagner
  1 sibling, 0 replies; 4+ messages in thread
From: Carlos E. R. @ 2021-03-22 16:57 UTC (permalink / raw)
  To: dm-crypt mail list


[-- Attachment #1.1.1: Type: text/plain, Size: 740 bytes --]

On 22/03/2021 17.06, Christopher de Vidal wrote:
> That's very cool. But I get the impression from your response that there 
> is no way to automount securely? E.g. at least one password entry is 
> always required.

I don't see how... If you get automount working, it has to get/read the 
key from somewhere that is accessible before mounting, and automatically.

Maybe it could be a challenge-response questionnaire to a remote server, 
say an ssh session, and it is the remote server which sends the key. But 
if an attacker is present, he could replace the machine or the ssh 
client with another of his own to obtain and store the key.

-- 
Cheers / Saludos,

		Carlos E. R.
		(from 15.2 x86_64 at Telcontar)


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 203 bytes --]

[-- Attachment #2: Type: text/plain, Size: 147 bytes --]

_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [dm-crypt] Re: Is crypttab secure to automount a partition?
  2021-03-22 16:06   ` Christopher de Vidal
  2021-03-22 16:57     ` Carlos E. R.
@ 2021-03-23  9:52     ` Arno Wagner
  1 sibling, 0 replies; 4+ messages in thread
From: Arno Wagner @ 2021-03-23  9:52 UTC (permalink / raw)
  To: dm-crypt mail list


You can hardcode a passphrase in an initrd, put that on a USB key
and remove the USB after boot. (We had that as an emergency procedure
for a reboot in a DC-setup. The USB-Key was locked in a safe 
to secure it.)

Something needs to be provided, either a secret or a token, there
is no security without that.

Regards,
Arno

On Mon, Mar 22, 2021 at 17:06:01 CET, Christopher de Vidal wrote:
>    That's very cool. But I get the impression from your response that
>    there is no way to automount securely? E.g. at least one password entry
>    is always required.
>    Christopher de Vidal
>    Would you consider yourself a good person? Have you ever taken the
>    'Good Person' test? It's a fascinating five minute quiz. Google it.
> 
>    On Sat, Mar 20, 2021 at 7:54 PM Carlos E. R.
>    <[1]robin.listas@telefonica.net> wrote:
> 
>      On 20/03/2021 17.43, Christopher de Vidal wrote:
>      > I am a newbie with this so go gentle please :-) I want to
>      automagically
>      > mount a partition at boot. Is it secure to use the crypttab key
>      field? I
>      > assume I would have to store the passphrase plain texting the file
>      > specified in the key field, and since as I understand it the point
>      of
>      > partition encryption is to prevent a malicious local user with
>      physical
>      > access from reading the files, if the user can read the file
>      specified
>      > in the key field, wouldn't they then be able to decrypt the
>      partition?
>      > Seems to me like leaving the front door key under the doormat, but
>      maybe
>      > I'm just ignorant how it works. Please educate this newbie.
>      Suppose you have several encrypted partitions. One of them would be
>      opened normally, with a password. It would contain a file, which
>      would
>      be the key to automatically open the other two partitions (which can
>      also be opened manually with their password).
>      It is a trick to opening several partitions on boot with entering
>      only
>      one password.
>      /etc/crypttab:
>      cr_home      /dev/disk/by-id/ata-something-part5  \
>           none  timeout=300,discard
>      cr_data1    /dev/disk/by-partlabel/data_1_raw     \
>             /home/things/Keys/the_data_keyfile   auto
>      fstab:
>      /dev/mapper/cr_home    /home  xfs  lazytime,exec,nofail   1  2
>      /dev/mapper/cr_data1   /data/data_1  xfs  user,lazytime,exec,nofail
>         1  2
>      The keyfile has to be created once (4 KiB random data, for example)
>      and
>      added to the crypt:
>      cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
>      cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
>            /dev/sdc1 cr_cripta
>      There may be other uses, but that's the one I have.
>      You could have the keyfile stored in an USB stick. To open the
>      partition
>      you would have to connect the USB stick first. A better procedure
>      would
>      be that the system would also require a passphrase to proceed, but I
>      don't know how to achieve that (the mantra is one thing you have,
>      one
>      thing you know. Two factors).
>      --
>      Cheers / Saludos,
>                      Carlos E. R.
>                      (from 15.2 x86_64 at Telcontar)
>      _______________________________________________
>      dm-crypt mailing list -- [2]dm-crypt@saout.de
>      To unsubscribe send an email to [3]dm-crypt-leave@saout.de
> 
> References
> 
>    1. mailto:robin.listas@telefonica.net
>    2. mailto:dm-crypt@saout.de
>    3. mailto:dm-crypt-leave@saout.de

> _______________________________________________
> dm-crypt mailing list -- dm-crypt@saout.de
> To unsubscribe send an email to dm-crypt-leave@saout.de


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier