From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=3VlH=IV=saout.de=dm-crypt-bounces@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,
	USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 26C17C433DB
	for <dm-crypt@archiver.kernel.org>; Tue, 23 Mar 2021 09:55:14 +0000 (UTC)
Received: from mail.server123.net (mail.server123.net [78.46.64.186])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 90ADF619BD
	for <dm-crypt@archiver.kernel.org>; Tue, 23 Mar 2021 09:55:13 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 90ADF619BD
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=wagner.name
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=dm-crypt-bounces@saout.de
X-Virus-Scanned: amavisd-new at saout.de
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=84.19.178.47; helo=v1.tansi.org; envelope-from=arno@wagner.name; receiver=<UNKNOWN> 
Received: from v1.tansi.org (mail.tansi.org [84.19.178.47])
	by mail.server123.net (Postfix) with ESMTP
	for <dm-crypt@saout.de>; Tue, 23 Mar 2021 10:52:20 +0100 (CET)
Received: from gatewagner.dyndns.org (81-6-44-245.init7.net [81.6.44.245])
	by v1.tansi.org (Postfix) with ESMTPA id 6805C140155
	for <dm-crypt@saout.de>; Tue, 23 Mar 2021 10:52:21 +0100 (CET)
Received: by gatewagner.dyndns.org (Postfix, from userid 1000)
	id AA31A17A27E; Tue, 23 Mar 2021 10:52:19 +0100 (CET)
Date: Tue, 23 Mar 2021 10:52:19 +0100
From: Arno Wagner <arno@wagner.name>
To: dm-crypt mail list <dm-crypt@saout.de>
Message-ID: <20210323095219.GB10136@tansi.org>
Mail-Followup-To: dm-crypt mail list <dm-crypt@saout.de>
References: <CAA2KLbZz-GMUrhzdWwsXdU3M7agw7HOV5_eo6dW26joMB4hKtQ@mail.gmail.com>
 <fe483009-b0fe-1b5a-5a3c-36039f904ac0@telefonica.net>
 <CAA2KLbbt2inBrS0BJF-8vzp_J3hdbaCpzR-XvA+792Kic2CNMA@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAA2KLbbt2inBrS0BJF-8vzp_J3hdbaCpzR-XvA+792Kic2CNMA@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Message-ID-Hash: DOOM5ECSDCNAH7YCNWYINPONR2FYO4N6
X-Message-ID-Hash: DOOM5ECSDCNAH7YCNWYINPONR2FYO4N6
X-MailFrom: arno@wagner.name
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dm-crypt.saout.de-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header
X-Mailman-Version: 3.3.2
Precedence: list
Subject: [dm-crypt] Re: Is crypttab secure to automount a partition?
List-Id: <dm-crypt.saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Post: <mailto:dm-crypt@saout.de>
List-Subscribe: <mailto:dm-crypt-join@saout.de>
List-Unsubscribe: <mailto:dm-crypt-leave@saout.de>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit


You can hardcode a passphrase in an initrd, put that on an USB key
and remove the USB after boot. (We had that as an emergency procedure
for a reboot in a DC-setup. The USB-Key was locked in a safe 
tro secure it.)

Something needs to be provided, either a secret or a token, there
is no security without that.

Regards,
Arno

On Mon, Mar 22, 2021 at 17:06:01 CET, Christopher de Vidal wrote:
>    That's very cool. But I get the impression from your response that
>    there is no way to automount securely? E.g. at least one password entry
>    is always required.
>    Christopher de Vidal
>    Would you consider yourself a good person? Have you ever taken the
>    'Good Person' test? It's a fascinating five minute quiz. Google it.
> 
>    On Sat, Mar 20, 2021 at 7:54 PM Carlos E. R.
>    <[1]robin.listas@telefonica.net> wrote:
> 
>      On 20/03/2021 17.43, Christopher de Vidal wrote:
>      > I am a newbie with this so go gentle please :-) I want to
>      automagically
>      > mount a partition at boot. Is it secure to use the crypttab key
>      field? I
>      > assume I would have to store the passphrase plain texting the file
>      > specified in the key field, and since as I understand it the point
>      of
>      > partition encryption is to prevent a malicious local user with
>      physical
>      > access from reading the files, if the user can read the file
>      specified
>      > in the key field, wouldn't they then be able to decrypt the
>      partition?
>      > Seems to me like leaving the front door key under the doormat, but
>      maybe
>      > I'm just ignorant how it works. Please educate this newbie.
>      Suppose you have several encrypted partitions. One of them would be
>      opened normally, with a password. It would contain a file, which
>      would
>      be the key to automatically open the other two partitions (which can
>      also be opened manually with their password).
>      It is a trick to opening several partitions on boot with entering
>      only
>      one password.
>      /etc/crypttab:
>      cr_home      /dev/disk/by-id/ata-something-part5  \
>           none  timeout=300,discard
>      cr_data1    /dev/disk/by-partlabel/data_1_raw     \
>             /home/things/Keys/the_data_keyfile   auto
>      fstab:
>      /dev/mapper/cr_home    /home  xfs  lazytime,exec,nofail   1  2
>      /dev/mapper/cr_data1   /data/data_1  xfs  user,lazytime,exec,nofail
>         1  2
>      The keyfile has to be created once (4 KiB random data, for example)
>      and
>      added to the crypt:
>      cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
>      cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
>            /dev/sdc1 cr_cripta
>      There may be other uses, but that's the one I have.
>      You could have the keyfile stored in an USB stick. To open the
>      partition
>      you would have to connect the USB stick first. A better procedure
>      would
>      be that the system would also require a passphrase to proceed, but I
>      don't know how to achieve that (the mantra is one thing you have,
>      one
>      thing you know. Two factors).
>      --
>      Cheers / Saludos,
>                      Carlos E. R.
>                      (from 15.2 x86_64 at Telcontar)
>      _______________________________________________
>      dm-crypt mailing list -- [2]dm-crypt@saout.de
>      To unsubscribe send an email to [3]dm-crypt-leave@saout.de
> 
> References
> 
>    1. mailto:robin.listas@telefonica.net
>    2. mailto:dm-crypt@saout.de
>    3. mailto:dm-crypt-leave@saout.de

> _______________________________________________
> dm-crypt mailing list -- dm-crypt@saout.de
> To unsubscribe send an email to dm-crypt-leave@saout.de


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de