From: Christopher de Vidal <cbdevidal.jk1@gmail.com>
To: "Carlos E. R." <robin.listas@telefonica.net>
Cc: dm-crypt mail list <dm-crypt@saout.de>
Subject: [dm-crypt] Re: Is crypttab secure to automount a partition?
Date: Mon, 22 Mar 2021 12:06:01 -0400 [thread overview]
Message-ID: <CAA2KLbbt2inBrS0BJF-8vzp_J3hdbaCpzR-XvA+792Kic2CNMA@mail.gmail.com> (raw)
In-Reply-To: <fe483009-b0fe-1b5a-5a3c-36039f904ac0@telefonica.net>
That's very cool. But I get the impression from your response that there is
no way to automount securely? E.g. at least one password entry is always
required.
Christopher de Vidal
Would you consider yourself a good person? Have you ever taken the 'Good
Person' test? It's a fascinating five minute quiz. Google it.
On Sat, Mar 20, 2021 at 7:54 PM Carlos E. R. <robin.listas@telefonica.net>
wrote:
> On 20/03/2021 17.43, Christopher de Vidal wrote:
> > I am a newbie with this so go gentle please :-) I want to automagically
> > mount a partition at boot. Is it secure to use the crypttab key field? I
> > assume I would have to store the passphrase in plain text in the file
> > specified in the key field, and since as I understand it the point of
> > partition encryption is to prevent a malicious local user with physical
> > access from reading the files, if the user can read the file specified
> > in the key field, wouldn't they then be able to decrypt the partition?
> > Seems to me like leaving the front door key under the doormat, but maybe
> > I'm just ignorant how it works. Please educate this newbie.
>
> Suppose you have several encrypted partitions. One of them would be
> opened normally, with a password. It would contain a file, which would
> be the key to automatically open the other two partitions (which can
> also be opened manually with their password).
>
> It is a trick for opening several partitions on boot with entering only
> one password.
>
> /etc/crypttab:
>
> cr_home /dev/disk/by-id/ata-something-part5 \
> none timeout=300,discard
>
> cr_data1 /dev/disk/by-partlabel/data_1_raw \
> /home/things/Keys/the_data_keyfile auto
>
>
> fstab:
>
> /dev/mapper/cr_home /home xfs lazytime,exec,nofail 1 2
> /dev/mapper/cr_data1 /data/data_1 xfs user,lazytime,exec,nofail 1 2
>
> The keyfile has to be created once (4 KiB random data, for example) and
> added to the crypt:
>
> cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
>
> cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
> /dev/sdc1 cr_cripta
>
> There may be other uses, but that's the one I have.
>
> You could have the keyfile stored on a USB stick. To open the partition
> you would have to connect the USB stick first. A better procedure would
> be that the system would also require a passphrase to proceed, but I
> don't know how to achieve that (the mantra is one thing you have, one
> thing you know. Two factors).
>
> --
> Cheers / Saludos,
>
> Carlos E. R.
> (from 15.2 x86_64 at Telcontar)
>
> _______________________________________________
> dm-crypt mailing list -- dm-crypt@saout.de
> To unsubscribe send an email to dm-crypt-leave@saout.de
>
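The keyfile procedure quoted above (4 KiB of random data, added to the LUKS header as a second key slot, referenced from /etc/crypttab) as an added example. This is not code from the thread or from the cryptsetup project: the device /dev/sdc1, the keyfile path and the partition label are taken from the quoted message, the "luks" crypttab option and the GNU `stat -c %a` call are assumptions. The point it adds is the check the thread's question is really about: the keyfile only protects anything if it is unreadable to other local users and lives on a partition that is itself unlocked with a passphrase.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Creates a LUKS keyfile the way
# the quoted message describes, enforces root-only permissions, enrols it in a
# free key slot and verifies the slot. Device and paths are assumptions.
set -e

# Create KEYFILE with 4 KiB of random bytes and mode 0400.
# Refuses to overwrite an existing file so an already-enrolled key is not lost.
make_keyfile() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing keyfile $keyfile" >&2
        return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller's shell.
    ( umask 077; head -c 4096 /dev/urandom > "$keyfile" )
    chmod 0400 "$keyfile"
}

# Return 0 only if KEYFILE is exactly 4096 bytes and has no group/other bits.
# A keyfile another local user can read is the "key under the doormat" the
# original question worried about.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || return 1
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq 4096 ] || return 1
    # stat -c %a prints octal permissions (GNU coreutils; assumption).
    mode=$(stat -c %a "$keyfile")
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the /etc/crypttab line for the partition the keyfile unlocks.
# Fields: mapper name, source device, key file, options ("luks" is an assumption;
# the quoted message used "auto").
crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# Enrol KEYFILE in a free key slot of DEVICE. cryptsetup prompts for an existing
# passphrase, which stays valid, so the partition can still be opened manually.
# Then confirm the slot works without actually mapping the device.
enrol_keyfile() {
    device=$1
    keyfile=$2
    check_keyfile "$keyfile" || { echo "keyfile fails permission/size check" >&2; return 1; }
    cryptsetup luksAddKey "$device" "$keyfile"
    cryptsetup open --test-passphrase --key-file "$keyfile" "$device"
}

# Usage (needs root and a real LUKS device; paths from the quoted message):
#   make_keyfile /home/things/Keys/the_data_keyfile
#   enrol_keyfile /dev/sdc1 /home/things/Keys/the_data_keyfile
#   crypttab_line cr_data1 /dev/disk/by-partlabel/data_1_raw \
#       /home/things/Keys/the_data_keyfile >> /etc/crypttab
#
# Running the script with "demo" exercises keyfile creation and the check in a
# temporary directory without touching cryptsetup.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_keyfile "$tmp/keyfile" && check_keyfile "$tmp/keyfile" && echo "keyfile ok"
    rm -rf "$tmp"
fi
```

The keyfile directory (/home/things/Keys in the quoted setup) sits on cr_home, which is unlocked with a passphrase at boot, so the second partition is only ever opened after that passphrase has been entered; `check_keyfile` is what stops a keyfile that was accidentally created with a permissive umask from being enrolled.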
Thread overview (4+ messages):
[not found] <CAA2KLbZz-GMUrhzdWwsXdU3M7agw7HOV5_eo6dW26joMB4hKtQ@mail.gmail.com>
2021-03-20 23:52 ` [dm-crypt] Re: Is crypttab secure to automount a partition? Carlos E. R.
2021-03-22 16:06 ` Christopher de Vidal [this message]
2021-03-22 16:57 ` Carlos E. R.
2021-03-23 9:52 ` Arno Wagner