From: Christopher de Vidal <cbdevidal.jk1@gmail.com>
To: "Carlos E. R." <robin.listas@telefonica.net>
Cc: dm-crypt mail list <dm-crypt@saout.de>
Subject: [dm-crypt] Re: Is crypttab secure to automount a partition?
Date: Mon, 22 Mar 2021 12:06:01 -0400	[thread overview]
Message-ID: <CAA2KLbbt2inBrS0BJF-8vzp_J3hdbaCpzR-XvA+792Kic2CNMA@mail.gmail.com> (raw)
In-Reply-To: <fe483009-b0fe-1b5a-5a3c-36039f904ac0@telefonica.net>
That's very cool. But I get the impression from your response that there is
no way to automount securely? E.g. at least one password entry is always
required.

Christopher de Vidal

Would you consider yourself a good person? Have you ever taken the 'Good
Person' test? It's a fascinating five minute quiz. Google it.


On Sat, Mar 20, 2021 at 7:54 PM Carlos E. R. <robin.listas@telefonica.net>
wrote:

> On 20/03/2021 17.43, Christopher de Vidal wrote:
> > I am a newbie with this so go gentle please :-) I want to automagically
> > mount a partition at boot. Is it secure to use the crypttab key field? I
> > assume I would have to store the passphrase in plain text in the file
> > specified in the key field, and since as I understand it the point of
> > partition encryption is to prevent a malicious local user with physical
> > access from reading the files, if the user can read the file specified
> > in the key field, wouldn't they then be able to decrypt the partition?
> > Seems to me like leaving the front door key under the doormat, but maybe
> > I'm just ignorant of how it works. Please educate this newbie.
>
> Suppose you have several encrypted partitions. One of them would be
> opened normally, with a password. It would contain a file, which would
> be the key to automatically open the other two partitions (which can
> also be opened manually with their password).
>
> It is a trick for opening several partitions on boot while entering only
> one password.
>
> /etc/crypttab:
>
> cr_home      /dev/disk/by-id/ata-something-part5  \
>      none  timeout=300,discard
>
> cr_data1    /dev/disk/by-partlabel/data_1_raw     \
>        /home/things/Keys/the_data_keyfile   auto
>
>
> fstab:
>
> /dev/mapper/cr_home    /home  xfs  lazytime,exec,nofail   1  2
> /dev/mapper/cr_data1   /data/data_1  xfs  user,lazytime,exec,nofail
>    1  2
>
> The keyfile has to be created once (4 KiB random data, for example) and
> added to the crypt:
>
> cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
>
> cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
>       /dev/sdc1 cr_cripta
>
> There may be other uses, but that's the one I have.
>
> You could have the keyfile stored on a USB stick. To open the partition
> you would have to connect the USB stick first. A better procedure would
> be that the system would also require a passphrase to proceed, but I
> don't know how to achieve that (the mantra is one thing you have, one
> thing you know. Two factors).
>
>
>
> --
> Cheers / Saludos,
>
>                 Carlos E. R.
>                 (from 15.2 x86_64 at Telcontar)
>
> _______________________________________________
> dm-crypt mailing list -- dm-crypt@saout.de
> To unsubscribe send an email to dm-crypt-leave@saout.de
>
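The scheme Carlos describes only holds up if the keyfile itself is protected: it must sit on a volume that is unlocked with a passphrase (cr_home in his example) and must not be readable by anyone but root, otherwise a local user can read it and unlock cr_data1 exactly as the original question fears. The following is an added example, not code from either poster: a small POSIX shell helper that creates a 4 KiB random keyfile with a restrictive mode, and an audit function that walks a crypttab-style file and flags every keyfile entry whose file is missing or has any group/other permission bits set. All paths and device names in it are constructed for illustration, and it does not run cryptsetup, so it needs no root and no real LUKS device.

```shell
#!/bin/sh
# Added example: keyfile hygiene checks for /etc/crypttab entries.
# Not part of the mailing-list thread; paths below are constructed.

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a 4 KiB random keyfile, mirroring the "4 KiB random data" keyfile
# from the thread. umask 077 is applied *before* the file is created so there
# is no window in which the key bytes are world-readable; then lock to 0400.
make_keyfile() {
    keyfile=$1
    ( umask 077 && head -c 4096 /dev/urandom > "$keyfile" ) || return 1
    chmod 0400 "$keyfile"
}

# Audit a crypttab: columns are <name> <device> <key> <options>.
# Entries whose key field is empty, "none" or "-" prompt for a passphrase
# and are skipped. Every other key field must name an existing file whose
# group and other permission bits are all zero.
# Returns 0 when every keyfile entry passes, 1 when any entry is flagged.
check_crypttab() {
    crypttab=$1
    bad=0
    while read -r name device key options; do
        case "$name" in ''|'#'*) continue ;; esac       # blank line or comment
        case "$key" in ''|none|-) continue ;; esac      # passphrase-unlocked entry
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key does not exist"
            bad=1
            continue
        fi
        mode=$(file_mode "$key")
        # Accept only modes whose group/other digits are 00 (e.g. 400, 600).
        case "$mode" in
            *00|0) ;;
            *) echo "$name: keyfile $key has mode $mode (group/other bits set)"
               bad=1 ;;
        esac
    done < "$crypttab"
    return "$bad"
}

# Demonstration on constructed input (nothing here touches real disks).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_keyfile "$tmp/the_data_keyfile"
    printf 'cr_home  /dev/disk/by-id/ata-something-part5  none  timeout=300,discard\n' > "$tmp/crypttab"
    printf 'cr_data1 /dev/disk/by-partlabel/data_1_raw %s auto\n' "$tmp/the_data_keyfile" >> "$tmp/crypttab"
    check_crypttab "$tmp/crypttab" && echo "ok: all keyfile entries are locked down"
    chmod 0644 "$tmp/the_data_keyfile"
    check_crypttab "$tmp/crypttab" || echo "flagged: world-readable keyfile"
    rm -rf "$tmp"
fi
```

Run it with `sh script.sh --demo` to see both outcomes. The check deliberately stops at file permissions; it does not confirm that the keyfile lives on an encrypted volume, because on a running system that is a question for `findmnt` or `lsblk` against the mounted filesystem, and it is the half of the scheme that still depends on the one passphrase Carlos mentions being entered at boot.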
