From: "Carlos E. R."
To: dm-crypt mail list
Date: Sun, 21 Mar 2021 00:52:46 +0100
Subject: [dm-crypt] Re: Is crypttab secure to automount a partition?
On 20/03/2021 17.43, Christopher de Vidal wrote:
> I am a newbie with this so go gentle please :-) I want to automagically
> mount a partition at boot. Is it secure to use the crypttab key field? I
> assume I would have to store the passphrase plain text in the file
> specified in the key field, and since as I understand it the point of
> partition encryption is to prevent a malicious local user with physical
> access from reading the files, if the user can read the file specified
> in the key field, wouldn't they then be able to decrypt the partition?
> Seems to me like leaving the front door key under the doormat, but maybe
> I'm just ignorant how it works. Please educate this newbie.

Suppose you have several encrypted partitions. One of them would be
opened normally, with a password. It would contain a file, which would
be the key to automatically open the other two partitions (which can
also be opened manually with their password).

It is a trick for opening several partitions on boot while entering only
one password.
/etc/crypttab:

cr_home   /dev/disk/by-id/ata-something-part5 \
          none   timeout=300,discard
cr_data1  /dev/disk/by-partlabel/data_1_raw \
          /home/things/Keys/the_data_keyfile   auto

fstab:

/dev/mapper/cr_home    /home         xfs  lazytime,exec,nofail       1 2
/dev/mapper/cr_data1   /data/data_1  xfs  user,lazytime,exec,nofail  1 2

The keyfile has to be created once (4 KiB random data, for example) and
added to the crypt:

cryptsetup luksAddKey /dev/sdc1 /home/things/Keys/the_data_keyfile
cryptsetup luksOpen --key-file=/home/things/Keys/the_data_keyfile \
  /dev/sdc1 cr_cripta

There may be other uses, but that's the one I have.

You could have the keyfile stored on a USB stick. To open the partition
you would have to connect the USB stick first. A better procedure would
be that the system would also require a passphrase to proceed, but I
don't know how to achieve that (the mantra is one thing you have, one
thing you know. Two factors).

-- 
Cheers / Saludos,

       Carlos E. R.
       (from 15.2 x86_64 at Telcontar)

_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de
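An added shell example for the keyfile procedure in the reply above (it is not part of Carlos's message or of the cryptsetup project). The whole scheme only holds if the keyfile referenced from crypttab lives on the passphrase-protected volume and cannot be read by anyone but root, so the script does two things: it creates the 4 KiB random keyfile with owner-only permissions from the moment it exists, and it audits a crypttab, joining backslash-continued lines as in the example above, to report any referenced keyfile that is missing, readable by group or others, or owned by the wrong user. The function names make_keyfile and audit_crypttab, the sample crypttab text and the temporary paths are constructed for this example; cryptsetup itself is deliberately not called, so it runs without root and without a LUKS device.

```shell
#!/bin/sh
# Added example, not from the dm-crypt post: create a LUKS keyfile the way the
# reply describes (4 KiB of random data) with owner-only permissions, and audit
# a crypttab for keyfiles that anyone other than the owner could read.
# make_keyfile and audit_crypttab are names chosen here, not cryptsetup tooling.
set -u

# make_keyfile PATH
# Writes 4096 random bytes to PATH. The umask makes the file unreadable by
# group and others from the instant it is created, not only after the chmod.
make_keyfile() {
    kf=$1
    kfdir=$(dirname "$kf")
    mkdir -p "$kfdir" && chmod 700 "$kfdir" || return 1
    ( umask 077 && dd if=/dev/urandom of="$kf" bs=4096 count=1 2>/dev/null ) || return 1
    chmod 400 "$kf"
}

# audit_crypttab FILE [OWNER]
# Joins backslash-continued lines, skips comments and entries whose key field
# is "none" or "-" (those prompt for a passphrase), and for every keyfile
# reports whether it is missing, accessible to group/others, or not owned by
# OWNER (default root). Prints one line per finding; returns 0 only when clean.
audit_crypttab() {
    ctab=$1
    want_owner=${2:-root}
    findings=$(
        awk '/\\$/ { sub(/\\$/, ""); joined = joined $0; next }
             { print joined $0; joined = "" }' "$ctab" |
        while read -r name dev key opts; do
            case "$name" in ''|\#*) continue ;; esac
            case "$key" in ''|none|-) continue ;; esac
            if [ ! -f "$key" ]; then
                echo "$name: keyfile $key is missing or not a regular file"
                continue
            fi
            # ls -ld: field 1 is the mode string, field 3 the owner
            # (crypttab paths are not expected to contain whitespace)
            set -- $(ls -ld "$key")
            mode=$1
            owner=$3
            # characters 5-10 of the mode string are the group and other bits
            case "$(printf '%s' "$mode" | cut -c5-10)" in
                *[rwx]*) echo "$name: keyfile $key is accessible to group/others ($mode)" ;;
            esac
            [ "$owner" = "$want_owner" ] ||
                echo "$name: keyfile $key is owned by $owner, expected $want_owner"
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

To use it on a real system, source the file and run audit_crypttab /etc/crypttab as root; a non-zero exit with findings on stdout means a keyfile is exposed and should be regenerated with make_keyfile and re-added with cryptsetup luksAddKey. The audit does not check that the keyfile's directory is itself on an encrypted mapping, which is the other half of the scheme; the mount table is the place to confirm that.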