Encrypted root with "mount-slusky"?
Ben Slusky wrote:
| I've cut out xgetpass() entirely. Now that hashing is done outside
| losetup, there's no sense in reading any more than LO_KEY_SIZE bytes.
| So if we're given an fd or an external program then we do a plain old
| read(2), otherwise a plain old getpass(3).
Ben:
Thanks for these patches!
I have been working on encrypted-root, with the password mangled via gpg
key pairs.
I can get everything to work (almost) with a "stock" util-linux-2.12 via
the following losetup chain:
gpg --homedir /mnt/usb/.gnupg \
  -d /mnt/usb/.gnupg/hard-disk-keyfile.gpg | \
  losetup -e twofish -p 0 /dev/loop/5 $DATA
This works -- *until* you try to run something like this from PID 1
(init), for example in a pivot_root set-up script at boot time. When you
do that, you don't have a TTY, and GPG will die with "can't open /dev/tty".
So I need something like Jari's lomount patch, which expands the getpass
functions in lomount to call GPG (with the --no-tty option, and using
xgetpass).
Is there some way to merge the two approaches? Or to use your approach
with GPG that I am missing?
Thanks!
- boyd
Boyd Waters
http://www.aoc.nrao.edu/~bwaters/
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/