Re: Loop-AES: Question for Password when none is needed
Matthias Schniedermeyer wrote:
> When I use a key-file that is only 'gpg --store -a', e.g. because
> the key-file is stored inside an encrypted filesystem that is currently
> mounted, mount still asks for a Password where anything can be typed.
I hope that for security reasons you are using a different key file for each
automounted file system. If you are mounting removable media, then the encrypted
key file must be stored on the same media. A passphrase-less key file on the same
media won't provide any security.
> What makes this not beautiful is that it can only be short-circuited
> with -p <whatever>. But that doesn't fly with autofs map-type rule. You
> can only provide "-o <whatever>" options that are passed down to mount.
> Naturally redirecting stderr isn't possible either.
I don't know what automounter implementation you are using, but the BSD amd
automounter that I am using lets the admin configure a program or script to do
the actual mount operation.
> The mount succeeds, because nothing can be read from STDIN as I guess
> there is no STDIN, so the mount continues.
> But every time an encrypted automount happens I get an ugly
> ... automount[1441]: >> Password:
> line in syslog.
I don't see such messages on my box.
Below are some config lines from my test box that I set up to automount an
encrypted floppy. The first 8192 bytes of each floppy are used to store the gpg
encrypted key file. Here is the mount point definition in the /etc/am-utils/amd.conf
file:
[/a]
map_name = /etc/am-utils/amd.a
Here is the map entry in the /etc/am-utils/amd.a file:
fd0-crypt type:=program;fs:=/floppy;mount:="/etc/am-utils/cryptmount.sh /etc/am-utils/cryptmount.sh ext2 /dev/fd0 /floppy /dev/loop0";unmount:="/bin/umount umount /floppy"
Here is the root-only executable shell script in the /etc/am-utils/cryptmount.sh file:
#!/bin/sh
# amd passes: $1=fstype $2=device (also the gpg key file; the key lives in its first 8192 bytes) $3=mount point $4=loop device
# -p3 makes the loop-AES mount read the gpg passphrase from fd 3 instead of the terminal
/bin/mount -t "$1" "$2" "$3" -o "encryption=AES128,gpgkey=$2,offset=8192,loop=$4" -p3 3</tmp/clearpassword
Here is a script that I used to create encrypted floppy:
#!/bin/bash
DEV=/dev/fd0
LOOP=/dev/loop7
set -v
set -e
# Overwrite the first 8192 bytes (16 x 512) that will hold the gpg-encrypted key file with blank lines.
yes "" | dd of=${DEV} bs=512 count=16 conv=notrunc
# Key material: 2925 random bytes, base64 encoded with the uuencode header line
# stripped (65 lines of 60 chars), symmetrically gpg-encrypted and armored,
# written to the start of the floppy.
head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
| gpg --symmetric -a --no-comments --no-emit-version | dd of=${DEV} conv=notrunc
# Throwaway random passphrase (one base64 line, read by losetup from fd 0) to
# set up a loop device behind the key file, then fill it with zeros so the data
# area becomes ciphertext under an unknown key instead of the old floppy contents.
head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 \
| losetup -p 0 -e AES128 -o 8192 ${LOOP} ${DEV}
dd if=/dev/zero of=${LOOP} bs=4k conv=notrunc || true
sync
losetup -d ${LOOP}
# Re-attach using the gpg-encrypted key file stored on the floppy itself (-K), then create the file system.
losetup -e AES128 -K ${DEV} -o 8192 ${LOOP} ${DEV}
mkfs -t ext2 -m 0 -O none ${LOOP}
losetup -d ${LOOP}
--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
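As an added example (not part of Jari's message or of loop-AES itself), here is a stricter variant of the type:=program wrapper above: it checks the four arguments amd hands over, refuses to proceed if the passphrase file is readable by other users, and still feeds the passphrase to mount on fd 3 so it never shows up on the command line or in the automounter's log. The mount options and -p3 are the ones used in the message; the passphrase path /etc/am-utils/passphrase and the MOUNT override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of Jari's message: a stricter variant of the
# type:=program wrapper above. amd calls it as
#   cryptmount.sh <fstype> <device> <mountpoint> <loopdev>
# The loop-AES mount options and -p<fd> are the ones used in the message;
# PASSFILE's default path is an assumption for this example.
PASSFILE=${PASSFILE:-/etc/am-utils/passphrase}
MOUNT=${MOUNT:-/bin/mount}
KEY_OFFSET=8192

# Accept only the argument shapes the amd map is expected to hand over.
validate_args() {
    [ $# -eq 4 ] || return 1
    case "$1" in ext2|ext3) ;; *) return 1 ;; esac       # file system type
    case "$2" in /dev/*) ;; *) return 1 ;; esac          # block device, also the gpg key file
    case "$3" in /*) ;; *) return 1 ;; esac              # absolute mount point
    case "$4" in /dev/loop[0-9]*) ;; *) return 1 ;; esac # loop device
    return 0
}

# Succeed only if the passphrase file exists and has no group/other read bit.
passfile_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Mount with the passphrase delivered on fd 3 (loop-AES mount's -p3), so it
# never appears on the command line or in the automounter's log output.
do_mount() {
    validate_args "$@" || { echo "cryptmount: bad arguments: $*" >&2; return 2; }
    passfile_is_private "$PASSFILE" || {
        echo "cryptmount: refusing to use $PASSFILE: missing or readable by others" >&2
        return 3
    }
    "$MOUNT" -t "$1" "$2" "$3" \
        -o "encryption=AES128,gpgkey=$2,offset=$KEY_OFFSET,loop=$4" -p3 3<"$PASSFILE"
}

# Run the mount only when invoked by amd as cryptmount.sh, not when sourced for testing.
case "$0" in
    */cryptmount.sh|cryptmount.sh) do_mount "$@" ;;
esac
```

The amd map entry stays exactly as in the message; only the script behind mount:= changes. A rejected mount exits non-zero, which amd reports as a failed mount instead of leaving a half-configured loop device behind.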
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/