Gentoo Forums
Where to save password for short time.
Networking & Security
Sujao
l33t


Joined: 25 Sep 2004
Posts: 677
Location: Germany

Posted: Mon Nov 28, 2005 10:14 am    Post subject: Where to save password for short time.

Hi everybody!

In order to mount several encrypted partitions I need to run the cryptsetup (LUKS) application several times during the boot process. The first one is executed in a "fake" root created by a ramdisk, all following ones are inside the "real" environment after pivot_root and chroot. Cryptsetup prompts me for the password every time. I don't want to enter the same password for every encrypted partition.

So optionally I could run cryptsetup like this

Code:
# luksOpen needs the name of the mapping to create as its second argument
echo "thatisthepassword" | cryptsetup luksOpen /dev/hda1 hda1
echo "thatisthepassword" | cryptsetup luksOpen /dev/hda2 hda2
echo "thatisthepassword" | cryptsetup luksOpen /dev/hda3 hda3
echo "thatisthepassword" | cryptsetup luksOpen /dev/hda4 hda4


In order to do that I would have to read the password with a bash script, save it to a variable and then output it like

Code:
echo "$pass" | cryptsetup luksOpen /dev/hda1 hda1
...
...


How secure is this? Usually no network should be loaded at this time (the drives are mounted in /etc/init.d/localmount). But anyway: Is unsetting the variable afterwards enough to remove the password from memory? Or maybe there is another alternative? What do you recommend?


Last edited by Sujao on Mon Nov 28, 2005 12:25 pm; edited 1 time in total
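One way to script the pattern asked about above, as an added example and not the original poster's script: the passphrase is read once, handed to a shell function (never a process argument or an exported variable), piped to each luksOpen with `--key-file -`, and unset afterwards. The device/mapper names are placeholders and the `CRYPTSETUP` override is an assumption added so the flow can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the thread: read one LUKS passphrase, feed it to
# several luksOpen calls over a pipe, then drop the shell's copy. Device/mapper
# names are placeholders; CRYPTSETUP is a hypothetical override for testing.
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# open_all PASSPHRASE DEV:NAME [DEV:NAME ...]
# The passphrase is a shell-function argument, not a process argument, so it
# never shows up in /proc/<pid>/cmdline or ps; it is also never exported, so
# cryptsetup's environment does not carry it either. Never run this under set -x.
open_all() {
    pass=$1; shift
    for spec in "$@"; do
        dev=${spec%%:*}
        name=${spec#*:}
        # With --key-file - cryptsetup uses stdin verbatim (no newline stripping),
        # so printf '%s' must not append one, unlike echo.
        if ! printf '%s' "$pass" | "$CRYPTSETUP" luksOpen --key-file - "$dev" "$name"; then
            echo "luksOpen failed for $dev; not trying the remaining devices" >&2
            return 1
        fi
    done
}

# Interactive wrapper: prompt without echo, open everything, then unset.
# unset only drops the variable; sh gives no guarantee that freed memory is
# wiped, which is one reason the thread also wants swap encrypted.
main() {
    trap 'stty echo 2>/dev/null; unset pass' EXIT INT TERM
    printf 'Passphrase for encrypted partitions: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r pass
    stty echo 2>/dev/null
    printf '\n' >&2
    open_all "$pass" "$@"
    rc=$?
    unset pass
    return "$rc"
}

# Run only when DEV:NAME specs are given, e.g.
#   ./open-luks.sh /dev/hda1:crypt-hda1 /dev/hda2:crypt-hda2
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```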
Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

Posted: Mon Nov 28, 2005 10:35 am

How about a gpg armored file with passwords hidden in a picture inside a USB flash memory stick? Also,
you should encrypt the swap partition.
Sujao
l33t


Joined: 25 Sep 2004
Posts: 677
Location: Germany

Posted: Mon Nov 28, 2005 11:00 am

Cryptsetup needs the password in plain text to decrypt the hard drive, as does any cipher. Swap is encrypted, too. I just didn't mention it since it's not relevant for my question.
Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

Posted: Mon Nov 28, 2005 11:47 am

Quote:
Cryptsetup needs the password in plain text to decrypt the hard drive, as does any cipher. Swap is encrypted, too. I just didn't mention it since it's not relevant for my question.

You have your root partition encrypted, right? So why don't you just save the password that you're using for the other partitions in /root and cat it to cryptsetup during boot (edit /etc/init.d/localmount)?
Sujao
l33t


Joined: 25 Sep 2004
Posts: 677
Location: Germany

Posted: Mon Nov 28, 2005 12:21 pm

That's not a good idea in my opinion, since if somebody hacks my PC by network, he would have access to the password. A password somewhere in RAM is imho much harder to find.
Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

Posted: Tue Nov 29, 2005 4:10 am

If somebody hacks your system via network then it's game over, it doesn't matter if it is encrypted or not, you can't trust that system again, save what you can and wipe it all.
Encrypting your hard drives protects your system against illegal physical attempts, nothing more (you know this :)).
So, what I do, and it seems logical to me, is having only one passphrase, which I enter during boot time to decrypt my
/root partition, then I cat the keys file to cryptsetup to decrypt the rest (well, actually it is only one, for swap); the keys file is protected since it resides in the encrypted root partition.

So, that's it, then I proceed to secure my network, which is a completely different story.

Quote:
A password somewhere in RAM is imho much harder to find.

Yes, I can only imagine what it would take.
btw, a couple of months ago, I found this paper in chapter 7, it talks about Random-Access Memory, it's an interesting read.

If you use the same passphrases for all your partitions, your idea (feeding a script with the passphrase and using it multiple times) should work fine, I don't see the point of it though, but do as you wish, I am by no means an expert.

Oh, and btw, iirc there is some crypto-loop file in /etc/conf.d/ , perhaps it's useful in your case, don't know.

Regards,
Sujao
l33t


Joined: 25 Sep 2004
Posts: 677
Location: Germany

Posted: Tue Nov 29, 2005 9:11 pm

Reikinio wrote:
Quote:
A password somewhere in RAM is imho much harder to find.

Yes, I can only imagine what it would take.
btw, a couple of months ago, I found this paper in chapter 7, it talks about Random-Access Memory, it's an interesting read.


Know it already :)

Reikinio wrote:
If you use the same passphrases for all your partitions, your idea (feeding a script with the passphrase and using it multiple times) should work fine, I don't see the point of it though, but do as you wish, I am by no means an expert.


Why no point? As I said, it is much harder to find the password in RAM than on your hard disk. Let's say I have a separate data partition. Even if your PC was compromised, videos and pictures can't be turned into trojans. So this partition would still be safe. And being paranoid, I could also umount sensible partitions when activating the network. In addition to that, it's just the bad feeling of having passwords in plain text on your hard drive. :)


Reikinio wrote:
Oh, and btw, iirc there is some crypto-loop file in /etc/conf.d/ , perhaps it's useful in your case, don't know.

I didn't find any user interaction there, if that is what you meant.