Sujao
l33t
Joined: 25 Sep 2004
Posts: 677
Location: Germany
|
 Posted: Sat May 02, 2009 9:45 pm Post subject: Suggestion: gpg-agent for boot sequence |
 |
|
Hi,
I was tired of entering 9 passphrases for 9 encrypted partitions at every boot so I made a modification and want you to tell me what you think about it and whether you think that it might be a security problem.
What I basically did was starting the gpg-agent /lib/rcscripts/addons/dm-crypt-start.sh and let it cache the passphrase:
"#xxx" are the lines that I added.
| Code: | ...ebegin "Setting up dm-crypt mappings"
export OLDHOME="${HOME}" #xxx
export OLDUSER="${USER}" #xxx
export HOME="/root" #xxx
export USER="root" #xxx
eval $(gpg-agent --daemon) #xxx
...
...
ewend ${cryptfs_status} "Failed to setup dm-crypt devices"
fi
export HOME="${OLDHOME}" #xxx
export USER="${OLDUSER}" #xxx
killall gpg-agent #xxx
|
$HOME and $USER need to be set for gpg to find the gpg keys in /root. This way I only have to enter my passphrase once for my root system to boot up, and then once (instead of  for gpg, the rest is opened with the help of gpg-agent automatically. Of course I could modify the initrd image to use gpg-agent too, but entering it twice is easy enough for me.
I created a gpg key pair for root and created new hdd keys for my luks partitions that are encrypted with the same passphrase that the gpg-agent caches. I added them to the LUKS partition and then put them encrypted in the root folder. They are decrypted by gpg on startup and piped to cryptsetup.
What do you think about this? |
|
Networking & Security
