ernov n00b
Joined: 28 May 2010 Posts: 55
Posted: Sat Jun 19, 2010 7:51 am Post subject: How to automagically unlock luks crypted partition?
Hi, I've set up an encrypted partition managed by LUKS and added it to /etc/conf.d/dmcrypt. The correct /dev/mapper file is created OK, dmcrypt starts on boot and asks for a password to unlock the partition. Now I need it to be unlocked automatically at boot by some mechanism.
I've tried pam_mount, as in the doc from the wiki, but it doesn't work.
How do you do automatic unlocking of partitions on your boxes?
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sat Jun 19, 2010 8:56 am Post subject:
Do it based on an on-disk key rather than a passphrase. I personally keep my keys on a USB thumb drive (rather, it's a micro-SD in a USB adapter - a micro-SD can be swallowed, implanted under the skin, or crushed if anyone comes banging on my door!)
http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt#Further_tweaks_for_USB_keyfile_authentication
Works beautifully for me, full-volume crypto:
Code:
$ sudo mount |grep mapper
/dev/mapper/root on / type ext3 (rw)
/dev/mapper/share on /share type xfs (rw,nodev,logbufs=8)
/dev/mapper/kvm on /kvm type btrfs (rw)
/dev/mapper/btrfsvol on /tmp type btrfs (rw,nodev,noatime,subvol=tmp)
/dev/mapper/btrfsvol on /usr type btrfs (rw,nodev,noatime,subvol=usr,compress)
/dev/mapper/btrfsvol on /var type btrfs (rw,noatime,subvol=var,compress)
/dev/mapper/btrfsvol on /opt type btrfs (rw,noatime,subvol=opt)
/dev/mapper/btrfsvol on /home type btrfs (rw,nosuid,nodev,noatime,subvol=home,compress)
lxg Veteran
Joined: 12 Nov 2005 Posts: 1019 Location: Aachen, Germany
Posted: Sat Jun 19, 2010 9:31 am Post subject:
I agree this is a good setup ... However, I would always recommend having a passphrase set up as a backup. This is one of the key features of LUKS: having more than one key to the same resource. Because otherwise, if your SD card or USB device dies, your data goes with it.
Therefore: set up the USB/SD stuff and then immediately add another key slot with a passphrase. Then write the passphrase down, and store it in a *very* safe place. (Or don't write it down at all, and memorize it.)
ernov n00b
Joined: 28 May 2010 Posts: 55
Posted: Sat Jun 19, 2010 12:37 pm Post subject:
I'd rather stay with passphrase(s), so how exactly do you do automatic unlocking of an encrypted volume?
lxg Veteran
Joined: 12 Nov 2005 Posts: 1019 Location: Aachen, Germany
Posted: Sat Jun 19, 2010 4:43 pm Post subject:
Er … when you're working with passphrases, you have to do the unlocking manually – namely by entering the passphrase.
ernov n00b
Joined: 28 May 2010 Posts: 55
Posted: Sat Jun 19, 2010 4:59 pm Post subject:
So what is all this pam_mount about?
Hu Administrator
Joined: 06 Mar 2007 Posts: 23055
Posted: Sat Jun 19, 2010 7:53 pm Post subject:
lxg wrote:
> Er … when you're working with passphrases, you have to do the unlocking manually – namely by entering the passphrase.

Yes and no. To secure the system, it must not be possible for the system to boot and mount the encrypted volumes unattended. Requiring a passphrase satisfies this condition. The idea of pam_mount is that the user's password allows him to log in and also automatically decrypts the key material that protects the encrypted volume. This allows the user to enter one password instead of two: account password and container password. Technically, this means the volume does not mount at boot, but rather mounts when the relevant user logs in.
As I read the documentation, there is no need to involve /etc/conf.d/dmcrypt at all if you want the volume to be managed by pam_mount. ernov, could you post your pam_mount configuration and elaborate on how it does not work as you desire?
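A /etc/security/pam_mount.conf.xml for the arrangement Hu describes (volume opened at login with the account password, not at boot), added here as an illustration and not the poster's own pastebin config, which this page does not reproduce; the device /dev/sda3, the mount point and the option lists are assumed values.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- Added example, not from the thread. Assumptions: the LUKS volume is
     /dev/sda3, the user is ernov, and one LUKS key slot holds the same
     passphrase as the account password (added with cryptsetup luksAddKey).
     The volume must NOT also be listed in /etc/conf.d/dmcrypt: dmcrypt
     would prompt for it at boot, and pam_mount would then find the
     mapping already open at login. -->
<pam_mount>
  <debug enable="0" />

  <!-- fstype="crypt" makes pam_mount call mount.crypt, which detects the
       LUKS header and feeds the login password to cryptsetup on stdin.
       Nothing here lets the system open the volume unattended. -->
  <volume
      user="ernov"
      fstype="crypt"
      path="/dev/sda3"
      mountpoint="/home/ernov"
      options="nosuid,nodev" />

  <!-- Mount-option policy: whatever a volume (or a per-user file) asks
       for, suid and device nodes are never honoured on these mounts. -->
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty" />
  <mntoptions require="nosuid,nodev" />

  <!-- Close the mapping when the last session ends, so the disk is locked
       again after logout, not only after power-off. -->
  <logout wait="0" hup="no" term="no" kill="no" />
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
```

For the login password to reach mount.crypt, pam_mount.so must be in the PAM stack that handles the login (on Gentoo typically /etc/pam.d/system-auth, as `auth optional pam_mount.so` after pam_unix.so and `session optional pam_mount.so`; assumed layout, check your own PAM files).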
ernov n00b
Joined: 28 May 2010 Posts: 55
Posted: Sat Jun 19, 2010 8:28 pm Post subject:
Quote:
> This allows the user to enter one password instead of two: account password and container password.

Yes! That's what I need. I can't imagine a situation where I would need to give different passwords for every volume I'd like to open...
Here's the pam_mount conf: http://pastebin.com/E6u4HxSn (alternative link because pastebin.com seems to malfunction: http://pastebin.pl/25519). I admit I can't understand PAM at all. I just want to secure my hard disk in case of theft and prevent reading of its contents.