I want to use ssss to boot as well. I'm working on a solution in Fedora right now. In Debian I would use the keyscript= option in crypttab, but that doesn't appear to be available in Fedora.
Thoughts on how to do it:

It would be awesome to have LUKS itself support some kind of ssss. I'd do it through configuring n keyslots, t of which need to be unlocked to be able to ssss-combine. Each unlocked keyslot would yield an ssss share. A few cons with this approach:

* It uses a lot of keyslots (only 8 are available, fewer if you want to maintain one or two "normal" keyslots)
* It's a request for LUKS itself which puts it out of the distro's domain
* It would require a whole new version of LUKS, changed headers and all that. Ought to be able to make it backwards compatible at first glance, though.
* And thus would require updated cryptsetup support in the initramfs

A more ready solution would be to use ssss to yield the passphrase/keyfile to unlock a keyslot. The only thing needed for this is:

* ssss-combine support (executables and dependencies)
* A script to gather the tokens/shares for combination
* A way to provide the script with arguments for threshold (how many shares to gather) and where to get them (e.g. cryptroot-ask) or as "keyfiles", or a combination.

The current approach I'm taking in Fedora dracut is to pass a filename on the cmdline. This file contains a list of possible locations to find tokens. This would probably be removable devices like pen drives. For example you could have 5 usb sticks and require 2 of them to boot automatically. Keep one in the docking station at work, one on your keys, one at home, etc. I've even toyed with the idea of fetching a token off a network share, so if you're on your internal work network, you can have one fewer token required. You could even store passphrase protected tokens in /boot or in the initramfs itself, for which it will ask for the passphrases if it failed to gather enough tokens automatically. It's a very cool idea and a fun project so far.
The hardest part so far is how to insert the combine script in the unlocking process, and maybe including ssss-combine in the initramfs (haven't got there yet, no idea how hard it might be). Another thought would be to have a passphrase dialog and token file discovery going asynchronously, so it can be ready to take a passphrase if you want to just move along, or if you forgot to and then just plug in your usb stick while the passphrase prompt is up, it still finds the tokens and continues, taking down the passphrase prompt. That would probably be harder, still.

-- 
Get the hell out of my way! -- John Galt
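The "gather t of n tokens from a list of locations, combine, fall back to a passphrase prompt" flow described in the post, as an added, self-contained example that is not the poster's script and does not call the real ssss-combine binary. It implements byte-wise Shamir sharing over GF(2^8) in plain Python so it runs offline; the `<index>-<hex>` share layout and the `*.share` file name are assumptions chosen to resemble ssss's output, not a specification. The candidate "mount points" are constructed in a temporary directory to stand in for pen drives that are or are not plugged in.

```python
import os
import secrets
import tempfile

# GF(2^8) arithmetic with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
def gf_mul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return p

def gf_inv(a):
    # a^254 == a^-1 in GF(2^8) (group order 255); a must be nonzero.
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split_secret(secret, n, t):
    """Byte-wise Shamir split: n shares, any t of them recover. Returns {index: bytes}."""
    assert 1 <= t <= n < 256
    shares = {i: bytearray() for i in range(1, n + 1)}
    for byte in secret:
        # Random polynomial of degree t-1 whose constant term is the secret byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(t - 1)]
        for i in range(1, n + 1):
            y = 0
            for c in reversed(coeffs):      # Horner evaluation at x = i
                y = gf_mul(y, i) ^ c
            shares[i].append(y)
    return {i: bytes(s) for i, s in shares.items()}

def combine_shares(shares):
    """Lagrange interpolation at x = 0, byte by byte. Works with >= t shares."""
    idx = list(shares)
    length = len(next(iter(shares.values())))
    out = bytearray()
    for pos in range(length):
        acc = 0
        for i in idx:
            num, den = 1, 1
            for j in idx:
                if j != i:
                    num = gf_mul(num, j)       # (0 - x_j) == x_j in characteristic 2
                    den = gf_mul(den, i ^ j)   # (x_i - x_j)
            acc ^= gf_mul(shares[i][pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

def write_share(path, index, data):
    # "<index>-<hex>" mirrors the look of an ssss share line (assumption, not a spec).
    with open(path, "w") as f:
        f.write(f"{index}-{data.hex()}\n")

def gather_shares(locations, threshold):
    """Scan candidate locations (mounted pen drives, a network share, /boot) for
    *.share files. Returns the recovered secret as soon as `threshold` distinct
    shares are found, or None so the caller can fall back to a passphrase prompt."""
    found = {}
    for loc in locations:
        if not os.path.isdir(loc):
            continue                      # device not present / not mounted
        for name in sorted(os.listdir(loc)):
            if not name.endswith(".share"):
                continue
            with open(os.path.join(loc, name)) as f:
                index, hexdata = f.read().strip().split("-", 1)
            found[int(index)] = bytes.fromhex(hexdata)
            if len(found) >= threshold:
                return combine_shares(found)
    return None

def demo():
    """5 sticks, 2 required: two are 'plugged in', one listed location is absent."""
    passphrase = b"correct horse battery staple"        # constructed sample secret
    shares = split_secret(passphrase, n=5, t=2)
    with tempfile.TemporaryDirectory() as root:
        mounts = [os.path.join(root, f"usb{i}") for i in range(1, 6)]
        for i, m in enumerate(mounts, 1):
            os.mkdir(m)
            write_share(os.path.join(m, "luks.share"), i, shares[i])
        present = [mounts[1], mounts[3], os.path.join(root, "absent")]
        recovered = gather_shares(present, threshold=2)
        too_few = gather_shares([mounts[0]], threshold=2)  # one stick only
    return recovered == passphrase, too_few is None

if __name__ == "__main__":
    print(demo())
```

In an initramfs the `locations` list would come from the file named on the kernel cmdline, and a `None` result is the signal to show the passphrase dialog instead; the combine step here stands in for the call to ssss-combine.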