Package: cryptsetup
Version: 20050111-4
Severity: wishlist

In the attachment is a patch and a tool.

The patch includes support to use encrypted ssl-key/s at the boot-up process. The modified initscript will then ask for a password and decrypt it in a defined $PATH which is mounted as a tmpfs. If there are more keys with the same encrypted password, the initscript wants to ask once. The other modification is from the /etc/init.d/lvm-common script. It changes the usermod in /dev/mapper/<cdisks>. The tool creates a double encrypted key with 'openssl' for use with the cryptsetup initscript.

-- 
Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What cannot fly cannot crash either.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff -ruN old/etc/default/cryptdisks new/etc/default/cryptdisks --- old/etc/default/cryptdisks 2005-11-15 00:12:49.000000000 +0100 +++ new/etc/default/cryptdisks 2006-01-22 21:53:45.000000000 +0100 @@ -1,2 +1,21 @@ # Run cryptdisks at startup ? CRYPTDISKS_ENABLE=Yes + +# Path where the keys are. +SRCPATH=/etc/disk-keys + +# Path for the keys which are declared in /etc/crypttab. +DSTPATH=/tmp + +# Keys to use +#KEYS="backups.key home.key var.key" + +# The format of /dev/mapper/<device> is +# MODE_<device>="<user>:<group> <mode>" +# +# eg: +# +# MODE_cswap="root:disk 660" +# +# Sets the protection of /dev/mapper/cswap to 0660 and makes it owned by user +# "root" and group "disk". diff -ruN old/etc/init.d/cryptdisks new/etc/init.d/cryptdisks --- old/etc/init.d/cryptdisks 2005-11-15 00:12:49.000000000 +0100 +++ new/etc/init.d/cryptdisks 2006-01-30 18:51:59.000000000 +0100 @@ -12,6 +12,10 @@ # Default-Start: S # Default-Stop: 0 6 ### END INIT INFO +# +# Modified by Markus Nass <[EMAIL PROTECTED]> +# to use double encrypted key/s by 'openssl'. +# CRYPTCMD=/sbin/cryptsetup DEVMAPCMD=/sbin/dmsetup 
@@ -32,8 +36,52 @@ $DEVMAPCMD mknodes +decrypt() { + OLDUMASK=`umask` + umask 0077 + + for KEY in $KEYS; do + while ( ! openssl enc -aes256 -d -salt -in $SRCPATH/$KEY \ + -out $DSTPATH/$KEY.tmp -k $PASSWORD > /dev/null 2>&1 ); do + echo -n "Password of '$SRCPATH/$KEY': " + read -s PASSWORD; echo + + if [ "$PASSWORD" = "" ]; then + return 0 + fi + done + + while ( ! openssl dsa -in $DSTPATH/$KEY.tmp -out $DSTPATH/$KEY \ + -passin pass:$PASSWORD > /dev/null 2>&1 ); do + echo -n "Password of '$DSTPATH/$KEY.tmp': " + read -s PASSWORD; echo + + if [ "$PASSWORD" = "" ]; then + return 0 + fi + done + done + + rm -f $DSTPATH/*.key.tmp + PASSWORD="" + umask $OLDUMASK +} + case "$1" in start) + if [ ! "$KEYS" = "" ]; then + # Important to decrypt the disk-keys. + if [ "$(grep -c "\/usr" /etc/fstab)" = "1" ] && \ + [ "$(grep -c "\/usr" /etc/mtab)" = "0" ]; then + mount /usr + touch /mounted + fi + + mount -t tmpfs tmpfs $DSTPATH > /dev/null 2>&1 + + test -f /usr/bin/openssl && decrypt + fi + echo -n "Starting crypto disks:" egrep -v "^[[:space:]]*(#|$)" $TABFILE | while read dst src key opt; do echo -n " $dst" @@ -161,6 +209,29 @@ fi fi done + + for MODEVAR in ${!MODE_*}; do + eval MODE=\$$MODEVAR + DEV=${MODEVAR//_/-} + DEV="/dev/mapper/${DEV#MODE-}" + MOD=${MODE#* } + OWN=${MODE% *} + chmod $MOD $DEV + chown $OWN $DEV + done + + for KEY in $KEYS; do + rm -f $DSTPATH/$KEY + done + + umount -f $DSTPATH > /dev/null 2>&1 + + # Important to check and repair the file system. + if [ -f /mounted ]; then + umount -f /usr + rm -f /mounted + fi + echo "." ;; stop)
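Review bot: the DSTPATH comment in the /etc/default/cryptdisks hunk should state that the init script mounts a tmpfs on this path before decrypting and unmounts it again once the devices are set up, so the decrypted keys only ever exist in memory; with the default `DSTPATH=/tmp` a reader cannot tell that from the comment, nor that the key fields in /etc/crypttab must point at `$DSTPATH/<key>` rather than at the encrypted file under SRCPATH. The KEYS comment should also say that each name has to end in `.key`, because the cleanup in the init script only removes `$DSTPATH/*.key.tmp`.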
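Review bot: in the decrypt() hunk both `openssl enc ... -k $PASSWORD` and `openssl dsa ... -passin pass:$PASSWORD` put the passphrase on the command line, where it is readable in the process list by any local account for as long as openssl runs; read it from a descriptor with `-pass fd:` / `-passin fd:` (or `-kfile`) instead. In the start) branch, `mount -t tmpfs tmpfs $DSTPATH > /dev/null 2>&1` discards the mount status, so if the tmpfs mount fails the decrypted keys are written to whatever backs $DSTPATH (the real /tmp by default); check the return value and skip `decrypt` when the mount did not succeed. Smaller points in the same hunk: the `return 0` on an empty password leaves the umask at 0077, leaves a partially written `$DSTPATH/$KEY.tmp` behind and skips the `PASSWORD=""` reset; `$PASSWORD` is unquoted, so a passphrase containing spaces is split into several arguments; `openssl enc -d` with `-aes256` (CBC) only detects a wrong passphrase through a padding error, so roughly one wrong passphrase in 256 passes the first loop and then fails in the second with a misleading prompt for `$KEY.tmp`; `grep -c "\/usr" /etc/fstab` also matches lines such as /usr/local; `read -s` is a bash extension that fails under a POSIX /bin/sh; and `touch /mounted` writes a very generically named marker file into the root filesystem, where a path under /var/run would be the usual choice.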
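Review bot: the cleanup at the end of the start) branch runs `umount -f $DSTPATH` unconditionally, while the tmpfs is only mounted when `$KEYS` is non-empty; with KEYS left commented out (the shipped default) and `DSTPATH=/tmp`, this force-unmounts whatever the administrator has mounted on /tmp. Guard the umount and the `rm -f $DSTPATH/$KEY` loop with the same `[ ! "$KEYS" = "" ]` test used before the mount, or remember whether the mount actually happened. In the MODE_ loop, `${!MODE_*}` and `${MODEVAR//_/-}` are bash-only constructs, and replacing every underscore with a dash means a mapping whose name itself contains an underscore cannot be addressed at all; the loop should also `test -e "$DEV"` before `chmod`/`chown`, otherwise a mistyped MODE_ variable produces errors against a non-existent path during boot.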
createkey.gz
Description: Binary data
signature.asc
Description: Digital signature