Package: cryptsetup
Version: 2:1.6.6-5
Severity: wishlist

Dear Maintainer,

I use cryptsetup so that I can send disks for repairs without worrying about confidential data on the disks.

I would love to use cryptsetup on servers, but I need to be able to reboot the servers without having to enter the passphrase.

It would be ideal to me if I could simply have a small USB stick containing a passphrase that will unlock the disk. Not only would that be handy for servers (where you could leave the USB stick in the server), it would also be great for my laptop: Insert the USB stick when booting and remove it after unlocking the cryptodisk.

I have now written a patch that will search all devices for the file 'cryptkey.txt' and try decrypting with each line as a key.

The patch is released under the same license as /usr/share/initramfs-tools/scripts/local-top/cryptroot

I am aware of the “passdev” keyscript (/usr/share/doc/cryptsetup/README.initramfs.gz section 10). My patch has the following advantages:

* It searches every partition being connected. This gives 2 advantages:
  - You do not need to change the line in cryptsetup, but can have that be the same for all servers.
  - You do not need to remember the label of the USB-disk if the USB-disk breaks.
* It tries all lines as a key. This way you can unlock many machines with different keys with a single USB-disk.
* It is easy to get working. Creating a USB-disk with the key can be done on a Microsoft Windows machine with no special software. So even beginners can do this.
* It is safe: Trying to get passdev to work I managed to make my server unbootable - it got stuck in a loop looking for the USB-disk, and it never gave me the option to enter the key manually even though I had put in a 10 seconds timeout. It took an hour to get the system working again - and I never got passdev to work. With my patch you simply enter the passphrase as normal, if the automation fails.

(I was unable to reopen https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746806)

/Ole

-- Package-specific info:

-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.16.0-4-amd64 root=/dev/mapper/nlv-root ro quiet

-- /etc/crypttab
#sda5_crypt UUID=b5da252b-d4ce-4c8b-9274-1dc6b53cbf5b none luks
luks-b5da252b-d4ce-4c8b-9274-1dc6b53cbf5b UUID=b5da252b-d4ce-4c8b-9274-1dc6b53cbf5b none luks

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/nlv-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=944f19d7-138a-4270-b42f-a5322a57b047 /boot ext2 defaults 0 2
/dev/mapper/nlv-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /media/usb0 auto rw,user,noauto 0 0
/dev/sdb2 /media/usb1 auto rw,user,noauto 0 0
#LABEL=freeagent /mnt/freeagent auto rw,relatime,data=journal,auto 0 0
LABEL=freeagent /mnt/freeagent auto rw,relatime,data=ordered,auto 0 0
#LABEL=freeagent /mnt/freeagent auto rw,relatime,data=writeback,auto 0 0
tmpfs /mnt/ram tmpfs rw,noexec,nosuid,size=5%,mode=1777 0 0

-- lsmod

-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.6.6-5
ii debconf [debconf-2.0] 1.5.56
ii dmsetup 2:1.02.90-2.2+deb8u1
ii libc6 2.19-18+deb8u9

Versions of packages cryptsetup recommends:
ii busybox 1:1.22.0-9+deb8u1
ii console-setup 1.123
ii initramfs-tools [linux-initramfs-tool] 0.120+deb8u3
ii kbd 1.15.5-2

Versions of packages cryptsetup suggests:
ii dosfstools 3.0.27-1
pn keyutils <none>
ii liblocale-gettext-perl 1.05-8+b1

-- debconf information excluded
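
The behaviour the report describes (look for 'cryptkey.txt' on each candidate filesystem, try every line as a key, fall back to the normal prompt) can be sketched as follows. This is an added example, not the reporter's patch and not cryptsetup's own code: `find_key`, the `TRY_KEY` hook and the sample keys are assumptions, the candidate filesystems are assumed to be mounted already, and the default tester assumes a current cryptsetup release.

```shell
#!/bin/sh
# Added illustration, not the patch from the report. cryptkey.txt is the
# file name the report gives; find_key, TRY_KEY and the sample keys are
# assumptions made for this example.
KEYFILE_NAME=cryptkey.txt

# Default tester: let cryptsetup check the passphrase without mapping the
# device. The candidate travels on stdin, so it never shows up in argv.
try_key_cryptsetup() {
    printf '%s' "$2" | cryptsetup open --test-passphrase --key-file=- "$1"
}

# find_key DEVICE DIR...: DIRs are already-mounted candidate filesystems.
# Prints the first line of DIR/cryptkey.txt that the tester accepts for
# DEVICE (a crypttab keyscript hands its key over on stdout the same way);
# returns 1 when nothing matches so the caller can prompt as usual.
find_key() {
    dev=$1; shift
    cr=$(printf '\r')
    for dir in "$@"; do
        f=$dir/$KEYFILE_NAME
        [ -f "$f" ] && [ -r "$f" ] || continue
        # "|| [ -n ... ]" keeps a final line that lacks a newline.
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%"$cr"}          # file saved on Windows: CRLF
            [ -n "$line" ] || continue  # blank lines are not keys
            if "${TRY_KEY:-try_key_cryptsetup}" "$dev" "$line" </dev/null
            then
                printf '%s\n' "$line"
                return 0
            fi
        done <"$f"
    done
    return 1
}

# Demo on constructed data: a stub tester stands in for cryptsetup.
demo_try() { [ "$2" = "key-for-this-host" ]; }
demo() {
    d=$(mktemp -d) || return 1
    printf 'key-for-other-host\r\nkey-for-this-host\r\n' >"$d/$KEYFILE_NAME"
    TRY_KEY=demo_try
    find_key /dev/constructed "$d"; rc=$?
    unset TRY_KEY
    rm -rf "$d"
    return $rc
}
demo
```

A file saved by a Windows editor may also begin with a UTF-8 byte-order mark, which this sketch does not strip, so the first line of such a file would not match.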