On 19/03/2008 Christian Pernegger wrote:

> I'd like to be able to use a small USB stick as a physical "key" to my
> system. There are various mini-HOWTOs and keyscripts floating around
> that describe people's custom implementations of this but I think
> having this as a supported feature in Debian would be better than a
> bunch of custom solutions.
Hey Christian,

Feel free to provide patches for your suggested implementation. At least you should provide exact documentation about how to implement it.

> The following functionality would be needed:
>
> 1) A small tool that prepares a USB stick (or other removable media)
> to be used as the "key". There are of course various ways to put the key
> onto the media; at the moment I'm favouring
>
> - wipe the stick using badblocks -w -t random or dd if=/dev/urandom
> - make a filesystem on the stick, possibly on a partition if it is
>   customary to partition them. This would probably be VFAT. The
>   partition / filesystem should be *slightly smaller* than the media,
>   leaving a few bytes of space, probably at the end.
> - put a UUID / magic number at the start of the free space
> - create the key(s) by dd-ing it / them directly from /dev/random to the free
>   space on the media at intervals.
> - add this key as a LUKS key.

Sounds like an interesting approach, but - as already mentioned - please at least describe step by step how to actually implement that.

> 2) A keyscript that looks for the UUID / magic number on candidate
> media and reads the appropriate key. The key field in /etc/crypttab
> that's passed as the parameter would be of the form 'UUID:keynumber'.
>
> The keyscript should fall back to passphrase input on console when the
> correct key is not found. That adds a safety net for a lost USB key IF
> you have a passphrase key defined as well.
>
> I realize this scheme is rather elaborate, I'd settle for a documented
> and shipped-by-default keyscript that can mount partitions by
> (filesystem) UUID and read the key from there.

greetings,
jonas
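As an added example that is neither from this thread nor from Debian's cryptsetup package, here is a POSIX sh sketch of the keyscript half of Christian's proposal (the lookup by magic number and keynumber, with the console fallback). The on-media layout is my own assumption: the filesystem stops FREE bytes before the end of the media, the free area starts with the UUID as a 36-byte ASCII magic, and 32-byte keys follow it at fixed intervals; /dev/disk/by-id/usb-*-part1 as the candidate list and /lib/cryptsetup/askpass as the fallback prompt are assumptions too, and the test image with its fixed keys is constructed so the lookup can be checked offline.

```shell
#!/bin/sh
# Added example (not from the thread, not Debian's code). Assumed layout:
# the filesystem ends FREE bytes before the end of the media; the free area
# begins with the UUID as a 36-byte ASCII magic, and key N sits at offset
# MAGICLEN + N*KEYLEN after that. crypttab passes 'UUID:keynumber' as $1.
KEYLEN=32      # bytes per key (filled from /dev/random when the stick is prepared)
MAGICLEN=36    # length of a textual UUID
FREE=4096      # bytes left unused after the filesystem
# Candidate media: /dev/disk/by-id/usb-*-part1 is a udev naming assumption; override for tests.
CANDIDATES=${CANDIDATES:-$(ls /dev/disk/by-id/usb-*-part1 2>/dev/null)}

tohex() { od -An -tx1 -v | tr -d ' \n'; }   # compare bytes without NUL trouble
media_size() { if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi; }

# find_key DEV UUID N: print key N on stdout if DEV carries the magic, else return 1.
find_key() {
  dev=$1 uuid=$2 num=$3
  start=$(( $(media_size "$dev") - FREE ))
  magic=$(dd if="$dev" bs=1 skip="$start" count="$MAGICLEN" 2>/dev/null | tohex)
  [ "$magic" = "$(printf '%s' "$uuid" | tohex)" ] || return 1
  dd if="$dev" bs=1 skip=$(( start + MAGICLEN + num * KEYLEN )) count="$KEYLEN" 2>/dev/null
}

# Entry point as cryptsetup calls a keyscript: key bytes on stdout, or the
# passphrase fallback the thread asks for when no candidate carries the magic.
keyscript() {
  uuid=${1%%:*}; num=${1#*:}
  for dev in $CANDIDATES; do
    [ -e "$dev" ] || continue
    find_key "$dev" "$uuid" "$num" && return 0
  done
  /lib/cryptsetup/askpass "No USB key for $uuid found, enter passphrase: "
}

# Constructed test image: 8192 zero bytes standing in for the filesystem, then
# the free area holding the magic and two fixed keys (all 'A', all 'B').
make_test_image() {
  { dd if=/dev/zero bs=8192 count=1; printf '%s' "$2"
    printf 'AAAAAAAA%.0s' 1 2 3 4; printf 'BBBBBBBB%.0s' 1 2 3 4
    dd if=/dev/zero bs=$(( FREE - MAGICLEN - 2 * KEYLEN )) count=1; } >"$1" 2>/dev/null
}
```

The preparation tool from item 1 would create the slightly smaller filesystem first and then write the magic and the /dev/random keys into the free area; this script only reads, and a stick that does not carry the magic simply falls through to the passphrase prompt.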