Package: ssss
Version: 0.5-2
Severity: wishlist

cryptsetup integrates well with initramfs-tools to allow block device decryption from the initramfs to allow booting on an encrypted root filesystem. One common use case there is where the underlying block device uses LUKS headers.

It would be nice to have SSSS available as an option there too, so that the cleartext block device could not be accessed without coordinated cooperation of some number of parties.

This might involve staking out a claim for some configuration space in the LUKS header to indicate that a given keySlot should be unlocked using SSSS instead of (in addition to?) the PBKDF, and then ensuring that ssss-combine (and its dependencies -- gmp?) get tucked into the initramfs.

Some design choices would need to be made:

 * would the output of ssss-combine be the LUKS volume master key itself? or would it be a secret that would unlock a specific keyslot? I'd prefer the latter, as it would make it possible to disable a particular SSSS set by removal of the keyslot (otherwise you'd need to change the master key).

 * how (and where) would you indicate to the initramfs setup system that SSSS is involved?

Sorry that i don't have time to do this myself, i just wanted to put the idea out there for consideration. I would be happy to see this feature integrated, and would be willing to test/review proposed changes.

	--dkg

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ssss depends on:
ii  libc6                   2.11.2-11        Embedded GNU C Library: Shared lib
ii  libgmp3c2               2:4.3.2+dfsg-1   Multiprecision arithmetic library

ssss recommends no packages.

ssss suggests no packages.

-- no debconf information
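The keyslot-versus-master-key design choice raised in the report, as an added sketch that is not part of the original report and is not ssss or cryptsetup code. It assumes a Shamir split over a prime field (not necessarily the arithmetic ssss itself uses) and a toy header whose PBKDF2/XOR key wrap and SHA-256 digest stand in for the real LUKS format; all function and field names are hypothetical.

```python
import hashlib
import secrets

P = 2**521 - 1  # prime field modulus (assumption; ssss uses its own field arithmetic)

def split(secret, k, n):
    """Shamir split of an integer secret: any k of the n shares recover it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0; fewer than k shares yield a wrong value."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def _wrap(secret, salt, data):
    """Toy key wrap: XOR with a PBKDF2-derived key (stand-in for LUKS's real scheme)."""
    kek = hashlib.pbkdf2_hmac("sha256", secret.to_bytes(66, "big"), salt, 1000)
    return bytes(a ^ b for a, b in zip(data, kek))

def add_slot(header, index, master, secret):
    salt = secrets.token_bytes(16)
    header["slots"][index] = (salt, _wrap(secret, salt, master))

def unlock(header, secret):  # returns the master key, or None if no keyslot opens
    for salt, wrapped in header["slots"].values():
        candidate = _wrap(secret, salt, wrapped)
        if hashlib.sha256(candidate).digest() == header["digest"]:
            return candidate
    return None

def demo():
    master = secrets.token_bytes(32)
    header = {"digest": hashlib.sha256(master).digest(), "slots": {}}
    passphrase = int.from_bytes(b"constructed passphrase", "big")
    add_slot(header, 0, master, passphrase)          # ordinary PBKDF keyslot
    slot_secret = secrets.randbelow(P)               # what ssss-combine would output
    shares = split(slot_secret, 3, 5)
    add_slot(header, 1, master, slot_secret)         # keyslot unlocked by the share set
    quorum = unlock(header, combine(shares[1:4])) == master
    too_few = unlock(header, combine(shares[:2]))
    del header["slots"][1]                           # revoke the share set only
    revoked = unlock(header, combine(shares[:3]))
    return quorum, too_few, revoked, unlock(header, passphrase) == master
```

Deleting keyslot 1 invalidates every share of that set while the master key and the passphrase keyslot stay unchanged, which is the property the report prefers over having ssss-combine output the master key directly.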