Re: udisksctl unlock parameter for keyfiles
Thanks for the discussion so far.

> However, the worrying part here is that in order to do this
> noninteractively, you need to store the cleartext passphrase at a
> place where the cron job can read it. What's the point of encrypting
> your disks when the password is on a (proverbial) sticker right next
> to it?

Multiple reasons can exist for this to be fine. For example, the keyfile (not necessarily a passphrase) might be on a USB stick plugged in and the cron job only succeeds when the person is present, the keyfile itself might be on an encrypted disk and can't easily be taken, or it simply doesn't matter that much because it's not the system that needs protection but the external (removable) drive.

Anyways, it seems that udisksctl doesn't support this feature. Is it difficult to mount an encrypted drive through dbus-send? It seems that there is an awful lot of details in the parameters that need to be just right.

Sebastian

___
devkit-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/devkit-devel
Re: udisksctl unlock parameter for keyfiles
Hello Sebastian,

Sebastian Fischmeister [2012-09-12 9:32 -0400]:
> Anyways, it seems that udisksctl doesn't support this feature.

Right, it always reads passphrases from the terminal.

> Is it difficult to mount an encrypted drive through dbus-send? It
> seems that there is an awful lot of details in the parameters that
> need to be just right.

In that case it seems easier to use libudisks, possibly from introspection. udisks' test suite unlocks/mounts encrypted devices from Python:

http://cgit.freedesktop.org/udisks/tree/src/tests/integration-test#n1096

Martin
-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
Re: udisksctl unlock parameter for keyfiles
Hi,

On Wed, Sep 12, 2012 at 10:09 AM, Martin Pitt wrote:
>> Is it difficult to mount an encrypted drive through dbus-send? It
>> seems that there is an awful lot of details in the parameters that
>> need to be just right.
>
> In that case it seems easier to use libudisks, possibly from
> introspection. udisks' test suite unlocks/mounts encrypted devices
> from Python:
>
> http://cgit.freedesktop.org/udisks/tree/src/tests/integration-test#n1096

We currently only support passphrases, not keyfiles in the Encrypted.Unlock() D-Bus method, see

http://udisks.freedesktop.org/docs/latest/gdbus-org.freedesktop.UDisks2.Encrypted.html#gdbus-method-org-freedesktop-UDisks2-Encrypted.Unlock

However, I'm OK with supporting keyfiles - the way it should work is by introducing something like encrypted.keyfile_contents of type 'ay' (binary blob) in the @options parameter. If we do this we should also just teach udisksctl(1) about it.

Down the road we could even teach the desktop stack about it so you can pick the keyfile dialogs like this (getting it past the GNOME designers might be harder though)

http://people.freedesktop.org/~david/gnome-3-6-unlock-luks.png

Sebastian: please file a bug at

https://bugs.freedesktop.org/enter_bug.cgi?product=udisks

with a reference to this thread and we can take it from there - thanks!

David
Re: udisksctl unlock parameter for keyfiles
Hi,

On Tue, Sep 11, 2012 at 3:17 PM, Sebastian Fischmeister wrote:
> Cryptsetup requires root access and I don't want that for my backup
> mechanism. Also I don't want to call sudo in a cron job. The encrypted
> drive should be mountable by a regular user (e.g., automounting an
> encrypted usb stick every 10 min and copy something onto it; I don't
> want to keep the stick mounted).

For the record, you can implement what you want with sudo(8) or pkexec(1) in a perfectly safe way using a wrapper script. With sudo(8) you'd just add an entry to /etc/sudoers (or drop a file in /etc/sudoers.d) - with pkexec(1), you'd define a polkit action for the wrapper script and write a two-line authorization rule to grant access to your user. The wrapper script would be really simple - just find the device, unlock it, mount it, do the backup... then unmount, unlock, eject or something like this.

The way my personal backup system works is this:

 - I have an eSATA enclosure with 5 x 2TB disks
   - the five disks are in a RAID-5 using Linux Software RAID (MD-RAID)
 - I have configuration for the array in /etc/mdadm.conf
   - so the raid array is assembled when I hotplug the enclosure
 - The RAID-5 array contains a single LUKS device
 - I have configuration in /etc/crypttab
   - with a passphrase-file pointing to /etc/luks/
   - (which is not world-readable, obviously)
   - systemd unlocks the LUKS device when it appears (because option 'auto' is used)
 - The filesystem on the LUKS device is referenced in /etc/fstab to mount it at /mnt/beta
   - systemd automounts the filesystem when it appears (because option 'auto' is used)
 - Right now I just run /mnt/beta/do-backup.sh from a terminal
   - but I could easily have a cronjob
   - or an autorun.sh file to make the desktop prompt me to do the backup

Notably, udisks/gnome-disks supports editing fstab and crypttab files, see

http://davidz25.blogspot.com/2012/03/simpler-faster-better.html

and in GNOME 3.8 / Fedora 19, we'll also support the mdadm.conf / MD-RAID stuff, see

https://plus.google.com/u/0/110773474140772402317/posts/DVPpufUA9ur
http://people.freedesktop.org/~david/gnome-disks-mdraid-20120911-2.png

for work in progress.

Anyway, my point is this - the core OS already contains all the bells and whistles you need to do this.

David
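Added example, not part of the thread and not code from udisks or any poster: the setup above stores a passphrase file referenced from /etc/crypttab and depends on it not being world-readable, so this Python sketch audits a crypttab for key files that are missing, wrongly owned, or readable by group/other. The function names, the sample crypttab entries, device names and key file names are all constructed for illustration.

```python
import os
import stat
import tempfile

def audit_crypttab(path, trusted_uid=0):
    """Return (volume, keyfile, problem) for each weakly protected key file."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()  # columns: name, device, key file, options
            keyfile = fields[2] if len(fields) > 2 else "none"
            if keyfile in ("none", "-"):
                continue  # no stored key: the passphrase is prompted for
            try:
                st = os.lstat(keyfile)  # lstat: a symlinked key file is flagged too
            except OSError as exc:
                findings.append((fields[0], keyfile, f"cannot stat: {exc.strerror}"))
                continue
            if stat.S_ISCHR(st.st_mode):
                continue  # random-key source such as /dev/urandom
            if not stat.S_ISREG(st.st_mode):
                findings.append((fields[0], keyfile, "not a regular file"))
                continue
            if st.st_uid != trusted_uid:
                findings.append((fields[0], keyfile, f"owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                mode = stat.S_IMODE(st.st_mode)
                findings.append((fields[0], keyfile, f"mode {mode:04o} lets group/other in"))
    return findings

def demo():
    """Constructed sample: one tight key file, one world-readable, one missing."""
    with tempfile.TemporaryDirectory() as d:
        for fname, mode in (("good.key", 0o400), ("loose.key", 0o644)):
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(os.urandom(32))
            os.chmod(os.path.join(d, fname), mode)
        tab = os.path.join(d, "crypttab")
        with open(tab, "w", encoding="utf-8") as fh:
            fh.write(f"# constructed entries\nbackup UUID=placeholder {d}/good.key luks\n"
                     f"scratch /dev/sdz1 {d}/loose.key luks\nusb /dev/sdz2 none luks,noauto\n"
                     f"gone /dev/sdz3 {d}/missing.key luks\n")
        return [(n, os.path.basename(k), p) for n, k, p in audit_crypttab(tab, os.getuid())]

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=": ")
```

On a real system, call `audit_crypttab("/etc/crypttab")` as root so the default `trusted_uid=0` applies and the key files can be inspected.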
Re: udisksctl unlock parameter for keyfiles
On Tue, Sep 11, 2012 at 03:17:47PM -0400, Sebastian Fischmeister wrote:
> Cryptsetup requires root access and I don't want that for my backup
> mechanism. Also I don't want to call sudo in a cron job. The encrypted
> drive should be mountable by a regular user (e.g., automounting an
> encrypted usb stick every 10 min and copy something onto it; I don't
> want to keep the stick mounted).

If you have more trust in a suid binary you can try cryptmount. I personally use a combination of:

udisks-glue + ~/.udisks-glue.conf + cryptmount + /etc/cryptmount/cmtab

It's flexible enough to be fed with a passphrase or a keyfile, interactively or not.

good luck
