Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Storing luks passphrase in a variable during early boot
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
bernhardd
n00b
n00b


Joined: 31 Aug 2012
Posts: 8

PostPosted: Fri Aug 31, 2012 7:57 pm    Post subject: Storing luks passphrase in a variable during early boot Reply with quote

Hi,

I have two luks partitions for root and swap with the same passphrase. Is it unsafe to read the passphrase into a variable and pipe it to cryptsetup in the initramfs init script:

Code:

#!/bin/busybox sh

KMAP=binay keymap file
CRYPT_ROOT_UUID=uuid of the root partition
CRYPT_SWAP_UUID=uuid of the swap partition

mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev

loadkmap < /etc/$KMAP

read -s PASSP
echo "$PASSP" | /sbin/cryptsetup luksOpen $(findfs UUID=$CRYPT_ROOT_UUID) root
echo "$PASSP" | /sbin/cryptsetup luksOpen $(findfs UUID=$CRYPT_SWAP_UUID) swap

SWAP_MAJ=$(stat -c 0x%t /dev/mapper/swap)
SWAP_MIN=$(stat -c 0x%T /dev/mapper/swap)
echo $((SWAP_MAJ)):$((SWAP_MIN)) > /sys/power/resume

mount -o ro /dev/mapper/root /mnt/root

umount /proc
umount /sys
umount /dev

exec switch_root /mnt/root /sbin/init


What happens to PASSP after the switch to real root?
Back to top
View user's profile Send private message
cach0rr0
Moderator
Moderator


Joined: 13 Nov 2008
Posts: 4121
Location: Houston, Republic of Texas

PostPosted: Fri Aug 31, 2012 8:38 pm    Post subject: Reply with quote

it should not be unsafe to do this
a keyfile store in memory is a keyfile stored in memory, whether it's before or after you switch_root

doing this doesnt open you up to any *new* attacks, but there still exists the possibility of men i black suits taking something really cold to your memory sticks, dumping them, and analyzing the dump for your cleartext key at their leisure

protecting against that requires something like TRESOR, but I'm not terribly convinced I trust TRESOR yet.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
Back to top
View user's profile Send private message
bernhardd
n00b
n00b


Joined: 31 Aug 2012
Posts: 8

PostPosted: Fri Aug 31, 2012 9:59 pm    Post subject: Reply with quote

Thanks for your help cach0rr0. If I get you right the passphrase will stay in memory after early boot, but won't be accessbile through PASSP from inside the booted OS. Nor will it find its way into the OS by logging or something like that.
Back to top
View user's profile Send private message
cach0rr0
Moderator
Moderator


Joined: 13 Nov 2008
Posts: 4121
Location: Houston, Republic of Texas

PostPosted: Fri Aug 31, 2012 11:13 pm    Post subject: Reply with quote

bernhardd wrote:
Thanks for your help cach0rr0. If I get you right the passphrase will stay in memory after early boot, but won't be accessbile through PASSP from inside the booted OS. Nor will it find its way into the OS by logging or something like that.


if you were to pass the variable to ${PASSP} to /sbin/init in your switch_root statement, it would be available/visible to the OS
otherwise, it will not.

again though, it doesn't make a ton of difference as far as the recoverability of the key goes.
the key is still going to be cleartext in memory, whether it's the initramfs storing it as a variable, or the OS storing it in memory after switch_root

so in either case, if someone can read your memory, they can read your key.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
Back to top
View user's profile Send private message
bernhardd
n00b
n00b


Joined: 31 Aug 2012
Posts: 8

PostPosted: Sat Sep 01, 2012 8:16 am    Post subject: Reply with quote

Thanks.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum