Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
User mounted LUKS device
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
gabrielg
Tux's lil' helper
Tux's lil' helper


Joined: 16 Nov 2012
Posts: 134

PostPosted: Sat Dec 28, 2013 7:07 pm    Post subject: User mounted LUKS device Reply with quote

Hi,

I may be a bit greedy here, but this is what I am trying to achieve: similarly to what truecrypt says it does, I want to be able to have an encrypted file that I can format with LUKS with cryptsetup and mount it somewhere in my home dir. This is a simple task with root, but I can't manage to do it with user privileges.

Is there any way of achieving this? Or am I asking too much? cryptsetup ends up failing saying that device-mapper can't be called with a non-root user, and I need to mount/unmount this encrypted device at will.

I've been using truecrypt until now, but I want to ideally use cryptsetup with LUKS. I don't want to use GPG as I find it a bit less secure for just opening an encrypted file, reading/changing it, and then closing it.

Thanks!
Back to top
View user's profile Send private message
schorsch_76
Guru
Guru


Joined: 19 Jun 2012
Posts: 450

PostPosted: Sat Dec 28, 2013 8:46 pm    Post subject: Reply with quote

Even truecrypt uses sudo to raise the rights.

my script is as following.

Code:
cat /usr/local/bin/open-extern.sh
#!/bin/sh
sudo cryptsetup luksOpen /dev/disk/by-uuid/xxxx extern_crypt && sudo vgchange -ay && sudo mount -t ext4 /dev/extern/data /home/me/extern
Back to top
View user's profile Send private message
gabrielg
Tux's lil' helper
Tux's lil' helper


Joined: 16 Nov 2012
Posts: 134

PostPosted: Sun Dec 29, 2013 1:20 am    Post subject: Reply with quote

Thanks - that's what I feared. I'll just use sudo I guess. No encryption for the poor ;-)
Back to top
View user's profile Send private message
Kompi
Apprentice
Apprentice


Joined: 05 Oct 2002
Posts: 252
Location: Germany

PostPosted: Sun Dec 29, 2013 1:01 pm    Post subject: Reply with quote

Don't know if that is what you want, but if you want the encrypted volume always mounted when you are logged in, you may use pam_mount to mount it at login time. Either have the LUKS password the same as you login pw, or you will be asked twice for a password when you login.

See: gentoo-wiki.info: HOWTO_Encrypt_Your_Home_Directory_Using_LUKS_and_pam_mount
Back to top
View user's profile Send private message
gabrielg
Tux's lil' helper
Tux's lil' helper


Joined: 16 Nov 2012
Posts: 134

PostPosted: Sun Dec 29, 2013 2:16 pm    Post subject: Reply with quote

Thanks, and not really :-)

OK - I'll expand a bit more on the use case: all I want is to have a volume for a couple of files, which will be password files. I want access to them only when I want to type a password, and I want the underlying OS components to look after me, such as use protected memory, don't leave plain text in any cache, etc..

For the time being, I'll use root privileges.
Back to top
View user's profile Send private message
Kompi
Apprentice
Apprentice


Joined: 05 Oct 2002
Posts: 252
Location: Germany

PostPosted: Sun Dec 29, 2013 3:06 pm    Post subject: Reply with quote

I found this tool that claims it allows mounting without root privilege. I could not figure out that quick how it does that though:

http://cryptmount.sourceforge.net/

there's an ebuild in a layman overlay, here:

http://gpo.zugaina.org/sys-fs/cryptmount


There may be another way to mount encrypted partitions as a user by using a combination of udisks and polkit. The command line tool udisksctl uses polkit to give a user permissions to mount a file system.

You can decrypt and then mount the volume by:

Code:
udisksctl unlock /dev/mapper/<VOLUME>
udisksctl mount /dev/<DM_DEVICE> <MNT_POINT>


With the default polkit config this will prompt for the root password to grant the neccessary permissions to perform this actions via polkit. I guess you would just have to add a policy file to /etc/polkit-1/rules.d/ to grant your user these privileges without root password. (something like is done for mounts here http://wiki.gentoo.org/wiki/Polkit#Rules).


One more off topic suggestion that could accomplish what you want in another way: You may have a look at keepassX, which is a GUI to handle and store passwords in an encrypted file: https://www.keepassx.org/. Should do what you described above. However, would not help if you want access from the console as well.
Back to top
View user's profile Send private message
gabrielg
Tux's lil' helper
Tux's lil' helper


Joined: 16 Nov 2012
Posts: 134

PostPosted: Mon Dec 30, 2013 9:51 am    Post subject: Reply with quote

Thanks, Kompi, I'll try to port this as I'd need it in Gentoo and a device with ARM that runs a Linux based on Mer.
Back to top
View user's profile Send private message
mhogomchungu
n00b
n00b


Joined: 18 May 2013
Posts: 19

PostPosted: Sat Jan 25, 2014 1:18 am    Post subject: Reply with quote

There is this project here[1] that will allow you to do what you want.

The default behavior is to create a mount point in "/run/media/private/$USER" but there is a compile time option to create a mount point in user directory.

The program will allow you to open your encrypted volumes from a normal user account using provided CLI tools or,if you prefer,through provided GUI tools.

If you are to try it out,try the git version.Its practically the new version scheduled to be released on the first of next month.


[1] http://code.google.com/p/zulucrypt/
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2569

PostPosted: Sat Jan 25, 2014 1:36 am    Post subject: Reply with quote

is it always the same file? maybe you could script it, chown root:you, and chmod 4750.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum