gabrielg Tux's lil' helper
Joined: 16 Nov 2012 Posts: 134
Posted: Sat Dec 28, 2013 7:07 pm Post subject: User mounted LUKS device
Hi,
I may be a bit greedy here, but this is what I am trying to achieve: similarly to what truecrypt says it does, I want to be able to have an encrypted file that I can format with LUKS with cryptsetup and mount it somewhere in my home dir. This is a simple task with root, but I can't manage to do it with user privileges.
Is there any way of achieving this? Or am I asking too much? cryptsetup ends up failing saying that device-mapper can't be called with a non-root user, and I need to mount/unmount this encrypted device at will.
I've been using truecrypt until now, but I want to ideally use cryptsetup with LUKS. I don't want to use GPG as I find it a bit less secure for just opening an encrypted file, reading/changing it, and then closing it.
Thanks!

schorsch_76 Guru
Joined: 19 Jun 2012 Posts: 450
Posted: Sat Dec 28, 2013 8:46 pm Post subject:
Even truecrypt uses sudo to raise the rights.
My script is as follows.
Code:
cat /usr/local/bin/open-extern.sh
#!/bin/sh
sudo cryptsetup luksOpen /dev/disk/by-uuid/xxxx extern_crypt && sudo vgchange -ay && sudo mount -t ext4 /dev/extern/data /home/me/extern

gabrielg Tux's lil' helper
Joined: 16 Nov 2012 Posts: 134
Posted: Sun Dec 29, 2013 1:20 am Post subject:
Thanks - that's what I feared. I'll just use sudo I guess. No encryption for the poor

Kompi Apprentice
Joined: 05 Oct 2002 Posts: 252 Location: Germany
Posted: Sun Dec 29, 2013 1:01 pm Post subject:
Don't know if that is what you want, but if you want the encrypted volume always mounted when you are logged in, you may use pam_mount to mount it at login time. Either have the LUKS password the same as your login pw, or you will be asked twice for a password when you log in.
See: gentoo-wiki.info: HOWTO_Encrypt_Your_Home_Directory_Using_LUKS_and_pam_mount

gabrielg Tux's lil' helper
Joined: 16 Nov 2012 Posts: 134
Posted: Sun Dec 29, 2013 2:16 pm Post subject:
Thanks, and not really
OK - I'll expand a bit more on the use case: all I want is to have a volume for a couple of files, which will be password files. I want access to them only when I want to type a password, and I want the underlying OS components to look after me, such as using protected memory, not leaving plain text in any cache, etc.
For the time being, I'll use root privileges.

Kompi Apprentice
Joined: 05 Oct 2002 Posts: 252 Location: Germany
Posted: Sun Dec 29, 2013 3:06 pm Post subject:
I found this tool that claims it allows mounting without root privilege. I could not figure out that quickly how it does that, though:
http://cryptmount.sourceforge.net/
There's an ebuild in a layman overlay, here:
http://gpo.zugaina.org/sys-fs/cryptmount
There may be another way to mount encrypted partitions as a user by using a combination of udisks and polkit. The command line tool udisksctl uses polkit to give a user permissions to mount a file system.
You can decrypt and then mount the volume by:
Code:
# udisksctl takes the device through -b (--block-device)
udisksctl unlock -b /dev/mapper/<VOLUME>
# udisksctl mount accepts no mount point argument; udisks chooses the mount point and prints it
udisksctl mount -b /dev/<DM_DEVICE>
With the default polkit config this will prompt for the root password to grant the necessary permissions to perform these actions via polkit. I guess you would just have to add a policy file to /etc/polkit-1/rules.d/ to grant your user these privileges without root password (something like what is done for mounts here: http://wiki.gentoo.org/wiki/Polkit#Rules).
One more off-topic suggestion that could accomplish what you want in another way: You may have a look at keepassX, which is a GUI to handle and store passwords in an encrypted file: https://www.keepassx.org/. Should do what you described above. However, would not help if you want access from the console as well.
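
A polkit rule of the kind the post above describes, as an added example that is not part of the original post or of the polkit or udisks projects' own code. The group name `plugdev` and the file name in the comment are assumptions; the `-system` action variants are left out so that system devices keep requiring administrator authentication.

```javascript
// Added example: contents for a polkit rules file, e.g.
// /etc/polkit-1/rules.d/10-udisks-luks.rules (file name is an assumption).
// polkit evaluates rules files as JavaScript.

// Assumed group whose members may unlock and mount without admin authentication.
var ALLOWED_GROUP = "plugdev";

// udisks2 actions behind `udisksctl unlock` and `udisksctl mount`.
// The "-system" variants are deliberately not listed.
var ALLOWED_ACTIONS = [
    "org.freedesktop.udisks2.encrypted-unlock",
    "org.freedesktop.udisks2.filesystem-mount"
];

// Inside polkit the constant is polkit.Result.YES (the string "yes");
// the fallback lets the rule be exercised outside polkit.
var YES = (typeof polkit !== "undefined") ? polkit.Result.YES : "yes";

function luksUserRule(action, subject) {
    if (ALLOWED_ACTIONS.indexOf(action.id) === -1) {
        return undefined;   // not handled: other rules and defaults decide
    }
    if (!subject.local || !subject.active) {
        return undefined;   // only a local, active session qualifies
    }
    if (!subject.isInGroup(ALLOWED_GROUP)) {
        return undefined;   // everyone else still gets the password prompt
    }
    return YES;
}

// Register the rule only when loaded by polkit itself.
if (typeof polkit !== "undefined") {
    polkit.addRule(luksUserRule);
}
```

Returning `undefined` rather than a "no" result keeps the rule narrow: any request it does not match falls through to the distribution's default policy.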
gabrielg Tux's lil' helper
Joined: 16 Nov 2012 Posts: 134
Posted: Mon Dec 30, 2013 9:51 am Post subject:
Thanks, Kompi, I'll try to port this as I'd need it in Gentoo and a device with ARM that runs a Linux based on Mer.

mhogomchungu n00b
Joined: 18 May 2013 Posts: 19
Posted: Sat Jan 25, 2014 1:18 am Post subject:
There is this project here[1] that will allow you to do what you want.
The default behavior is to create a mount point in "/run/media/private/$USER" but there is a compile time option to create a mount point in the user directory.
The program will allow you to open your encrypted volumes from a normal user account using provided CLI tools or, if you prefer, through provided GUI tools.
If you are to try it out, try the git version. It's practically the new version scheduled to be released on the first of next month.
[1] http://code.google.com/p/zulucrypt/

1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Sat Jan 25, 2014 1:36 am Post subject:
Is it always the same file? Maybe you could script it, chown root:you, and chmod 4750.