Gentoo Forums
Open second LUKS partition with derived key
cypher_err
n00b


Joined: 12 Mar 2015
Posts: 7

Posted: Fri Mar 13, 2015 7:31 pm    Post subject: Open second LUKS partition with derived key

Is it possible to open a second LUKS partition with a key which is derived from the first partition which in turn is decrypted by entering a password?

I know how to do it with systems which use /etc/crypttab but since I use OpenRC I don't know if it is possible.

Other distros can derive a key from a decrypted partition with the command
Code:

/lib/cryptsetup/scripts/decrypt_derived


Last edited by cypher_err on Fri Mar 13, 2015 10:12 pm; edited 1 time in total
tclover
Guru


Joined: 10 Apr 2011
Posts: 516

Posted: Fri Mar 13, 2015 9:31 pm    Post subject:

Err, you mean using a keyfile crypted with dm-crypt LUKS? Of course, you can. It's described over there dm-crypt LUKS. If used with rootfs... you should be using a proper initramfs (follow the link on my sig.) I am not sure the dmcrypt init script manages that kind of keyfile although it does support GnuPG crypted keyfile. But you could hack the init script... it's a little complicated at first sight--this is a warning for an init script noob--but pretty doable quickly.
_________________
home/:mkinitramfs-ll/:supervision/:e-gtk-theme/:overlay/
inf1nity
n00b


Joined: 05 Apr 2015
Posts: 1

Posted: Sun Apr 05, 2015 3:30 pm    Post subject:

Hi tclover,

I think cypher_err wanted to use a derived key from a per-password unlocked luks device so that the remaining devices wouldn't have to be manually opened.

https://help.ubuntu.com/community/encryptedZfs

for example uses the script /lib/cryptsetup/scripts/decrypt_derived, see also http://apt-browse.org/browse/ubuntu/trusty/main/amd64/cryptsetup/2%3A1.6.1-1ubuntu1/file/lib/cryptsetup/scripts/decrypt_derived , to accomplish this. They then have something like a dmcrypt file which lists the devices to be treated by the initramfs:

target=vault_crypt,source=UUID=<uuid-/dev/sd?-vault1_crypt-crypt_LUKS-no-quotes>,keyscript=/scripts/luks/get.root_crypt.decrypt_derived

While genkernel and mkinitramfs-ll support keyfiles, as far as I could find out, I am missing something like this.

The reason why I write in here and hope you can help me is that I intend to accomplish the following setup:

/dev/sda1 luks & /dev/sdb1 luks -> zfs mirror -> boot ROOT and only want to enter the password once at boot-time.

Should you be the author of mkinitramfs-ll, could you please tell me how this would be possible?

Thanks!
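The derived-key idea discussed in this thread, as an added example that is not part of any post here nor any distribution's own script: it reads the volume key of the already-open mapping from `dmsetup table --showkeys` and passes it to `cryptsetup` for the second device. The function names, the mapping and device arguments, and the sample table lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `dmsetup table --target crypt --showkeys <mapping>` output.
# Fields: start length "crypt" cipher key iv_offset device offset
SAMPLE_HEX='0 1998848 crypt aes-xts-plain64 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 0 8:1 4096'
# Constructed sample where the key is held in the kernel keyring: the key
# field is a keyring reference, so there is no hex key to derive from.
SAMPLE_KEYRING='0 1998848 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 8:1 32768'

# extract_key TABLE_LINE
# Print the hex key (5th field) of a crypt target line; return non-zero otherwise.
extract_key() {
    key=$(printf '%s\n' "$1" | awk '$3 == "crypt" { print $5; exit }')
    case "$key" in
        '')  echo "extract_key: not a crypt target" >&2; return 1 ;;
        :*)  echo "extract_key: key is in the kernel keyring" >&2; return 2 ;;
        *[!0-9a-fA-F]*) echo "extract_key: unexpected key field" >&2; return 3 ;;
    esac
    printf '%s' "$key"
}

# derive_key OPEN_MAPPING
# Read the live table of an open mapping (needs root) and print its key as hex text.
derive_key() {
    table=$(dmsetup table --target crypt --showkeys -- "$1") || return 1
    extract_key "$table"
}

# open_second OPEN_MAPPING DEVICE NEW_NAME
# Open DEVICE as NEW_NAME using the key derived from OPEN_MAPPING.
# The key is held in a shell variable and piped, never written to disk.
open_second() {
    derived=$(derive_key "$1") || return 1
    printf '%s' "$derived" | cryptsetup open --type luks --key-file - "$2" "$3"
}

# Example call from a local start-up script, after the first volume is open
# (names are placeholders):
#   open_second root_crypt /dev/sdb1 vault_crypt
```

The derived key only opens the second device once it has been enrolled in one of that device's key slots with `cryptsetup luksAddKey`. Anyone who can read the first mapping's table as root can reproduce the key, so the second volume is exactly as protected as the first one while it is open.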