Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
How to automagically unlock luks crypted partition?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
ernov
n00b
n00b


Joined: 28 May 2010
Posts: 55

PostPosted: Sat Jun 19, 2010 7:51 am    Post subject: How to automagically unlock luks crypted partition? Reply with quote

Hi, I've set up encrypted partition to manage it by LUKS, added to /etc/conf.d/dmcrypt. The correct /dev/mapper file is created OK, dmcrypt starts on boot and asks password to unlock partition. Now I need it to be unlocked automatically at boot by some mechanism.
I've tried pam_mount, as in the doc from wiki, but it doesn't work.

How do you make automatic unlocking partitions on your boxes?
Back to top
View user's profile Send private message
cach0rr0
Bodhisattva
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sat Jun 19, 2010 8:56 am    Post subject: Reply with quote

do it based on an on-disk key rather than a passphrase. I personally keep my keys on a USB thumb drive (rather, it's a micro-sd in a USB adapter - a micro-sd can be swallowed, implanted under the skin, or crushed, if anyone comes banging on my door!)

http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt#Further_tweaks_for_USB_keyfile_authentication

works beautifully for me, full volume crypto

Code:

$ sudo mount |grep mapper
/dev/mapper/root on / type ext3 (rw)
/dev/mapper/share on /share type xfs (rw,nodev,logbufs=8)
/dev/mapper/kvm on /kvm type btrfs (rw)
/dev/mapper/btrfsvol on /tmp type btrfs (rw,nodev,noatime,subvol=tmp)
/dev/mapper/btrfsvol on /usr type btrfs (rw,nodev,noatime,subvol=usr,compress)
/dev/mapper/btrfsvol on /var type btrfs (rw,noatime,subvol=var,compress)
/dev/mapper/btrfsvol on /opt type btrfs (rw,noatime,subvol=opt)
/dev/mapper/btrfsvol on /home type btrfs (rw,nosuid,nodev,noatime,subvol=home,compress)

_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
Back to top
View user's profile Send private message
lxg
Veteran
Veteran


Joined: 12 Nov 2005
Posts: 1019
Location: Aachen, Germany

PostPosted: Sat Jun 19, 2010 9:31 am    Post subject: Reply with quote

I agree this is a good setup ... However, I would always recommend to have a passphrase setup as a backup. This is one of the key features of LUKS, having more than one key to the same ressource. Because elsewise, if you when your SD card or USB device dies, your data goes with them.

Therefore: Set up the USB/SD stuff and then immediately add another key slot with a passphrase. Then write the passphrase down, and store it in a *very* safe place. (Or don't write it down at all, and memorize it.)
_________________
lxg.de – codebits and tech talk
Back to top
View user's profile Send private message
ernov
n00b
n00b


Joined: 28 May 2010
Posts: 55

PostPosted: Sat Jun 19, 2010 12:37 pm    Post subject: Reply with quote

I'd rather stay with passphrase(s), so how exactly do you do automatical unlocking of encrypted volume?
Back to top
View user's profile Send private message
lxg
Veteran
Veteran


Joined: 12 Nov 2005
Posts: 1019
Location: Aachen, Germany

PostPosted: Sat Jun 19, 2010 4:43 pm    Post subject: Reply with quote

Er … when you're working with passphrases, you have to do the unlocking manually – namely by entering the passphrase. ;)
_________________
lxg.de – codebits and tech talk
Back to top
View user's profile Send private message
ernov
n00b
n00b


Joined: 28 May 2010
Posts: 55

PostPosted: Sat Jun 19, 2010 4:59 pm    Post subject: Reply with quote

So what is this all pam_mount about?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 16043

PostPosted: Sat Jun 19, 2010 7:53 pm    Post subject: Reply with quote

lxg wrote:
Er … when you're working with passphrases, you have to do the unlocking manually – namely by entering the passphrase. ;)
Yes and no. To secure the system, it must not be possible for the system to boot and mount the encrypted volumes unattended. Requiring a passphrase satisfies this condition. The idea of pam_mount is that the user's password allows him to login and also to automatically decrypt the key material that protects the encrypted volume. This allows the user to enter one password instead of two: account password and container password. Technically, this means the volume does not mount at boot, but rather mounts when the relevant user logs in.

As I read the documentation, there is no need to involve /etc/conf.d/dmcrypt at all if you want the volume to be managed by pam_mount. ernov, could you post your pam_mount configuration and elaborate on how it does not work as you desire?
Back to top
View user's profile Send private message
ernov
n00b
n00b


Joined: 28 May 2010
Posts: 55

PostPosted: Sat Jun 19, 2010 8:28 pm    Post subject: Reply with quote

Quote:
This allows the user to enter one password instead of two: account password and container password.

Yes! That's what I need. I can't imagine situation when I would need to give different passwords for every volume I'd like to open...

It's the pam_mount conf: http://pastebin.com/E6u4HxSn (alternative link cause pastebin.com seems to malfunction: http://pastebin.pl/25519). I admit I can't understand pam at all. I just want to secure my harddisk in case of stealing and prevent reading of it contents.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum