Hello, I'm trying to communicate with the maintainers of cryptsetup for Ubuntu. If you are not the correct party please direct me to the appropriate party. Thank you.

With regards to cryptsetup for Ubuntu; great stuff. Thanks for all the efforts in supporting encrypted systems.

I've identified that the current cryptroot scripts are capable of utilizing keys on a separate storage device via the options 'key' and 'keyscript'. I've implemented a Two Form factor system authentication utilizing a USB CryptKey. Unfortunately, the 'local-top/cryptroot' is unable to process a keyscript that requires user input and other i/o redirections. I struggled back and forth with using the existing infrastructure but was unable to effect a remedy. In the end I added a switch 'twoform' to supply via crypttab. This additional switch triggers logic which allows for additional user input from the console to fetch a requested keyfile. By adding a new switch I think I've avoided breaking any existing implementations that rely on key and keyscript.

I've created a community document about Feisty and two form factor key setup for whole disk encryption:
https://help.ubuntu.com/community/FeistyLUKSTwoFormFactor?highlight=%28two%29%7C%28form%29

I'm contacting you in hopes of being able to apply these patch changes to the cryptroot source for cryptsetup. (The lvm vgchange is due to the fact that vgchange doesn't exist in the initramfs. But 'lvm' can be called to do the same duty.)

I've attached the patch files for:
/usr/share/initramfs-tools/hooks/cryptroot
/usr/share/initramfs-tools/scripts/local-top/cryptroot

Thank you for your consideration.

Regards,
-James
158a159 > TWOFORM=0 225a227,230 > twoform=*) > OPTIONS="$OPTIONS,$opt" > TWOFORM=1 > ;; 236a242,249 > > # If twoform set then it depends on "key" and KEYSCRIPT > if [ $TWOFORM -eq 1 ]; then > if [ "$key" = "none" ] || [ -z "$KEYSCRIPT" ]; then > echo "cryptsetup: WARNING: target $target uses twoform a nd depends on key and keyscript, skipped" >&2 > return 1 > fi > fi
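Review bot: The `twoform=*)` arm in hunk 225a227,230 sets `TWOFORM=1` for any value, including an empty `twoform=`, while the local-top script decides the path with `[ -z $crypttwoform ]`. An entry with an empty value would pass the hook's key/keyscript dependency check and then silently take the ordinary keyscript pipe at boot. Reject an empty value in this arm (for example test `${opt#twoform=}` for non-empty and warn otherwise) so that hook time and boot time agree on whether twoform is active.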
45a46
> crypttwoform="" # TwoForm factor
70a72,74
> twoform=*)
> crypttwoform=${x#twoform=}
> ;;
92c96
< if [ ! -x /sbin/vgchange ] || [ "$vg" = "$1" ]; then
---
> if [ ! -x /sbin/lvm ] || [ "$vg" = "$1" ]; then
107c111
< vgchange -ay ${vg}
---
> lvm vgchange -ay ${vg}
191a196
> ckscon=y
203c208
< if [ -n "$cryptkeyscript" ]; then
---
> if [ -n "$cryptkeyscript" ] && [ "$ckscon" = "y" ]; then
208c213,220
< $cryptkeyscript $cryptkey < /dev/console | $cryptcreate
--key-file=-
---
>
> if [ -z $crypttwoform ]; then
> $cryptkeyscript $cryptkey < /dev/console |
> $cryptcreate --key-file=-
> else
> $cryptkeyscript $cryptkey < /dev/console
> $cryptcreate
> --key-file=/mnt/cryptkeys$crypttwoform
> fi
>
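Review bot: In the else branch of hunk 208c213,220 the keyscript's exit status is never checked before `$cryptcreate` is run with `--key-file=/mnt/cryptkeys$crypttwoform`, so a failed or aborted keyscript still leads to an unlock attempt against whatever is (or is not) at that path. Run the create step only if the keyscript succeeds and the key file is readable, e.g. guard it with `[ -r "/mnt/cryptkeys$crypttwoform" ]`. The value of `crypttwoform` is also concatenated into the path unvalidated and the `/mnt/cryptkeys` mount point is hard-coded; both deserve a comment or a check. Finally, quote the variable in `[ -z $crypttwoform ]` so the test does not depend on word splitting.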
214a227,233
>
> if [ -n "$cryptkeyscript" ]; then
>
> echo -n "Continue using the cryptkeyscript?
> [y/n]: "
> read ckscon < /dev/console
> fi
>
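Review bot: The prompt added in hunk 214a227,233 is conditioned only on `[ -n "$cryptkeyscript" ]`, so it also appears for existing keyscript setups that do not use twoform, and the `read ckscon < /dev/console` blocks until someone answers. That changes behaviour for configurations the patch is meant to leave alone. Consider restricting the prompt to the twoform case by also testing `"$crypttwoform"`. Note as well that hunk 203c208 compares against the literal `y`, so any other answer, including `Y` or an empty line, disables the keyscript for the remaining attempts.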
219a239,242
> elif [ -n $crypttwoform ] && [ -n $cryptkeyscript ] && [ -e
> $cryptkey ]; then
> # The KEYSCRIPT was called at least once so,
> # call the key script again to unmount the usb device
> $cryptkeyscript $cryptkey
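Review bot: The tests in the `elif` of hunk 219a239,242 are unquoted: with an empty variable, `[ -n $crypttwoform ]` collapses to `[ -n ]`, which is true, and the same holds for `[ -n $cryptkeyscript ]` and `[ -e $cryptkey ]`. As written the branch can therefore run for setups that never set twoform, and with both variables empty the line `$cryptkeyscript $cryptkey` expands to nothing. Quote all three, e.g. `[ -n "$crypttwoform" ] && [ -n "$cryptkeyscript" ] && [ -e "$cryptkey" ]`. The second keyscript call is also made with no console redirection and its result is ignored; a short comment on what the script is expected to do on the second invocation would help whoever writes a keyscript against this interface.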
