From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <wagner@tansi.org>
Received: from mail.saout.de ([127.0.0.1])
 by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id giLQcVXfkMTI for <dm-crypt@saout.de>;
 Mon,  1 Jul 2013 01:57:01 +0200 (CEST)
Received: from v6.tansi.org (unknown [87.118.116.4])
 by mail.saout.de (Postfix) with ESMTP
 for <dm-crypt@saout.de>; Mon,  1 Jul 2013 01:57:01 +0200 (CEST)
Received: from gatewagner.dyndns.org (84-74-164-92.dclient.hispeed.ch
 [84.74.164.92]) by v6.tansi.org (Postfix) with ESMTPA id B9CF320DC253
 for <dm-crypt@saout.de>; Mon,  1 Jul 2013 01:57:00 +0200 (CEST)
Date: Mon, 1 Jul 2013 01:57:00 +0200
From: Arno Wagner <arno@wagner.name>
Message-ID: <20130630235659.GA4928@tansi.org>
References: <CAH3kUhG+VQwWWt0stV9VTajb1168mZDWqM2bG-b2H4iAkRCuZQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAH3kUhG+VQwWWt0stV9VTajb1168mZDWqM2bG-b2H4iAkRCuZQ@mail.gmail.com>
Subject: Re: [dm-crypt] passkey over network
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On Sun, Jun 30, 2013 at 07:24:46PM -0300, Roberto Spadim wrote:
> Hi guys, i want to create a map to my crypted disk
> but, instead of putting the passkey every time, or using a pkcs11 (smart
> card), i want to get the passkey from a external server via network
> in other words:
> 
> 1)place a new hard disk
> 2)setup dm-crypt over disk
> 3) mount disk using a external server like "
> https://www.host.com/get_passkey.php?UUID=xxxxx"

That looks overly complicated. Why not use something like

  ssh <user@remote> "cat uuid_file_xxxx" | cryptsetup ...

with a password-less ssh setup. Or improve it, use
the UUID as user-name and make "cat <passwordfile>"
the login-shell. Then you just need
 
  ssh <UUID@remote | cryptswetup 

and users cannot log in, just echo the passphrase.
(For admin purposes you can still log into the remote
server as rtoot and do a su UUID which gives you a non-login
shell.)

This gives you the far better security level of ssh with
two-sided authentication, instead of the basically broken SSL
1-sided authentification with the basically broken PKI and
the risk that anybody that can obtain your UUID or use
a PHP vulnerability, webserver vulnerability or a vulnerability 
in your PHP code can get your passphrase. Also, anybody able to
replace your server (ip spoofing, DNS spoofing, ...) can
inject whatever they like into your client-side script with
the web-solution.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare