* [dm-crypt] Library to do a 'luksOpen' programatically
From: Miguel Ángel García Roig @ 2010-04-07 9:12 UTC
To: dm-crypt

I'm trying to do a:

    # cryptsetup luksOpen /dev/hda2 root

using a library call or similar. I am not able to call cryptsetup directly due to security reasons.

Is there any library to do this? I have read about the libcryptsetup library, but I cannot find it in Debian lenny.

Thanks in advance.

* Re: [dm-crypt] Library to do a 'luksOpen' programatically
From: Milan Broz @ 2010-04-07 9:54 UTC
To: Miguel Ángel García Roig; Cc: dm-crypt

On 04/07/2010 11:12 AM, Miguel Ángel García Roig wrote:
> I'm trying to do a:
>
> # cryptsetup luksOpen /dev/hda2 root
>
> using a library call or similar. I am not able to call cryptsetup
> directly due to security reasons.

Which security reasons?

> Is there any library to do this? I have read about the
> libcryptsetup library, but I cannot find it in Debian lenny.

You need cryptsetup 1.1.0, it is in Debian testing/unstable already.

Milan

* Re: [dm-crypt] Library to do a 'luksOpen' programatically
From: Miguel Ángel García Roig @ 2010-04-07 10:05 UTC
To: dm-crypt; Cc: Milan Broz

On Wed, 07-04-2010 at 11:54 +0200, Milan Broz wrote:
> On 04/07/2010 11:12 AM, Miguel Ángel García Roig wrote:
> > I'm trying to do a:
> >
> > # cryptsetup luksOpen /dev/hda2 root
> >
> > using a library call or similar. I am not able to call cryptsetup
> > directly due to security reasons.
>
> Which security reasons?

If I make an exec() calling the cryptsetup binary, if a user connected to the machine can gain access to root account, he/she could see the command, no?

I haven't physical control to the machine, that's the main problem. I have only access to the server for installation, and then I have to send it to my client.

> > Is there any library to do this? I have read about the
> > libcryptsetup library, but I cannot find it in Debian lenny.
>
> You need cryptsetup 1.1.0, it is in Debian testing/unstable already.
>
> Milan

Thanks, I'll try to update to testing.

* Re: [dm-crypt] Library to do a 'luksOpen' programatically
From: Milan Broz @ 2010-04-07 10:17 UTC
To: Miguel Ángel García Roig; Cc: dm-crypt

On 04/07/2010 12:05 PM, Miguel Ángel García Roig wrote:
> I haven't physical control to the machine, that's the main problem.

Then there are many other ways a local attacker can break it anyway.

And if anyone has a root account, he can see the encryption key when the device is active.

Milan

* Re: [dm-crypt] Library to do a 'luksOpen' programatically
From: Arno Wagner @ 2010-04-07 11:01 UTC
To: dm-crypt

On Wed, Apr 07, 2010 at 12:05:43PM +0200, Miguel Ángel García Roig wrote:
> On Wed, 07-04-2010 at 11:54 +0200, Milan Broz wrote:
> > On 04/07/2010 11:12 AM, Miguel Ángel García Roig wrote:
> > > I'm trying to do a:
> > >
> > > # cryptsetup luksOpen /dev/hda2 root
> > >
> > > using a library call or similar. I am not able to call cryptsetup
> > > directly due to security reasons.
> >
> > Which security reasons?
>
> If I make an exec() calling the cryptsetup binary, if a user
> connected to the machine can gain access to root account, he/she
> could see the command, no?

Indeed. As he/she can see a full memory dump, access the kernel space, get the crypto-keys, etc. This is not a problem of using the command. It is a problem of a user getting root access. I think your security analysis is flawed.

> I haven't physical control to the machine, that's the main problem.

Why is that a problem?

> I have only access to the server for installation, and then I have to
> send it to my client.

Still no reason to not use cryptsetup. The only reason I see for using the library is convenience or integration, but security-wise the library is not better or worse than the stand-alone executable.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier
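
The libcryptsetup call sequence that corresponds to `cryptsetup luksOpen /dev/hda2 root`, as an added example that is not part of the original thread or of the cryptsetup project's code. It binds the C API of cryptsetup 1.1.0 or later through Python's ctypes; the helper names `luks_open` and `_load_lib` are hypothetical, and as the replies say, this is an integration convenience, not a defence against a user who already has root.

```python
import ctypes
import ctypes.util

CRYPT_LUKS1 = b"LUKS1"   # value of the CRYPT_LUKS1 macro in libcryptsetup.h
CRYPT_ANY_SLOT = -1      # value of the CRYPT_ANY_SLOT macro


def _load_lib():
    """Locate libcryptsetup and declare the four prototypes used below."""
    path = ctypes.util.find_library("cryptsetup")
    if path is None:
        raise OSError("libcryptsetup not found (needs cryptsetup >= 1.1.0)")
    lib = ctypes.CDLL(path)
    lib.crypt_init.argtypes = [ctypes.POINTER(ctypes.c_void_p), ctypes.c_char_p]
    lib.crypt_init.restype = ctypes.c_int
    lib.crypt_load.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_void_p]
    lib.crypt_load.restype = ctypes.c_int
    lib.crypt_activate_by_passphrase.argtypes = [
        ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int,
        ctypes.c_char_p, ctypes.c_size_t, ctypes.c_uint32]
    lib.crypt_activate_by_passphrase.restype = ctypes.c_int
    lib.crypt_free.argtypes = [ctypes.c_void_p]
    lib.crypt_free.restype = None
    return lib


def luks_open(device, name, passphrase):
    """Map LUKS `device` as /dev/mapper/`name`; returns the key slot used.

    `passphrase` is bytes. Every libcryptsetup call returns a negative
    errno on failure, which is raised here as OSError.
    """
    lib = _load_lib()
    cd = ctypes.c_void_p()
    rc = lib.crypt_init(ctypes.byref(cd), device.encode())
    if rc < 0:
        raise OSError(-rc, "crypt_init failed", device)
    try:
        rc = lib.crypt_load(cd, CRYPT_LUKS1, None)  # read the LUKS header
        if rc < 0:
            raise OSError(-rc, "crypt_load failed (not a LUKS device?)", device)
        rc = lib.crypt_activate_by_passphrase(
            cd, name.encode(), CRYPT_ANY_SLOT, passphrase, len(passphrase), 0)
        if rc < 0:
            raise OSError(-rc, "activation failed", device)
        return rc
    finally:
        lib.crypt_free(cd)  # frees the handle; the mapping itself stays active
```

The equivalent of the command in the thread is `luks_open("/dev/hda2", "root", passphrase)`, run as root.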