From: Moji <lordmoji@gmail.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] type one password, get many
Date: Sat, 15 Aug 2009 14:39:09 +0300
Message-ID: <4A869E5D.8030904@gmail.com>
In-Reply-To: <1250270393.19325.21.camel@corn.betterworld.us>
My apologies to Christophe for sending this to the bounce address, I
have recently changed my email client and I am still getting my settings
how I want them.
Ross,
I have a setup like that where my root partition contains a /etc/crypt
file where I keep keys.
After my root partition is decrypted I use the keys in my /etc/crypt
folder to decrypt my home partition. Although you could have it do as
many partitions as you wanted.
I do this in the same part of the init processes that I activate my swap.
I do this mainly because I like having my home directory separate from
my root partition and I don't want to have to enter two passwords in at
once.
The key I use is 1MB generated from /dev/random, it takes a while to
generate the key but if you want I can send you the really simple script
I use to generate them.
As I use luks I have my password on my home directory in the second
slot, in case my root partition ever became corrupted and I didn't have
access to the key.
Here is the relevant part of my /etc/init.d/localmount, I kept the swap
activation part in just for reference of where I placed the code:
ebegin "Activating encrypted swap"
#added to enable encrypted swap
unset open_loop_dev
open_loop_dev="$(/sbin/losetup -f)"
/sbin/losetup "${open_loop_dev}" /swap.lpb &> /dev/null
/sbin/cryptsetup -c aes-xts-essiv:sha256 -s 512 -h sha512 -d /dev/urandom create swap "${open_loop_dev}" &> /dev/null
/sbin/mkswap /dev/mapper/swap &> /dev/null
/sbin/swapon -a &> /dev/null
unset open_loop_dev
eend $?
#added to enable encrypted home
ebegin "Mounting encrypted home directory"
/sbin/cryptsetup luksOpen /dev/sda4 home --key-file /etc/crypt/home.key &> /dev/null
/bin/mount /dev/mapper/home /home &> /dev/null
#added to make sure if there is a crash jfs will recover
if [ -z "$(/bin/mount | grep /dev/mapper/home 2> /dev/null )" ]; then
    /sbin/fsck.jfs /dev/mapper/home
    /bin/mount /dev/mapper/home /home &> /dev/null
fi
if [ -z "$(/bin/mount | grep /dev/mapper/home 2> /dev/null )" ]; then
    /sbin/fsck.jfs -afv /dev/mapper/home
    /bin/mount /dev/mapper/home /home &> /dev/null
fi
eend $?
Ross Boylan wrote:
> > Someone referred recently to a scenario in which a human would type in
> > the password for the root partition, and then the passwords for the
> > other partitions would come from a file in /etc.
> >
> > Could anyone provide some more details about how that would work, and
> > whether it is advisable? Clearly someone with access to the live system
> > could get the passwords for all but root, and someone who, e.g., stole
> > the disk, would only need to crack one password. I think those limits
> > would be acceptable to me; are there others?
> >
> > It is useful for me to have quite a few partitions (I've just discovered
> > I need more so I can control mount options better), and typing in a
> > whole bunch of passwords on boot is pretty tedious.
> >
> > Thanks.
> > Ross Boylan
> >
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> >
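The keyfile arrangement Moji describes (a random key kept under the already-unlocked root, enrolled in a second LUKS slot beside the passphrase, and used by the init script to open /home), written out as an added example; this is not Moji's script nor part of the thread. The device, paths and key size are assumed (taken from the post where given), /dev/urandom is used in place of /dev/random, and the permission check is the part an init script should run before trusting the keyfile at all.

```shell
#!/bin/sh
# Added example (not Moji's script): create a keyfile under the encrypted root,
# enrol it in a LUKS slot beside the interactive passphrase, and verify it is
# locked down before an init script uses it. Device, paths and sizes are assumed.
KEYDIR=/etc/crypt            # must live on the already-unlocked root filesystem
HOME_DEV=/dev/sda4           # as in the post; adjust for your system
KEY_BYTES=1048576            # 1 MiB, as in the post

# gen_keyfile PATH BYTES: write BYTES of random data to PATH with mode 0400.
gen_keyfile() {
    _path="$1"; _bytes="$2"
    _dir="$(dirname "$_path")"
    mkdir -p "$_dir" && chmod 0700 "$_dir" || return 1
    # umask 077 so the file is never group/other readable, even briefly.
    ( umask 077 && head -c "$_bytes" /dev/urandom > "$_path" ) || return 1
    chmod 0400 "$_path"
}

# keyfile_is_safe PATH: 0 if PATH is a regular file with no group/other bits.
# An init script should refuse a readable keyfile: it is the password for
# the whole partition, and anyone with a shell on the live system could copy it.
keyfile_is_safe() {
    [ -f "$1" ] || return 1
    _mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
    # The last two octal digits are group and other; require both to be 0.
    case "$_mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# keyfile_size PATH: byte length, so a truncated key is noticed before enrolment.
keyfile_size() { wc -c < "$1" | tr -d ' '; }

# One-time enrolment: the passphrase already in a slot authorises adding the
# keyfile to another, so either can unlock /home (the fallback the post describes).
enrol_keyfile() {
    keyfile_is_safe "$1" || { echo "refusing: $1 is not mode 0400" >&2; return 1; }
    cryptsetup luksAddKey "$HOME_DEV" "$1"
}

# Boot-time open, as the localmount snippet does, but only with a safe keyfile.
open_home() {
    keyfile_is_safe "$1" || return 1
    cryptsetup luksOpen "$HOME_DEV" home --key-file "$1" && mount /dev/mapper/home /home
}

# Stand-alone usage (requires root and a real LUKS device):
# gen_keyfile "$KEYDIR/home.key" "$KEY_BYTES" && enrol_keyfile "$KEYDIR/home.key"
```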
Thread overview (8+ messages):
2009-08-14 17:19 [dm-crypt] type one password, get many Ross Boylan
2009-08-14 19:09 ` Ross Boylan
2009-08-14 20:41 ` Ross Boylan
2009-08-16 19:44 ` Jonas Meurer
2009-08-16 21:08 ` Ross Boylan
2009-08-16 23:14 ` Moji
2009-08-17 14:42 ` Jonas Meurer
2009-08-15 11:39 ` Moji [this message]