From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4F54B02F.7020304@mafiainc.net>
Date: Mon, 05 Mar 2012 14:23:11 +0200
From: Martian
Subject: [dm-crypt] Using passdev and decrypt_derived together?
To: dm-crypt@saout.de

Hi,

Recently I set up my Debian wheezy working laptop to have the /home partition encrypted using cryptsetup and the passdev script to load the key from an SD card inserted into my laptop's SD slot. In addition I have set up my swap partition encrypted, because I read that this is highly recommended for increased security.
So I also have root /, /tmp, /usr and /var partitions that I decided to leave unencrypted.

In order to have hibernate functionality I am trying to achieve automatic decryption of the swap partition using the decrypt_derived script. This means I want to have /home decrypted first by passdev (this I configured and it is working fine) and then swap decrypted using decrypt_derived from /home (this is not working in initrd for some reason).

Here is the configuration taken from initrd:
target=sda9_crypt,source=UUID=d8f706c5-5599-4b86-b8d4-abe55510c1c3,key=/dev/mmcblk0p1:/keys/sda9.luks.key,keyscript=/lib/cryptsetup/scripts/passdev
target=sda7_crypt,source=UUID=cbfb7208-8a2a-498a-87bd-ba7370a26731,key=sda9_crypt,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived

I enabled debug on the initramfs from the grub bootloader and reviewed the file /run/initramfs/initramfs.debug after the boot process completed:
... cut ...
Begin: Running /scripts/local-top ... + run_scripts /scripts/local-top
+ initdir=/scripts/local-top
+ [ ! -d /scripts/local-top ]
+ [ -f /scripts/local-top/ORDER ]
+ . /scripts/local-top/ORDER
+ /scripts/local-top/cryptopensc
+ [ -e /conf/param.conf ]
+ /scripts/local-top/cryptroot
cryptsetup: sda9_crypt set up successfully                    <- /home partition decrypted successfully
No key available with this passphrase.                        <- I assume this is related to swap sda7_crypt
cryptsetup: cryptsetup failed, bad password or options?       <- why?
No key available with this passphrase.
cryptsetup: cryptsetup failed, bad password or options?
No key available with this passphrase.
cryptsetup: cryptsetup failed, bad password or options?
+ [ -e /conf/param.conf ]
... cut ...


It seems that what happens later, when initrd has completed and /sbin/init is executed, is that the swap partition is mounted successfully after all, but since this is not happening inside initrd the hibernate feature is not working.

This is how it looks after boot finished:
# mount
udev on /dev type devtmpfs (rw,relatime,size=2017156k,nr_inodes=213275,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=404528k,mode=755)
/dev/disk/by-uuid/c4b2d6d6-048d-43e4-9309-0a73aa7fe26c on / type ext4 (rw,relatime,errors=remount-ro,user_xattr,barrier=1,stripe=4,data=ordered)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,size=809056k)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,relatime,size=809056k)
/dev/mapper/sda9_crypt on /home type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda8 on /tmp type ext4 (rw,relatime,user_xattr,barrier=1,stripe=4,data=ordered)
/dev/sda5 on /usr type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda6 on /var type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)

# swapon -s
Filename                Type        Size     Used  Priority
/dev/mapper/sda7_crypt  partition   8182780  16    -1


Can anybody help either with a suggestion why this isn't working or any alternative approach? Is it insecure to use different keys for both /home and swap and to use passdev for both, for example? Or maybe leave swap unencrypted after all? (What exactly is compromised this way?)

Thanks in advance!

Cheers,
Martin
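The two crypttab entries in the post form a dependency: decrypt_derived can only produce the swap key once the mapping it derives from (sda9_crypt) is already active, so the entry order inside the initramfs matters. The script below is an added example, not part of the post and not Debian's cryptsetup code: a static ordering check over crypttab-style lines that reports any decrypt_derived entry whose key= does not name an earlier target. The sample entries are constructed from the two lines quoted above; the function names field and check_order are this example's own. Run against the post's configuration as written it passes, which is consistent with the debug log (sda9_crypt is set up before the swap entry is attempted) and tells the reader that the order itself is not what fails there.

```shell
#!/bin/sh
# Added example: static ordering check for initramfs crypttab-style entries.
# Rule enforced: an entry whose keyscript is decrypt_derived must name in key=
# a target listed EARLIER in the file, because decrypt_derived derives its key
# from a mapping that has to be active already when the entry is processed.

# Constructed samples, modelled on the two entries quoted in the post.
SAMPLE_OK='target=sda9_crypt,source=UUID=d8f706c5-5599-4b86-b8d4-abe55510c1c3,key=/dev/mmcblk0p1:/keys/sda9.luks.key,keyscript=/lib/cryptsetup/scripts/passdev
target=sda7_crypt,source=UUID=cbfb7208-8a2a-498a-87bd-ba7370a26731,key=sda9_crypt,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived'

# Same two entries with swap listed first, so its dependency is not yet active.
SAMPLE_BAD='target=sda7_crypt,source=UUID=cbfb7208-8a2a-498a-87bd-ba7370a26731,key=sda9_crypt,keyscript=/lib/cryptsetup/scripts/decrypt_derived
target=sda9_crypt,source=UUID=d8f706c5-5599-4b86-b8d4-abe55510c1c3,key=/dev/mmcblk0p1:/keys/sda9.luks.key,keyscript=/lib/cryptsetup/scripts/passdev'

# field NAME LINE: print the value of NAME= within the comma-separated LINE
# (empty if absent). "^key=" does not match "keyscript=", so the two stay apart.
field() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# check_order TEXT: one diagnostic on stderr per entry whose decrypt_derived
# dependency is missing or listed later; the return value is the problem count
# (0 means the order is consistent).
check_order() {
    seen=" "        # space-delimited list of targets already processed
    problems=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        target=$(field target "$line")
        keyscript=$(field keyscript "$line")
        key=$(field key "$line")
        case "$keyscript" in
            */decrypt_derived)
                case "$seen" in
                    *" $key "*) ;;      # dependency was set up earlier: fine
                    *)
                        echo "ERROR: $target derives its key from '$key'," \
                             "which is not an earlier target" >&2
                        problems=$((problems + 1)) ;;
                esac ;;
        esac
        seen="$seen$target "
    done <<EOF
$1
EOF
    return $problems
}

# Demo run over the constructed samples.
echo "entries in the order quoted in the post:"
check_order "$SAMPLE_OK" && echo "  ok: each decrypt_derived entry follows its dependency"
echo "same entries with swap listed first:"
check_order "$SAMPLE_BAD" || echo "  $? ordering problem(s) found"
```

The check is deliberately static: it reads only the entry text and never touches dm-setup state, so it can be run on the crypttab copy extracted from an initramfs image before rebooting. It does not validate option values or key material; a passing order with a "No key available with this passphrase" result, as in the post, points at the key content or the options rather than at the sequence of entries.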