Here is a small patchset which makes it possible to use gpg for mounting dm-crypt devices. The keystring is entered via "echo" so it would be theoretically possible to watch the key in the process-list. But this should not be a real problem, because it would be just used while booting and there is no chance of logging in in this time. $ diff -u checkfs.old checkfs --- checkfs.old 2004-12-26 00:30:46.033791712 +0100 +++ checkfs 2004-12-26 01:32:04.088238520 +0100 @@ -215,7 +215,7 @@ # here, make sure to change it there also! dm-crypt-start() { local cryptfs_status=0 - local mountline mount swap options pre_mount post_mount source + local mountline mount swap options pre_mount post_mount source key if [ -f /etc/conf.d/cryptfs ] && [ -x /bin/cryptsetup ]; then ebegin "Setting up dm-crypt mappings" @@ -231,10 +231,10 @@ dm-crypt-execute # Prepare for the next mount/swap by resetting variables - unset mount swap options pre_mount post_mount source + unset mount swap options pre_mount post_mount source key ;; - options=*|pre_mount=*|post_mount=*|source=*) + options=*|pre_mount=*|post_mount=*|source=*|key=*) if [[ -z ${mount} && -z ${swap} ]]; then ewarn "Ignoring setting outside mount/swap section: ${mountline}" continue 
@@ -283,8 +283,25 @@ fi ebegin "dm-crypt map ${target}" - /bin/cryptsetup ${options} create ${target} ${source} >/dev/console </dev/console - eend $? "failure running cryptsetup" + if [[ -z ${key} ]]; then + /bin/cryptsetup ${options} create ${target} ${source} >/dev/console </dev/console + eend $? "failure running cryptsetup" + else + if [ -e "/usr/bin/gpg" ]; then + retval=1 + while [ $retval -gt 0 ] ; do + keystring=`gpg --quiet -d ${key} 2>/dev/null </dev/console` + if [ -z ${keystring} ]; then + retval=5 + else + echo ${keystring} | /bin/cryptsetup ${options} create ${target} ${source} + retval=$? + fi + done + else + einfo "You have to install app-crypt/gpg first" + fi + fi if [[ $? != 0 ]]; then cryptfs_status=1 else $ diff -u localmount.old localmount --- localmount.old 2004-12-26 01:38:43.072049232 +0100 +++ localmount 2004-12-26 01:39:45.331584344 +0100 @@ -49,7 +49,7 @@ # here, make sure to change it there also! dm-crypt-start() { local cryptfs_status=0 - local mountline mount swap options pre_mount post_mount source + local mountline mount swap options pre_mount post_mount source key if [ -f /etc/conf.d/cryptfs ] && [ -x /bin/cryptsetup ]; then ebegin "Running post_mount commands for dm-crypt" @@ -65,10 +65,10 @@ dm-crypt-execute # Prepare for the next mount/swap by resetting variables - unset mount swap options pre_mount post_mount source + unset mount swap options pre_mount post_mount source key ;; - options=*|pre_mount=*|post_mount=*|source=*) + options=*|pre_mount=*|post_mount=*|source=*|key=*) if [[ -z ${mount} && -z ${swap} ]]; then ewarn "Ignoring setting outside mount/swap section: ${mountline}" continue
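Review bot: In the `@@ -215,7 +215,7 @@` hunk of checkfs, `key` is added to the `local` list, but `retval` and `keystring`, which the `@@ -283` hunk of the same function introduces, are not, so the decrypted key remains in a global shell variable after `dm-crypt-start` returns. Add both to the `local` declaration and `unset keystring` once cryptsetup has consumed it.

Review bot: In the `@@ -283,8 +283,25 @@` hunk of checkfs, a missing gpg is never reported as a failure: that branch only runs `einfo`, so the following `if [[ $? != 0 ]]` sees einfo's exit status and `cryptfs_status` stays 0 although no mapping was created; set `cryptfs_status=1` (or call `eend 1`) there, and call `eend` after the loop as the replaced lines did. The retry loop also cannot end when cryptsetup fails for a reason other than a wrong passphrase (bad `${options}`, missing `${source}`), because `retval` then stays non-zero on every pass; only retry on a gpg failure and abort on a cryptsetup failure. Quoting: `[ -z ${keystring} ]`, `echo ${keystring}` and `-d ${key}` are all unquoted, so a key or key path containing whitespace is word-split and `echo` may interpret backslash sequences in the key; use `"${keystring}"`, `"${key}"` and `printf '%s'`, or better pipe gpg's output straight into cryptsetup so the key never appears in a process argument list, which removes the process-list exposure the description acknowledges. The piped call also drops the `>/dev/console` redirection the replaced line had.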
method,tigger: please review
Created attachment 47063 [details, diff] Patch for /etc/init.d/{checkfs,localmount} Updated version. Fixed the problem with echoing ${keystring} and some quoting problems related to keys containing blanks or to binary keys.
btw: an example of how to use the new config option follows:
$ cat /etc/conf.d/cryptfs
mount=crypt-home
source=/dev/vg/home
key=/root/home.key.asc
options='-c twofish -h plain'
Looks good to me. Nice idea :)
Comment on attachment 47063 [details, diff] Patch for /etc/init.d/{checkfs,localmount} Patch is obsolete
Created attachment 47473 [details, diff] /etc/init.d/{checkfs,localmount} New version. Includes support for gpg_options, which makes it possible to specify the options gpg should use. This enhancement was reviewed with tigger^ in IRC.
Comment on attachment 47473 [details, diff] /etc/init.d/{checkfs,localmount} sorry, overhasty post. Overwrites the options for cryptsetup
Created attachment 47474 [details, diff] /etc/init.d/{checkfs,localmount} Fix the issue of overwriting the cryptsetup options ($options). Sorry!
This looks sane to me. *stamp of approval*
now in cvs, thanks guys
Maybe it would be a good idea to mention the new options in the conf.d-skel. btw: thanks for adding!
Created attachment 50681 [details, diff] Patch for the patch. Bugfix for gpg_options. I detected that the default value of gpg_options could never be set, because this routine must take place in the "if [[ -n ${mount} ]]" block; otherwise it would never be executed, which leads to bugs.
As a result of the patch which is explained above, I'm forced to reopen the bug. Sorry!
added patch to cvs